ScoobyNet.com - Subaru Enthusiast Forum

VPN Routing Help (https://www.scoobynet.com/computer-and-technology-related-34/181781-vpn-routing-help.html)

ozzy 26 February 2003 03:01 PM

We've got a Linux-based VPN configured between two offices. The VPN works fine and I can ping hosts directly connected to the firewall/VPN servers on both remote offices.

At this remote office we have a basic single subnet, but at the other office we have an internal router that splits the network into 3 separate ones.

From the other office I can ping all my hosts, but when I try to ping the remote networks the tracert shows them bypassing the VPN tunnel and heading out across the Internet.

I'll try and stick up a diagram to show what I'm meaning.

Stefan

gregh 26 February 2003 03:05 PM

You need to edit the routing tables to send the packets you want to certain addresses down the VPN, i.e. from a DOS prompt/bat file

route add 15.0.0.0 MASK 255.0.0.0 16.45.161.99 METRIC 1

ozzy 26 February 2003 03:15 PM

http://www.hosw08898.pwp.blueyonder....images/vpn.jpg

Yeah, I understand the routes but they don't seem to be working.

These are the routes I've created:-

network subnet gateway
192.168.52.0 255.255.255.0 192.168.10.1
192.168.54.0 255.255.255.0 192.168.52.1
192.168.56.0 255.255.255.0 192.168.52.1

Under the VPN configuration, you tell it the left/right IP addresses (i.e. both public IP addresses) and the left/right subnets you connect to.

If I tracert 192.168.52.1, it disappears up the VPN tunnel. If I tracert any other subnet it goes out across the net.

It works fine from the other direction (networks shown on right-side of diagram).

Stefan

Jeff Wiltshire 26 February 2003 03:52 PM

Are all the networks listed in the Security Association? You shouldn't need to add static routes if the VPN devices are your default gateways at each site.

I would guess that your extra networks aren't listed in the far end's SA.

ozzy 26 February 2003 04:00 PM

Jeff, not sure what you mean by that :confused:

It's Trustix Firewall 3.0 we're using here. Don't ask why they didn't stick with a mainstream version :rolleyes:

On the VPN GUI, you simply create a VPN gateway. You are asked for a description, the remote (public) IP address, their subnet, your own subnet and finally the shared secret.

I can't see anywhere to stick details of the other two subnets.

I did try to create a couple more connections, but that didn't work.

Stefan

Jeff Wiltshire 26 February 2003 04:08 PM

You probably need to repeat the process for all the subnets, i.e.
Firewall 192.168.10.1 will need

VPN SA for 192.168.52.x
VPN SA for 192.168.54.x
VPN SA for 192.168.56.x

Using all the same details except the destination Network. You will also need to remove the static routes that you have added as this will confuse the box.

Firewall 192.168.52.2 will need

VPN SA for 192.168.10.x
& static routes to
192.168.54.x
192.168.56.x

Router 192.168.52.1 needs
a default gateway of 192.168.52.2


Does that make any more sense ????


Jeff
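The selector matching suggested in the reply above, modelled as an added example that is not part of the thread or of Trustix's software: it assumes a policy-based IPsec gateway that only encrypts packets matching an SA's local/remote subnet pair and sends everything else by the normal routing table. The subnets are the ones quoted in the thread (with the single-subnet office taken to be 192.168.10.0/24); the function names and host addresses are hypothetical.

```python
import ipaddress

# Constructed from the addresses quoted in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
REMOTE_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.52.0/24", "192.168.54.0/24", "192.168.56.0/24")]


def selects(sa, src, dst):
    """True if the SA's (local_subnet, remote_subnet) pair covers src -> dst."""
    local, remote = sa
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


def path_for(sas, src, dst):
    """'tunnel' if any SA selector matches the packet, else 'default-route'.

    'default-route' means the packet leaves unencrypted via the normal
    routing table, which is the behaviour the tracert in the thread shows.
    """
    return "tunnel" if any(selects(sa, src, dst) for sa in sas) else "default-route"


def uncovered(sas, local, remotes):
    """Remote subnets that no SA selector fully contains for this local net."""
    return [r for r in remotes
            if not any(local.subnet_of(sa_local) and r.subnet_of(sa_remote)
                       for sa_local, sa_remote in sas)]


# Configuration as first described: one SA, covering only 192.168.52.0/24.
SINGLE_SA = [(LOCAL_NET, REMOTE_NETS[0])]
# Configuration suggested in the reply: one SA per remote subnet.
PER_SUBNET_SAS = [(LOCAL_NET, r) for r in REMOTE_NETS]

if __name__ == "__main__":
    for name, sas in (("single SA", SINGLE_SA), ("per-subnet SAs", PER_SUBNET_SAS)):
        print(name)
        for dst in ("192.168.52.1", "192.168.54.10", "192.168.56.10"):
            print("  192.168.10.20 ->", dst, ":", path_for(sas, "192.168.10.20", dst))
        print("  uncovered:", [str(n) for n in uncovered(sas, LOCAL_NET, REMOTE_NETS)])
```

Running the same `uncovered` check with each site's own subnet list shows whether both ends list matching selector pairs.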

ozzy 26 February 2003 04:19 PM

Yes, that makes sense apart from the multiple SAs. There's two parts on the GUI that you can create these.

1) on the main config screen, but this would need 3 separate VPN tunnels or
2) you create a single VPN gateway and tunnel, then define the 3 separate subnets within that.

I'll try both and see how I get on.

It's just routing from the left network that's not working. I can ping the left network from any machine on the right.

Stefan

Jeff Wiltshire 26 February 2003 04:23 PM

Stefan

You need 3 separate VPN tunnels....(probably)

I tried to find some documentation on this software without much success !

Jeff

Jeff Wiltshire 27 February 2003 03:49 PM

Stefan

Did you fix this ?

Jeff

ozzy 27 February 2003 04:05 PM

No, not yet.

Tried adding the 3 separate VPN tunnels, but that didn't work. I'm trying to get hold of the techie that gave me some training on it a while back to see what I'm doing wrong.

Thanks for all your help so far Jeff.

Stefan


All times are GMT +1.