Routing problem over VPN from Vigor 2600+ to Netscreen 5GT

Guest
Archived from groups: comp.dcom.vpn

Hi -

I've recently been having fun creating a VPN for my company's VoIP.

A schematic is below [read in fixed text].


   192.168.2.0/24                  192.168.0.0/24                      10.0.0.0/24

   PC 192.168.2.11                                                     PCs
         ^                                                              ^
         |                                                              |
         +--> Draytek      <--VPN-->  Netscreen  <---+--> Windows  <---+--> PCs
         |    Vigor 2600+             5GT            |    Server 2000  |
         |    192.168.2.1             192.168.0.1    |    192.168.0.2  |
         v                                           |    10.0.0.2     v
   PC 192.168.2.10                                   v                 Voicemail Server
                                              IP Office 206            10.0.0.3
                                              192.168.0.3

Windows Server 2000 is acting as a router.

The VPN tunnel between 192.168.2.0/24 and 192.168.0.0/24 seems to work fine,
although I am slightly worried that the tunnel only appears to be initiated
from the 192.168.2.0/24 subnet. I can successfully ping .0.0/24 from
.2.0/24, and vice versa.

I have two problems. First of all, I am unable to ping any address on the
10.0.0.0/24 subnet from 192.168.2.0/24 subnet, despite having created a
static route in the Vigor 2600+ (10.0.0.0/24 -> gateway: 192.168.0.2).

-------------------------------------
Trace route display from 192.168.2.10:
-------------------------------------

C:\>tracert 10.0.0.3

Tracing route to backup.leax.local [10.0.0.3]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms my.router [192.168.2.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C

-------------------------------------

To my untrained eyes, it looks as if my static route is being ignored, and
the packets are going onto the WAN, rather than down the VPN tunnel.

Secondly, I am unable to ping any address on the 192.168.2.0/24 subnet from
10.0.0.0/24, other than the Draytek router.

-------------------------------------
Trace route display from 10.0.0.32:
-------------------------------------

C:\>tracert 192.168.2.10

Tracing route to riza [192.168.2.10]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms leaxserver1.leax.local [10.0.0.2]
2 <10 ms <10 ms <10 ms 192.168.0.1
3 36 ms 34 ms 37 ms 192.168.2.1
4 * * * Request timed out.
5 ^C

Again, it looks as if it gets to the Draytek box, and then goes out onto the
WAN!


Can anybody suggest something that I could try to get this sorted?

Thanks,
--
Mark Bertenshaw
Network Manager
LEAX Controls Ltd.
 
Guest

Sorry about the diagram - I thought it newlined at 78 chars!

Anyhow, it turned out to be an issue with the Draytek Vigor 2600+. When I
added my static route, I had only one item in the dropdown for Network
Interface (LAN) - and I didn't notice this. Of course, if I want
10.0.0.0/24 to go down the VPN tunnel, this is the wrong interface. So how
do I get to see further interfaces in this dropdown? Well, it seems that
you can't. Instead you have to go to the setup for the outgoing VPN tunnel,
and scroll right to the bottom to Section 4 (TCP/IP Network Settings).
Below "Remote Network IP" and "Remote Network Subnet", there is a button
saying "More". Pressing this takes you to a dialogue where you can
associate as many Address/Subnet values as you like with this tunnel. But
this is the sneaky thing: these values only take effect when you reboot the
Vigor 2600+ !! Now, if you go to the Static Routing table, you will see
the addresses have been added as static routes, with IF = 4+. After
reinstating the routing on the Netscreen 5XP (10.0.0.0/24 -> Trust), you
can ping 10.0.0.0/24; and interestingly, this also fixes the 10.0.0.0/24 ->
192.168.2.0/24 pinging problem. Fantastic!

--
Mark Bertenshaw
Kingston upon Thames
UK
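The following is an added example, not code from the thread or from Draytek or Juniper/Netscreen. It is a small Python model of hop-by-hop forwarding across the topology described in both posts: the Vigor's static route for 10.0.0.0/24 is first bound to the LAN interface (the misconfiguration the second post describes) and then to the VPN tunnel (the "IF 4+" fix), and each case is traced from 192.168.2.10 towards 10.0.0.3 and back. Router and interface names, the WAN subnet 203.0.113.0/24, its gateway 203.0.113.1, and the rule that a route whose gateway is not on-link for its interface is skipped in favour of the next match are constructed modelling assumptions. The model reproduces the first tracert (the packet leaves for the WAN after 192.168.2.1) and shows why the one change also repaired the 10.0.0.0/24 -> 192.168.2.0/24 direction: the echo request reached the Draytek over the tunnel, but the echo reply from 192.168.2.10 hit the same unusable route and leaked to the WAN.

```python
# Added example (not part of the original thread): a small model of hop-by-hop
# forwarding across the topology in the post, to show why a static route bound
# to the wrong interface on the Vigor leaks traffic to the WAN, and why binding
# it to the VPN tunnel (IF 4+) also repairs the 10.0.0.0/24 -> 192.168.2.0/24
# direction. Router names, interface names, the WAN subnet 203.0.113.0/24 and
# its gateway are constructed placeholders, not values from the thread.
from ipaddress import ip_address, ip_network

# Each router's interfaces: an on-link subnet ("link") or, for the IPsec
# tunnel, the router at the far end ("peer").
ROUTERS = {
    "Vigor":     {"LAN": {"link": "192.168.2.0/24"},
                  "WAN": {"link": "203.0.113.0/24"},   # placeholder WAN link
                  "VPN": {"peer": "Netscreen"}},
    "Netscreen": {"Trust": {"link": "192.168.0.0/24"},
                  "VPN":   {"peer": "Vigor"}},
    "WinServer": {"inside":  {"link": "192.168.0.0/24"},
                  "outside": {"link": "10.0.0.0/24"}},
}
# Gateway address -> router that owns it (anything else is the ISP, i.e. WAN).
OWNERS = {"192.168.2.1": "Vigor", "192.168.0.1": "Netscreen", "192.168.0.2": "WinServer"}


def route_tables(vigor_10_iface):
    """Static routes as (prefix, gateway, interface). vigor_10_iface is the
    interface the Vigor's 10.0.0.0/24 route is bound to: "LAN" reproduces the
    misconfiguration from the thread, "VPN" the fix."""
    return {
        "Vigor": [("192.168.2.0/24", None, "LAN"),
                  ("192.168.0.0/24", None, "VPN"),
                  ("10.0.0.0/24", "192.168.0.2", vigor_10_iface),
                  ("0.0.0.0/0", "203.0.113.1", "WAN")],      # placeholder default route
        "Netscreen": [("192.168.0.0/24", None, "Trust"),
                      ("192.168.2.0/24", None, "VPN"),
                      ("10.0.0.0/24", "192.168.0.2", "Trust")],
        "WinServer": [("192.168.0.0/24", None, "inside"),
                      ("10.0.0.0/24", None, "outside"),
                      ("0.0.0.0/0", "192.168.0.1", "inside")],
    }


def forward(router, tables, dst):
    """One router's decision for dst: longest-prefix match, then require the
    gateway to be on-link for the route's interface. Modelling assumption: a
    route whose gateway is not reachable on its interface is skipped, so the
    lookup falls through to the next match (ultimately the default route)."""
    dst = ip_address(dst)
    by_length = sorted(tables[router], key=lambda r: ip_network(r[0]).prefixlen, reverse=True)
    for prefix, gateway, iface in by_length:
        if dst not in ip_network(prefix):
            continue
        spec = ROUTERS[router][iface]
        if "peer" in spec:                       # tunnel: encapsulate towards the peer
            return "tunnel", spec["peer"]
        if gateway is None:                      # directly connected subnet
            return "deliver", iface
        if ip_address(gateway) in ip_network(spec["link"]):
            return "gateway", OWNERS.get(gateway, "WAN")
    return "drop", "no route"


def trace(tables, start, dst, max_hops=8):
    """Follow dst from router `start`; returns the routers visited, ending in
    "delivered:<iface>", "WAN" (leaked to the Internet) or "dropped"."""
    path, router = [start], start
    for _ in range(max_hops):
        action, arg = forward(router, tables, dst)
        if action == "deliver":
            return path + [f"delivered:{arg}"]
        if action == "drop":
            return path + ["dropped"]
        if arg == "WAN":
            return path + ["WAN"]
        router = arg
        path.append(router)
    return path + ["loop"]


if __name__ == "__main__":
    for label, tables in (("broken", route_tables("LAN")), ("fixed", route_tables("VPN"))):
        print(label, "192.168.2.10 -> 10.0.0.3:", trace(tables, "Vigor", "10.0.0.3"))
        print(label, "10.0.0.32 -> 192.168.2.10:", trace(tables, "WinServer", "192.168.2.10"))
        print(label, "reply 192.168.2.10 -> 10.0.0.32:", trace(tables, "Vigor", "10.0.0.32"))
```

Running the block prints the three traces for each table. The request from 10.0.0.32 is delivered on the Vigor's LAN in both cases, matching the second tracert, while the reply only reaches 10.0.0.0/24 once the route is bound to the tunnel; that asymmetry is the reason a one-sided route error shows up as a failure in both directions.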