Posted by Mark Alexander Bertenshaw on June 1, 2005, 7:31 pm
Hi -
I've recently been having fun creating a VPN for my company's VoIP.
A schematic is below [read in fixed text].
192.168.2.0/24             /   192.168.0.0/24     \     10.0.0.0/24
PC                        /                        \            PCs
192.168.2.11             /                          \ 10.0.0.2   ^
  \                     /                            \           |
   +-> Draytek <----------> Netscreen <--+--> Windows <----------+-----> PCs
  /    Vigor 2600+    /     5GT          |    Server 2000        |
 /                   /                   |              \        v
|      192.168.2.1  /     192.168.0.1    |    192.168.0.2\
|                  /                     |                \  10.0.0.3
v                 /                      |                 \
192.168.2.10                             v                   Voicemail
PC                                                           Server
                                    192.168.0.3
                                   IP Office 206
Windows Server 2000 is acting as a router.
The VPN tunnel between 192.168.2.0/24 and 192.168.0.0/24 seems to work fine,
although I am slightly worried that the tunnel only appears to be initiated
from the 192.168.2.0/24 subnet. I can successfully ping .0.0/24 from
..2.0/24, and vice versa.
I have two problems. First of all, I am unable to ping any address on the
10.0.0.0/24 subnet from 192.168.2.0/24 subnet, despite having created a
static route in the Vigor 2600+ (10.0.0.0/24 -> gateway: 192.168.0.2).
-------------------------------------
Trace route display from 192.168.2.10:
-------------------------------------
C:\>tracert 10.0.0.3
Tracing route to backup.leax.local [10.0.0.3]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms my.router [192.168.2.1]
2 * * * Request timed out.
3 * * * Request timed out.
4 ^C
-------------------------------------
To my untrained eyes, it looks as if my static route is being ignored, and
the packets are going onto the WAN, rather than down the VPN tunnel.
Secondly, I am unable to ping any address on the 192.168.2.0/24 subnet from
10.0.0.0/24, other than the Draytek router.
-------------------------------------
Trace route display from 10.0.0.32:
-------------------------------------
C:\>tracert 192.168.2.10
Tracing route to riza [192.168.2.10]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms leaxserver1.leax.local [10.0.0.2]
2 <10 ms <10 ms <10 ms 192.168.0.1
3 36 ms 34 ms 37 ms 192.168.2.1
4 * * * Request timed out.
5 ^C
Again, it looks as if it gets to the Draytek box, and then goes out onto the
WAN!
Can anybody suggest something that I could try to get this sorted?
Thanks,
--
Mark Bertenshaw
Network Manager
LEAX Controls Ltd.
Posted by Mark Alexander Bertenshaw on June 2, 2005, 1:02 am
Sorry about the diagram - I thought it newlined at 78 chars!
Anyhow, it turned out to be an issue with the Draytek Vigor 2600+. When I
added my static route, I had only one item in the dropdown for Network
Interface (LAN) - and I didn't notice this. Of course, if I want
10.0.0.0/24 to go down the VPN tunnel, this is the wrong interface. So how
do I get to see further interfaces in this dropdown? Well, it seems that
you can't. Instead you have to go to the setup for the outgoing VPN tunnel,
and scroll right to the bottom to Section 4 (TCP/IP Network Settings).
Below "Remote Network IP" and "Remote Network Subnet", there is a button
saying "More". Pressing this takes you to a dialogue where you can
associate as many Address/Subnet values as you like with this tunnel. But
this is the sneaky thing: these values only take effect when you reboot
the Vigor 2600+ !! Now, if you go to the Static Routing table, you will see
the addresses have been added as static routes, with IF = 4+. After
reinstating the routing on the Netscreen 5XP (10.0.0.0/24 -> Trust), you
can ping 10.0.0.0/24; and interestingly, this also fixes the 10.0.0.0/24 ->
192.168.2.0/24 pinging problem. Fantastic!
--
Mark Bertenshaw
Kingston upon Thames
UK
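
Added example, not part of the original posts or any vendor tooling: a small routing-table audit that reproduces the misconfiguration described in the thread (a route for 10.0.0.0/24 bound to the LAN interface with an off-link gateway) next to the fixed table. The interface names LAN and WAN, the default route, and the tunnel binding of 192.168.0.0/24 are assumptions; "4+" is the IF value reported in the second post.

```python
import ipaddress as ip

# Constructed tables modelled on the thread. Interface names and the default
# route are assumptions; "4+" is the IF value the second post reports.
IF_NETS = {"LAN": ip.ip_network("192.168.2.0/24")}   # on-link subnet per interface
TUNNEL_IFS = {"4+"}                                  # interfaces that carry the VPN
PROTECTED = ["192.168.0.0/24", "10.0.0.0/24"]        # must only leave via the tunnel

BEFORE = [  # (destination, gateway or None, interface)
    ("0.0.0.0/0", None, "WAN"),
    ("192.168.2.0/24", None, "LAN"),
    ("192.168.0.0/24", None, "4+"),          # assumed binding of the tunnel's own subnet
    ("10.0.0.0/24", "192.168.0.2", "LAN"),   # the static route from the first post
]
AFTER = BEFORE[:3] + [("10.0.0.0/24", None, "4+")]   # subnet attached to the tunnel


def lookup(table, addr):
    """Longest-prefix match: return the most specific route covering addr."""
    addr = ip.ip_address(addr)
    hits = [r for r in table if addr in ip.ip_network(r[0])]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen) if hits else None


def audit(table):
    """Return findings for protected prefixes that can leave outside the tunnel."""
    findings = []
    for prefix in PROTECTED:
        # The first usable host stands in for the subnet; more specific routes
        # covering only part of the prefix are not examined here.
        probe = next(ip.ip_network(prefix).hosts())
        route = lookup(table, probe)
        if route is None:
            findings.append((prefix, "no route"))
            continue
        _, gw, iface = route
        if iface not in TUNNEL_IFS:
            findings.append((prefix, f"egress via {iface}, not a tunnel interface"))
        if gw and iface in IF_NETS and ip.ip_address(gw) not in IF_NETS[iface]:
            findings.append((prefix, f"gateway {gw} is not on-link on {iface}"))
    return findings


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(table) or "ok")
```
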