DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Accessing internal networks trough IPSec site-to-site VPN

networka
Topic Author
Offline
New Member

07 Mar 2020 08:08 #1 by networka

Accessing internal networks trough IPSec site-to-site VPN was created by networka

Hello all,
I have a site-to-site VPN (IPSec) between a Draytek and another firewall, but the problem is that Draytek is not routing my second internal network which is tagged. The problem is not the tagging because if I change the subnet in the VPN and Remote Access > LAN to LAN > 5. TCP/IP Network Settings section with my tagged internal network, traffic flows fine.
I have also tried by checking the box IPsec VPN with the Same Subnets then using the Advanced button, I have provided the remote and local network. Still does not work.
Bear in mind that my internal networks that sit behind the Draytek router are connected on different ports in the router, LAN1 and LAN2.

https://ibb.co/mNZXjTf

My question is: How can I make both of my Draytek internal networks available trough my IPSec tunnel?

Thanks in advance.

Please Log in or Create an account to join the conversation.

hornbyp
User

07 Mar 2020 11:59 #2 by hornbyp

Replied by hornbyp on topic Re: Accessing internal networks trough IPSec site-to-site VPN

NetworkA wrote:
My question is: How can I make both of my Draytek internal networks available through my IPSec tunnel?

You'll probably need to tell that "other firewall", that there is an additional network at the other end of the tunnel. (Give it some routing information, in other words)

Please Log in or Create an account to join the conversation.

leewilding
Offline
Junior Member

07 Mar 2020 12:24 #3 by leewilding

Replied by leewilding on topic Re: Accessing internal networks trough IPSec site-to-site VPN

Do you have both subnets in the crypto at both ends of the VPN?

Please Log in or Create an account to join the conversation.

networka
Topic Author
Offline
New Member

07 Mar 2020 16:21 #4 by networka

Replied by networka on topic Re: Accessing internal networks trough IPSec site-to-site VPN

Yes, both subnets are defined in the third party firewall.
I can tell everything is working because if I change the Local IP Network with the one that is tagged, traffic flows just fine.

Searching on the internet, looks like Draytek can't send both networks on the same tunnel, but even if I check the box Create Phase2 SA for each subnet.(IPsec) and provide the remote and local network, it is still not working.

Please Log in or Create an account to join the conversation.

hornbyp
User

07 Mar 2020 16:38 #5 by hornbyp

Replied by hornbyp on topic Re: Accessing internal networks trough IPSec site-to-site VPN

NetworkA wrote:
Searching on the internet, looks like Draytek can't send both networks on the same tunnel..

I have a 2830n <--> 2860n VPN with multiple networks at each end. Each can talk to another ('cept where specifically blocked by Firewall Rules). In the case of the 2830/2860 interface, it was a just a matter of defining the additional networks in the "More" entry for the site-to-site VPN. Your router seems to have a slightly different interface, but in any case, your problem seems to be in convincing a 3rd party router at the far end to play ball. I think you might need help from the support forum for said 3rd party router :cry:

Does "Traceroute" shed any light on the issue?

Please Log in or Create an account to join the conversation.

leewilding
Offline
Junior Member

07 Mar 2020 19:44 #6 by leewilding

Replied by leewilding on topic Re: Accessing internal networks trough IPSec site-to-site VPN

I have had to create four individual VPNs to a Sophos XG from a 2862 as I could not get traffic across all four subs nets at once. Odd.

Please Log in or Create an account to join the conversation.