DrayTek UK Users' Community Forum


Vigor 2927 - trying to bridge two LANs across two Routers via LAN to LAN VPN

06 Jan 2025 12:22 #104400 by neil201
I've a pair of 2927s; Router A is on a LAN to LAN VPN to Router B, and Routers C, D, E, F etc. have their own LAN to LAN VPNs inbound to LAN6 on Router B. Connecting to LAN6's GW of Router B locally (or via a remote dial-in VPN I've set up) I can happily see all the GWs of Routers C, D, E, F etc. as you would expect; however, what I'm trying to achieve is to replicate the same connectivity to Routers C, D, E, F etc. from Router A. I've set up RIP across the LAN to LAN VPN on Router A <> B's LAN to LAN tunnel, and in the routing table of Router A I can see the table of Router B and the GWs of C, D, E, F; however, the GW route for these at Router A is that of LAN1 of Router B and not LAN6, so these are unreachable.

Adding subnets of Router A's LAN6 GW into, say, Router C and vice versa into Router A doesn't change the routing table to update via RIP so that the relevant GW/subnet of Router C will go to the subnet/GW of LAN6 in Router B, if all that makes sense, and I wouldn't mind a bit of support making it all work. Adding a Static Route in Router A for the subnet in, say, Router C doesn't seem to work either, and when entering the IP details it just clears the field, presumably as the subnets locally don't match any of Router A's assigned LAN subnets?

07 Jan 2025 13:21 - 08 Jan 2025 00:58 #104417 by HodgesanDY
Hi neil201,

I would maybe just disable the RIP for now and work on manually configuring the routes so you can make sure the routes work, or have you achieved that already?

The 'Remote Dial in' user and local LANs will always be able to see all routes "outwards", as they are being routed by the central router (Router B in your case); unless the 'Remote Dial in' user is set to not "Route all traffic through the remote gateway".

The VPN profiles on Routers C, D, E and F only need to list the distant subnets and have them shown in their local router's routing table for the local LANs to know to go to Router B (via that VPN connection) to get to these subnets. If those distant remote subnets are not listed then the traffic will never hop to Router B to seek out the next hop. (Please tell me to piss off if I am telling you stuff you already know.)

Once at Router B they then need to know the next hop, but does Router B know of the distant subnets on Routers A, C, D, E and/or F? If not, then you would need to manually add these into the L2L profiles on Router B for each of those remote subnets so they are reachable from Router B to their respective GWs (including the matching subnet size(s); /24 etc.).

Note:
Make sure you have ‘Route’ set (not NAT) in the L2L profile settings.
You shouldn't need to use 'Static Routes' for any of this.
Firewall rules and possibly InterLAN connections will/may have an effect on the throughput of all this traffic being routed across routers; you can Block/Pass at any of the routers that the traffic passes through, but be careful not to put too many hurdles in if you do. Well, you can; it just makes it trickier to open up paths later, as you have to remember all the hurdles.


Last edit: 08 Jan 2025 00:58 by HodgesanDY.

15 Jan 2025 08:50 #104447 by neil201
Cheers for your reply, and apologies for the delay responding as I've been abroad for a few days. I've just had another play with this and I suspect it might thus be a firewall rule missing in Router B's FW preventing Router A (L2L connected to Router B) from seeing Router C (which is also L2L VPN connected to Router B).

Router C's subnet is 10.150.1.0/24
Router B's LAN subnet this routes to is 10.187.235.0/24
Router A's LAN subnet I want to reach the 10.150.1.0/24 subnet of Router C from is 10.188.235.0/24.

In the Routing table of Router A I'm seeing:
10.150.1.0/ 255.255.255.0 via 212.xxx.xxx.xxx VPN-1

VPN-1 is the L2L VPN back to Router B so surely once a request to any address in the 10.150.1.0 subnet needs to be known in Router B's routing table before it can be passed to Router B's 10.188.235.0 GW address, or am I missing something?

In terms of firewall permissions I presume I need my direction to be VPN > LAN with my source IP being 10.150.1.1 and destination 10.188.235.1, or should that be the other way around?

15 Jan 2025 11:10 - 15 Jan 2025 12:22 #104449 by HodgesanDY
Hi neil201, (bear with me as I try to get your layout mapped in my head)

If you have previously created a blocking rule between VPN > VPN (on Router B) then yes, you will need to create a “pass” rule for that VPN traffic to flow again, or just disable the blocking rule momentarily, to test the throughput.

Note: On Router B, if you create IP Objects for the subnet ranges you want to block/pass for the remote sites, it is much easier to create fewer rules globally, because you can use one blocking rule for many objects in both directions. But for now, I would just un-block the traffic between VPN > VPN (purely for testing purposes), unless you absolutely can't/won't do that, in which case adding a pass rule is your only option to allow the traffic to flow again.

Your routing tables should tell all, as in, if the entries aren't listed for the subnets you want to reach, something is amiss! So that would be my first port of call to check. Then I would be looking at the firewall rules. If the routing entries aren't listed then I would be looking at the L2L VPN Profile's "More Remote Subnet" options.


Ultimately, Router B (Subnet 10.187.235.0/24) should have a listing for EVERY remote-site subnet that you would like communication between. Is that the case? Does Router B list all of them?

Router A (Subnet 10.188.235.0/24) should have Router C's destination subnet (10.150.1.0/24) listed in its routing table.
Router C (Subnet 10.150.1.0/24) should have Router A's destination subnet (10.188.235.0/24) listed in its routing table.

Obviously none of these remote subnet ranges should ever be the same; as that would cause a whole other issue to solve.

In the Routing table of Router A I'm seeing:
10.150.1.0/ 255.255.255.0 via 212.xxx.xxx.xxx VPN-1

Great! This is what you want to see (quote above).

VPN-1 is the L2L VPN back to Router B so surely once a request to any address in the 10.150.1.0 subnet needs to be known in Router B's routing table before it can be passed to Router B's 10.188.235.0 GW address, or am I missing something?

In the quote here (above) did you actually mean:

VPN-1 is the L2L VPN back to Router B so surely once a request to any address in the 10.150.1.0 subnet is made, it needs to be known in Router B's routing table before it can be passed to Router A's 10.188.235.0 GW address, or am I missing something?

?

If you did, then yes, but only because Router B needs to know about Router A's subnet to pass the traffic from Router C back to Router A. What I think you should've described was:

VPN-1 is the L2L VPN back to Router B so surely once a request to any address in the 10.150.1.0 subnet is made, it needs to be known in Router B's routing table before it can be passed to Router C's 10.150.1.0 GW address?


Regarding the Firewall:

In terms of firewall permissions I presume I need my direction to be VPN > LAN with my source IP being 10.150.1.1 and destination 10.188.235.1, or should that be the other way around?

Yes, if you're applying that on Router A's firewall. If you're applying that on Router B's firewall then it will be VPN > VPN, and use the whole subnet rather than just the GW addresses.

If you remove any block rule(s) already in place and start to see throughput come alive, then re-enable that block rule and concentrate on creating a working "pass" rule. Most of the time I will start the rules off quite broad, then narrow them down to exactly what I want to control.
Using 'Objects' is a massive advantage, as you will find yourself adding additional devices (as IP Objects) into IP Groups rather than creating new additional rules. Once a working rule is in place you will find you want to apply that same rule to more devices (probably at a later date), so you can just throw those additional devices into the same IP Group and they will be granted the same pass-through (or block, respectively). Same applies for 'Service Type Objects' as well. But be aware, too many rules can get you tied up in knots and it's a PITA when that happens, I have done it numerous times and always want to slap myself in the face when I realise my error!


Last edit: 15 Jan 2025 12:22 by HodgesanDY.
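The hub-and-spoke routing problem discussed in this thread (the hub, Router B, must hold a route for every spoke subnet, and each spoke must hold a route back, or the return traffic is dropped) can be checked with a small path-trace script. This is an added, constructed example rather than anything from the thread or DrayTek; the routing tables, router names and the `add_remote_subnet` helper are assumptions modelled on the subnets neil201 posted.

```python
import ipaddress

# Constructed routing tables using the subnets from the thread (not real DrayTek output).
# Each entry is (prefix, next_hop): "LAN" means directly connected, otherwise the
# name of the peer router at the far end of the L2L tunnel carrying that route.
ROUTERS = {
    "A": [("10.188.235.0/24", "LAN"), ("10.150.1.0/24", "B")],   # learned over VPN-1 to B
    "B": [("10.187.235.0/24", "LAN"), ("10.188.235.0/24", "A"),
          ("10.150.1.0/24", "C")],                                # hub lists both spokes
    "C": [("10.150.1.0/24", "LAN"), ("10.187.235.0/24", "B")],   # only B's LAN: no route to A
}

def lookup(router, dst):
    """Longest-prefix match of dst in router's table; returns next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTERS[router]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(start, dst, max_hops=8):
    """Follow next hops from router `start` toward dst.
    Returns the list of routers traversed when dst's LAN is reached, else None."""
    path, router = [start], start
    for _ in range(max_hops):
        nh = lookup(router, dst)
        if nh is None:
            return None          # no route here: the packet is discarded at this router
        if nh == "LAN":
            return path          # delivered on a directly connected LAN
        router = nh
        path.append(router)
    return None                  # routing loop or too many hops

def reachable_both_ways(src_ip, dst_ip, src_router, dst_router):
    """A session only works if the forward path AND the return path both complete."""
    fwd = trace(src_router, dst_ip)
    back = trace(dst_router, src_ip)
    return (fwd is not None and fwd[-1] == dst_router
            and back is not None and back[-1] == src_router)

def add_remote_subnet(router, prefix, via):
    """Model adding a 'More Remote Subnet' entry to router's L2L profile for peer `via`."""
    ROUTERS[router].append((prefix, via))

if __name__ == "__main__":
    print(trace("A", "10.150.1.1"))                                     # ['A', 'B', 'C']
    print(trace("C", "10.188.235.1"))                                   # None: C cannot reply
    print(reachable_both_ways("10.188.235.1", "10.150.1.1", "A", "C"))  # False
    add_remote_subnet("C", "10.188.235.0/24", "B")                      # fix the spoke
    print(reachable_both_ways("10.188.235.1", "10.150.1.1", "A", "C"))  # True
```

The first run shows exactly the symptom in the thread: Router A's table looks right, but the reply from Router C has nowhere to go until C's profile also lists A's subnet via Router B.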
