Hi All,
A quick question about setting up VPN's with the Vigor 2820.

I have a Cisco at head office with a main subnet behind it and a DMZ subnet for an application server.

I would like to connect both the 2820 to the Cisco and be able to route both subnets down the VPN tunnel.

Now I have done this with another Cisco but I would prefer the Vigor to do the job, anyone any ideas how to add this into the routing table?

Cheers
Chris

The Vigor2820 has one subnet for NAT usage.

The 2nd subnet is for non-nat usage, but isn't much use if you don't have a range of IP Addresses from the ISP to use.

If the 2nd subnet is used for just another network range, it means that the Vigor2820 will try and send it out to the Internet without performing NAT, so the ISP will just drop the traffic as it's for a range if doesn't recognise.

However, with the 3.3.3 firmware I've noticed a command that allows the 2nd IP to use the VPN. The syntax is

Code:

vpn pass2nd [on/off]

> vpn pass2nd on
% 2nd subnet is allowed to pass VPN tunnel!

So perhaps if you enable the command you'll find the 2nd subnet can use the VPN tunnel, it might not be suitable for your purposes (as I don't know what the DMZ subnet is also used for - 2nd IP wouldn't have any internet access) but I thought I'd mention it.

Thanks for your reply.

I have noticed this command, running this doesn't seem to do much and seems to be to do with passing a second external address.

I will try again and see just incase thought! Anyone any more ideas?

Thanks Again
Rutter

I don't have a 2820, but under the LAN-LAN Profile Setup > TCP/IP Network Settings, is there a More button? If there is, try that. I have a feeling it may only work between Draytek's but it is worth giving it a go.

Ahh, I think I may have completely misread your question.

Do you want

LANA<->Vigor2820 <---> Internet <---> Cisco<->LANB<--->LANC

VPN Between LAN A and LAN B/C ?

If so, then yes that's fine you can do that.

Like NJH suggested, use the more button.

Create the LAN to LAN for LANA <==> LANB as normal and then in the more button enter the subnet for LANC.

This tells the Vigor2820 that it can reach LANC via the VPN between LANA<==>LANB

The more button doesn't negotiate a new tunnel for LANA to LANC, it simplly tells the Vigor2820 that it can send traffic for LANC down the VPN. So providing, security association wise, the Cisco is happy it will work.

I think the network diagram for the Draytek VPN model should read:

Code:

LANA<->Vigor2820 <---> Internet <---> Cisco<--->LANB <--->LANC