DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Routing across LAN-LAN VPN - help please

15 Feb 2018 15:50 #90739 by ncollingridge
Routing across LAN-LAN VPN - help please was created by ncollingridge
I am struggling to get this going because there is some basic information I cannot find anywhere - maybe I am not looking in the right place, but whatever I cannot find anything that tells me what I need to know. I know this is essentially some routing 101 stuff, but it does somewhat depend on how the forwarding specifically functions on Draytek routers. And I am sure there are others who may benefit from this if some kind person can explain where I am going wrong (or not going!).

Basic setup is two Draytek routers. The local subnet for one is 10.0.0.0 and the other is 10.0.3.0. I have successfully established a VPN between them (using PPTP for now to get it going as easily as possible).

For the TCP/IP Network settings on the router in 10.0.0.0 I have this set up as follows:

My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.0.3.0
Remote Network Mask: 255.255.255.0
Local Network IP: 10.0.0.1
Local Network Mask: 255.255.255.0

This is in line with what I have found in the knowledgebase articles, although none of them that I have looked at show the Local network IP and mask fields.

The first two fields are 0.0.0.0 as with this the settings are apparently assigned to the tunnel by the remote router.

The Remote Network fields are used to tell the router the subnet of the remote network for routing purposes, and the manual says that this will add a static route, presumably for any attempt to connect to an IP address within the remote subnet from local clients.

The Local Network fields are explained in the manual as "Display the local network IP and mask for TCP/IP configuration. You can modify the settings if required." I don't find this very explanatory at all. I had assumed that maybe this is to give you the opportunity to map the remote IP addresses to a different range of local addresses, but the manual shows the field with the local IP address and mask of the local router in it, so I assume this is correct, and this is what I have entered.

I have not added any static routes in the More section because I only have one remote subnet.

Now for setting up local clients to access the remote subnet. Firstly I am simply trying to connect from a PC to an HTTP host in the remote subnet, which let's say is at 10.0.3.11. I have my PC set up with an IP address in the local subnet (10.0.0.x) and a mask of 255.255.255.0.

My assumption here is that because the remote IP address is not in the local subnet (since the PC's mask is set so that the local subnet is restricted to the one 10.0.0.x range) the PC will forward the packets to the router/gateway, which will know to forward the packets to the remote router/gateway from where they will be broadcast on the remote network. However no connection gets through.

Where am I going wrong? Everything I can see suggests that the routing is taken care of by the router from what you complete in the VPN setup fields, but it doesn't seem to be that simple.


15 Feb 2018 16:42 #90742 by hornbyp
Replied by hornbyp on topic Re: Routing across LAN-LAN VPN - help please

ncollingridge wrote: My assumption here is that because the remote IP address is not in the local subnet (since the PC's mask is set so that the local subnet is restricted to the one 10.0.0.x range) the PC will forward the packets to the router/gateway, which will know to forward the packets to the remote router/gateway from where they will be broadcast on the remote network. However no connection gets through.



Sounds right :)

I read the same guides as you, but in my experience you have to fill in the "Remote Gateway IP" address as well (with the address of the router for that subnet) - at both ends. [So I'm guessing Remote Gateway=10.0.3.1 for the 10.0.3.0 network and Remote Gateway=10.0.0.1 for the 10.0.0.0 network]

The tool to use to see what's going on is "Tracert" ... or Traceroute on those nasty unix boxes :wink:

Code:
(I'm on the 192.168.100.0 network)
C:\Users\phil>tracert 192.168.200.6

Tracing route to cottage.home.somedomain.co.uk [192.168.200.6]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  valhalla.home.somedomain.co.uk [192.168.100.254]    <--local router for 192.168.100.0
  2    32 ms    31 ms    31 ms  folkvangr.home.somedomain.co.uk [192.168.200.254]   <--remote router for 192.168.200.0
  3    32 ms    32 ms    33 ms  cottage.home.somedomain.co.uk [192.168.200.6]       <--target address

>


15 Feb 2018 18:55 #90746 by ncollingridge
Replied by ncollingridge on topic Re: Routing across LAN-LAN VPN - help please
Thanks for the suggestion, but unfortunately that doesn't make any difference.

I should have added a traceroute into my last post. Here is what I get:

Code:
traceroute to 10.0.3.11 (10.0.3.11), 64 hops max, 52 byte packets
 1  vigor.router (10.0.0.1)  0.631 ms  0.321 ms  0.310 ms
 2  10.0.3.1 (10.0.3.1)  17.900 ms  18.792 ms  18.254 ms
 3  * * *
 4  * * *
 5  * * *


Basically it is getting to the remote router, but not any further. Do I need to set up a static route or something similar to allow the traffic through the router? I had assumed that this would all be set up just from creating the tunnel, as it all obviously needs to be set up for traffic to flow through the tunnel and then get to where it needs to, but reading the manual again all it explicitly says is that a route is created on the local (originating) router to send the traffic through the tunnel.

It doesn't tell you what to do to ensure the traffic is routed onward from the remote router, or whether you need to do anything for this or not. At least not that I can find.


15 Feb 2018 20:12 #90748 by hornbyp
Replied by hornbyp on topic Re: Routing across LAN-LAN VPN - help please

ncollingridge wrote: Do I need to set up a static route or something similar to allow the traffic through the router?


I definitely didn't (other than to a secondary subnet at the far end). The Router also learned a route via RIP, which should probably be Static. I don't think the Route configuration tools will let you add a route to a VPN - you have to use the "MORE" entries, or the "Route Policy entries".

Here's the (somewhat pruned) Routing Table from my 192.168.100.0 Router. I've taken out the WAN and other irrelevances. This is from the Telnet client, but the GUI gives the same info.

Code:
Valhalla> ip route status
Codes: C - connected, S - static, R - RIP, * - default, ~ - private, B - BGP
S~   192.168.1.0/ 255.255.255.0 via 192.168.200.254, VPN-1              <--This is a "MORE" entry, so 192.168.1.1 goes over VPN, rather than to ISP
R~   192.168.2.0/ 255.255.255.0 via 192.168.200.254, VPN-1 (2/120000)   <--Learned by RIP from remote router (*this* probably should be a "MORE" as well).
C~   192.168.200.254/ 255.255.255.255 is directly connected, VPN-1


Just a thought - I assume you have "From first subnet to remote network, you have to do" [Route] set? (On the VPN entry).

He also wrote: It doesn't tell you what to do to ensure the traffic is routed onward from the remote router, or whether you need to do anything for this or not. At least not that I can find.


The far end follows its own rules.

I wonder if the "Route Policy Diagnosis" tool will give any insights? :-

https://www.dropbox.com/s/w5cmiuzvoc9555x/RP1.jpg

(Can't get Postimage.org to play nicely tonight, and dropbox won't let me embed it - you'll have to click the link) :-;

UPDATE
Code:
traceroute to 10.0.3.11 (10.0.3.11), 64 hops max, 52 byte packets
 1  vigor.router (10.0.0.1)  0.631 ms  0.321 ms  0.310 ms
 2  10.0.3.1 (10.0.3.1)  17.900 ms  18.792 ms  18.254 ms


Does the target of that Traceroute 10.0.3.11 have a default route of 10.0.3.1 set? ... for the packets to come back the other way...


15 Feb 2018 22:30 #90751 by ncollingridge
Replied by ncollingridge on topic Re: Routing across LAN-LAN VPN - help please
Here's my routing table for comparison:

Code:
C~   10.0.0.0/ 255.255.255.0 directly connected LAN1
S~   10.0.3.0/ 255.255.255.0 via 10.0.3.1 VPN-1
C~   10.0.3.1/ 255.255.255.255 directly connected VPN-1


It looks pretty much the same to me, assuming your 192.168.1.0 and 192.168.2.0 networks are additional subnets at the far end, which they pretty clearly are. I also assume you pruned the local network entry.

Answers to your questions:

1. "From first subnet..." - yes, this is set to Route.

2. 10.0.3.11 - assuming your question is about the gateway setting in that device's TCP/IP settings, yes it is set to 10.0.3.1.

3. There's no Route Policy Diagnosis tool within the GUI of either of the models I have, which are a 2860 and a BX2000.


15 Feb 2018 22:51 #90752 by ncollingridge
Replied by ncollingridge on topic Re: Routing across LAN-LAN VPN - help please
Your question regarding the gateway setting for the server on the remote network, and the obvious need for there to be a return path, did get me searching and there is one thing I have found that seems a bit odd. Here is the relevant part of the routing table from the remote router:

Code:
C~   10.0.3.0/ 255.255.255.0 directly connected LAN1
S~   10.0.1.0/ 255.255.255.0 via 10.0.3.102 VPN-1
C~   10.0.3.102/ 255.255.255.255 directly connected VPN-1


The return path seems to be coming back via an IP address which is within the DHCP pool, rather than via the router itself. This is despite the Local Network IP field in LAN-LAN TCP/IP Network Settings being most definitely set to 10.0.3.1. When I look at the DHCP Table this is what it says:

Code:
LAN1 : 10.0.3.1/255.255.255.0, DHCP server: On
Index     IP Address          MAC Address         Leased Time    HOST ID
3         10.0.3.102          Interface: 10       REMOTE VPN IP  VPN-1


Is this normal? It seems rather odd to me that all packets coming from the remote end should be sent over the VPN via what I imagine is a virtual IP Address.

If I check in LAN->Bind IP to MAC, I can see that 10.0.3.102 is shown with the MAC address of the router's active LAN connection next to it.

