DrayTek UK Users' Community Forum

Creating VPN using multiple Draytek Routers

07 Jun 2019 13:53 #1 by robert g.
Hi Guys

I was wondering if anybody ever attempted something similar...

We have two branches connected via VPN using Draytek Router.

One of the branches have second Draytek Router on LAN, we use it to separate specific Server from the rest of Data network, and allow users to access Server's data, while not allowing Server to access rest of the Data network.

So topology is:
Server connecting to WAN of Draytek Router.
LAN of Draytek Router connecting to Data network.
Data network connecting to LAN of another Draytek Router
That Draytek Router connecting via VPN to another branch.

We have a problem where users of different branch can ping the Router used to separate the Server, but cannot access any resources on the Server. While users of the main branch can still access it.

I was wondering if there is a possibility of accessing the Server from other branches by creating VPN to the separating Router, using existing VPN configured between branches.

I appreciate it must be terrible explanation of the Setup, attached a diagram showing how the networks are connected. In short we can access the Resources from the office with the Server in the bottom left, but it fails when trying to do the same from one of the other branches with additional Router in between.
https://imgur.com/gutz91d

07 Jun 2019 17:21 #2 by hornbyp
Robert G. wrote:
We have a problem where users of different branch can ping the Router used to separate the Server, but cannot access any resources on the Server...In short we can access the Resources from the office with the Server in the bottom left, but it fails when trying to do the same from one of the other branches with additional Router in between.

Can they Ping the server?...does Traceroute show your Routing to be as you expect it?
Or maybe it's related to the protocols used to access this server...perhaps they're broadcast-based and don't travel over the VPN?

Robert G. wrote:
I was wondering if there is a possibility of accessing the Server from other branches by creating VPN to the separating Router, using existing VPN configured between branches.

Aside from the difficulty of getting VPN protocols to work over a VPN, the 'separating router' will only respond to VPN connections on its WAN port (or at least, that's what I discovered, when playing with something similar)

10 Jun 2019 10:52 #3 by robert g.

hornbyp wrote:
Can they Ping the server?...does Traceroute show your Routing to be as you expect it?
Or maybe it's related to the protocols used to access this server...perhaps they're broadcast-based and don't travel over the VPN?

Aside from the difficulty of getting VPN protocols to work over a VPN, the 'separating router' will only respond to VPN connections on its WAN port (or at least, that's what I discovered, when playing with something similar)

Thanks for your response. We are in fact unable to Ping the Server. Traceroute shows connection goes as planned, but it cannot ping Server's IP Address, can ping Separating Router as the last available hop.

We have a Static Route created allowing devices on the network to access the Server, but when I'm setting up a similar Static Route for other branches it does not help.

It does sound like only way to make it work would require Separation WAN to be connected to the data network.

11 Jun 2019 03:04 #4 by hornbyp

Robert G. wrote:
We are in fact unable to Ping the Server. Traceroute shows connection goes as planned, but it cannot ping Server's IP Address, can ping Separating Router as the last available hop.

We have a Static Route created allowing devices on the network to access the Server, but when I'm setting up a similar Static Route for other branches it does not help.

It does sound like only way to make it work would require Separation WAN to be connected to the data network.

The fact that Routing isn't working, is surely the root of your problem :)

The VPN "Lan-to-Lan Profiles" on the remote Drayteks, need 192.168.50.253/32 adding via the "More" dialogue. You could possibly use the "Route Policy" mechanism instead, but I think it's less appropriate in this situation. The other alternative (a Static Route), may not actually be possible with something that's 'dynamic', i.e. a VPN.

In any case, don't forget, the Routing on the remote nodes, will be "192.168.50.253/32 => 192.168.21.254" and not "192.168.50.253/32 => 192.168.21.240". The "More" option is the simplest, because you're just saying "192.168.50.253/32 is at the other end of this tunnel...whatever that happens to be".

Updated

You may also need to add Static Routes to the 'Separating Router', so that it knows 192.168.23.0 and 192.168.22.0 are to be found via 192.168.21.254 (otherwise the Return Path doesn't exist)

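The routing point hornbyp makes (the remote router needs the /32 across the tunnel, and the separating router needs a return route back to the branch LANs) can be checked in a small forwarding simulation. This is an added example, not DrayTek firmware or configuration; the topology is constructed from the addresses in the thread, and the host address 192.168.22.10, the separating router's WAN address 192.168.50.254 and the black-hole node wan_side are assumptions.

```python
import ipaddress
# Added example, not DrayTek code. Constructed topology with the thread's addresses:
#   remote LAN 192.168.22.0/24 behind remote_rtr <-VPN-> main_rtr (192.168.21.254)
#   sep_rtr (192.168.21.240 LAN / 192.168.50.254 WAN, assumed) fronts server 192.168.50.253
# Routes are (prefix, next_hop_node); None = on-link delivery; wan_side = constructed black hole.

def node(addrs, routes):
    return {"addrs": {ipaddress.ip_address(a) for a in addrs},
            "routes": [(ipaddress.ip_network(p), nh) for p, nh in routes]}

def build(separating_has_return_route):
    sep = [("192.168.21.0/24", None), ("192.168.50.0/24", None), ("0.0.0.0/0", "wan_side")]
    if separating_has_return_route:  # hornbyp's "Updated" advice: return route via .254
        sep.insert(0, ("192.168.22.0/24", "main_rtr"))
    return {
        "remote_host": node(["192.168.22.10"], [("0.0.0.0/0", "remote_rtr")]),
        "remote_rtr": node(["192.168.22.254"], [("192.168.22.0/24", None), ("192.168.21.0/24", "main_rtr"),
                                               ("192.168.50.253/32", "main_rtr")]),  # the "More" /32 entry
        "main_rtr": node(["192.168.21.254"], [("192.168.21.0/24", None), ("192.168.22.0/24", "remote_rtr"),
                                             ("192.168.50.253/32", "sep_rtr")]),  # existing static route
        "sep_rtr": node(["192.168.21.240", "192.168.50.254"], sep),
        "server": node(["192.168.50.253"], [("0.0.0.0/0", "sep_rtr")]),
        "wan_side": node([], []),
    }

def lookup(n, dst):  # longest-prefix match; None when the table has no matching entry
    hits = [(net, nh) for net, nh in n["routes"] if dst in net]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(nodes, start, dst):
    """Hop-by-hop forwarding. Returns (delivered, path); path ends where the packet died."""
    dst, path, cur = ipaddress.ip_address(dst), [start], start
    for _ in range(8):  # loop guard
        if dst in nodes[cur]["addrs"]:
            return True, path
        hit = lookup(nodes[cur], dst)
        if hit is None:
            return False, path
        # on-link route: hand the packet to whichever node owns the address
        nxt = hit[1] or next((k for k, v in nodes.items() if dst in v["addrs"]), None)
        if nxt is None:
            return False, path
        path.append(nxt)
        cur = nxt
    return False, path

def round_trip(separating_has_return_route):
    nodes = build(separating_has_return_route)
    return (trace(nodes, "remote_host", "192.168.50.253"), trace(nodes, "server", "192.168.22.10"))
```

With the return route absent, the request reaches the server but the reply is forwarded out the separating router's WAN and dies, which matches the "can ping the router, not the server" symptom; adding the 192.168.22.0/24 route via 192.168.21.254 completes the round trip.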