DrayTek UK Users' Community Forum


2955-2960: Site to Site VPN works only one way

25 Feb 2020 09:54 #1 by peter-h
Packets (ping etc) in either direction bring up the VPN ok.

But 2955 to 2960 there is no connectivity, except that I can ping the remote router's IP.

2955 LAN is 192.168.3.*
2960 LAN is 192.168.1.*

I have tried various combinations of .0 and .1 in this area. On the 2960 both must be .0 otherwise the auto packet trigger mode doesn't work to bring the VPN up. I spent days on this...
On the 2955 it doesn't matter; currently I have .0 and .1 as I had 2955-2955 for years. So I don't think that is the problem.

From the 2955 end I can ping 192.168.1.1 but nothing else can be pinged. But pinging say 192.168.1.33 brings up the VPN correctly, regardless of whether .33 is a device.

Can anyone suggest how I could debug this? It was actually working at some point a few days ago.

Setting the firewall default mode to Accept doesn't fix it. But it is possible that a firewall rule is needed.

I had a similar issue with a "teleworker" PPTP VPN where the caller got access to 192.168.1.* ok but got no internet access. It needed a fw rule to pass packets from the PPTP caller's username to the WAN. One can understand this, perhaps, but the 2955 didn't have this issue. However the site-site VPN has no "username".

Many thanks in advance for any tips. I don't know if the ping is failing on the way there or on the way back...


27 Feb 2020 11:57 #2 by peter-h
An update in case somebody wanders in here 100 years from now :)

It was solved.

The 2960 presents site to site VPN callers with the IP of their local LAN, whereas the 2955 presents them with some local-to-2955-LAN IP.

Adding a firewall rule to the 2960-end PC to let in the caller's IP (the IP of his actual PC, or perhaps the range of his whole LAN) makes it work.

This is required on win7 onwards. On winXP the firewall rule is not needed for some reason.


01 Mar 2020 09:41 #3 by peter-h
What the above means is that anybody following the original Mikey's Guides with a 2960, and client machines running win7 or higher, is not going to get a site-site VPN to work.

We found this only because ONE device on the LAN didn't have any kind of firewall, and could always be pinged remotely. That was a clue, but I didn't spot it. Somebody else (on Usenet) did. Another thing I failed to spot is that there were two winXP machines on that LAN, no longer used, hence I forgot about them, which also could be accessed because the XP default firewall settings didn't block it.

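The fix described in #2, written out as an added example (not from the thread, not DrayTek's or Microsoft's own guidance): because the 2960 passes the caller's real source address through the site-to-site tunnel, a Windows 7-or-later PC at the 2960 end sees inbound packets from 192.168.3.x, which its default rules do not admit. The rules below use netsh advfirewall (present on Windows 7 and later) and are scoped to the remote 2955 LAN 192.168.3.0/24 from the thread rather than to "any"; the rule names, and the choice of ports 445 and 3389, are assumptions for illustration.

```powershell
# Added example: scoped inbound rules on a 2960-end PC for hosts on the
# remote 2955 LAN reached over the site-to-site VPN. Run from an elevated
# PowerShell prompt. netsh advfirewall is used (rather than
# New-NetFirewallRule) because it also exists on Windows 7.

$RemoteVpnLan = "192.168.3.0/24"   # the 2955 LAN, as seen by the 2960 (from the thread)

# 1. ICMPv4 echo request (type 8) from the remote LAN only, so the
#    2955-side ping test succeeds without opening ping to everyone.
netsh advfirewall firewall add rule `
    "name=VPN-Allow-ICMP-from-2955-LAN" `
    dir=in action=allow enable=yes profile=any `
    protocol=icmpv4:8,any "remoteip=$RemoteVpnLan"

# 2. The services actually needed across the tunnel, one rule each,
#    still limited to the remote LAN. Ports are assumed; adjust to the site.
netsh advfirewall firewall add rule `
    "name=VPN-Allow-SMB-from-2955-LAN" `
    dir=in action=allow enable=yes profile=any `
    protocol=tcp localport=445 "remoteip=$RemoteVpnLan"

netsh advfirewall firewall add rule `
    "name=VPN-Allow-RDP-from-2955-LAN" `
    dir=in action=allow enable=yes profile=any `
    protocol=tcp localport=3389 "remoteip=$RemoteVpnLan"

# 3. Confirm the rules exist and that the RemoteIP scope is what was intended.
netsh advfirewall firewall show rule "name=VPN-Allow-ICMP-from-2955-LAN" verbose
netsh advfirewall firewall show rule "name=VPN-Allow-SMB-from-2955-LAN" verbose
netsh advfirewall firewall show rule "name=VPN-Allow-RDP-from-2955-LAN" verbose
```

Scoping to the remote subnet, rather than allowing the caller's single PC address or "any", keeps the rule working when the remote LAN has more than one host while still refusing the same traffic from the internet side.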