Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 368
  • Last Modified:

Linksys RV042 x 3 sites + Routing issues

Diagram:
                                                          216.191.xxx.xxx
                                                                   |
                                                                   |
                                                             10.10.0.0
                                                       CORPORATE SITE
                                                                   |
                                                                   |
                                            VPN ------- 10.10.0.50-------VPN
                                              |                                       |
                                              |                                       |
                                        12.146.xxx.xxx                     69.159.xxx.xxx
                                        Remote Site A                      Remote Site B
                                         10.90.0.0                             10.100.0.0

Situation: VPN tunnels are established and Corporate can talk to both Remote sites.  But, Remote Sites cannot talk to eachother.  

Any Ideas?  
If I do a tracert from Remote Site A to B, the first hop is the router(10.90.0.1), then it goes to the external address (12.146.xxx.xxx) instead of the LAN address 10.10.0.50 on the other side of the VPN tunnel.  
0
mt360
Asked:
mt360
1 Solution
 
lrmooreCommented:
You will have to create separate tunnels from Site A to B
0
 
mt360Author Commented:
Can I not use static routing with these devices?  
0
 
lrmooreCommented:
No. The Linksys at Corp cannot route between the VPN tunnels.
If you want A to talk to B, simply add another direct tunnel between them
   
           Corp
           |     |
          A --- B
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
pkarlsonCommented:
I agree but he'd probably have to swap out the equipment at A&B if they couldn't establish the tunnel between the sites.

Couldn't he also add four static routes
1. To Corp that routes traffic from Remote Site A to Remote Site B
    Destination IP Address: 10.100.0.0
    Gateway: 69.159.XXX.XXX
2. To Corp that routes traffic from B to A
    Destination IP Address: 10.90.0.0
    Gateway: 12.146.XXX.XXX

3. To Remote Site A that routes all traffic destined for B through Corp
    Destination IP Address: 10.100.0.0
    Gateway: 216.191.xxx.xxx or maybe the internal VPN address 10.10.0.50


4. To Remote Site B that routes all traffic destined for A through Corp
    Destination IP Address: 10.90.0.0
    Gateway: 216.191.xxx.xxx or maybe the internal VPN address 10.10.0.50


 
0
 
lrmooreCommented:
No can do.
The VPN tunnels are established with traffic match rules, not routing entries. Traffic that matches rule 1, for example, a VPN tunnel is defined with "local secure goup" destined for "remote secure group" goes to remote secure Gateway. The tunnel is maintained with traffic source IP <local> destination <remote>, gateway 12.34.56.7

Define tunnel 1 to Site A
 Local secure group 192.168.100.0/24
   Remote secure group 192.168.200.0/24
     Gateway 12.34.56.7

Define tunnel 2 to Site B
  Local secure group 192.168.100.0/24
   Remote secure group 192.168.30.0/24
     Gateway 63.22.55.77

Now, what I cannot do is define another tunnel to site A or B, using the remote secure group now as the local secure group:
  No can do:
    Define tunnel 3 to site B, for Site A traffic
     Local secure group 192.168.200.0/24 <= ? tunnel 1 already defines this as a "remote group"
                                                                   I can't make it both a remote and a local group
       Remote secure group 192.168.30.0/24

While at the same time, on Site A, I would have to define Site B's subnet as my remote secure group, pointing it to Corp, Corp then turns around and re-directs through tunnel 3
It just can't happen that way.
Again, it's not a routing issue, it's the way IPSEC tunnels get created..the traffic must originate on the Local LAN.
0
 
mac_3ceCommented:
I have talked to Linksys and they also confired the fact that the only way to have all sites see eachother is with seperate vpns connect each one to the other.
0
 
lrmooreCommented:
Do you need any more assistance or information?
Can you close out this long-forgotten question?
Here's how:
http://www.experts-exchange.com/help.jsp#hs5

Thanks!
<8-}
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now