Solved

How to configure static routes to other end of VPN tunnel

Posted on 2007-08-07
Medium Priority
1,652 Views
Last Modified: 2013-11-05
We have 4 locations that are linked with Linksys RV042 routers using VPN tunnels between locations.  These work OK but we are having trouble routing to certain subnets.  The layout is:
Branch 1: Cisco router (10.61.124.1) to data services provider (10.46.0.0 and 10.46.240.0 traffic), Linksys RV042 router (10.61.124.2) to ISP for Branch 1 internet access, and VPNs to Branches 2, 3, 4. Static routes Branch 1: 1. Cisco router to turn away all traffic NOT 10.46.0.0 255.255.252.0 and 10.46.240.0 255.255.255.128 and 2. RV042 to route traffic 10.46.0.0 and 10.46.240.0 to the Cisco router.

Branch 2: RV042 to ISP for internet access for Branch 2, VPN to Branch 1 and Branch 3
Branch 3: RV042 to ISP for internet access for Branch 3, VPN to Branch 1 and Branch 2
Branch 4: RV042 to ISP for internet access for Branch 4, VPN to Branch 1. Router IP addr 10.58.91.242

Here is our problem.  We need Branch 4 to route 10.46.0.0 and 10.46.240.0 traffic back to the Cisco router in Branch 1.
We tried adding a Static Route (destination: 10.46.240.0, netmask: 255.255.255.128, gateway: 10.61.124.1) to the Branch 4 routing table, but it doesn't work.  A similar static route was attempted to be added to the Windows 2000 workstation at Branch 4 and this produced an error message: "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
How can we get 10.46.0.0 and 10.46.240.0 traffic from Branch 4 to Branch 1 Cisco router and not screw up the VPNs or internet access for Branch 4?
Thanks in advance.
0
Question by:KiloMileage
9 Comments
 

Expert Comment

by:NLCIT
ID: 19646109
Quick question -- you said you tried to add a static route in a 10.0.0.0 address range using a 255.255.255.128 subnet mask?  I think your subnet is wrong.  Have you tried a 255.0.0.0 mask?
0
 
LVL 17

Expert Comment

by:mikecr
ID: 19646141
In the VPN settings of your Linksys routers, you had to specify what traffic was going to be routed across the VPN tunnel. You need to edit your VPN settings and add that network. You can't route across a VPN tunnel; it's all based on "interesting traffic".
0
 

Author Comment

by:KiloMileage
ID: 19646311
Actually the route is to 10.46.0.0 and we checked again with data service provider and the subnet should be 255.255.252.0
0
 

Author Comment

by:KiloMileage
ID: 19646394
To mikecr:
I can't add that network to the VPN already set up; the RV042 won't do that.  I can create another VPN but what would it look like?
0
 
LVL 17

Expert Comment

by:mikecr
ID: 19647161
If your remote side is all in the 10. range, then just edit the current VPN and add 10.0.0.0 255.0.0.0 which will send any 10.0 traffic to your Branch1 router. If you can't, you will need to create a secondary VPN tunnel for that subnet back to the Branch1 router.
0
 

Author Comment

by:KiloMileage
ID: 19650304
Thanks mikecr. Unfortunately all of our subnets are in 10. range and the router(s) won't allow subnet range conflicts between VPNs. Editing the current VPN as suggested creates an overlap with the other existing VPNs and the new tunnel won't save and gives an error message: "The settings of the Local Group conflict with the settings of the Remote Security Group."

I tried creating a new tunnel but the branch1 router errored with a conflict to the existing tunnel as above.
Perhaps I am not creating the secondary tunnel or editing the existing VPN correctly?
I can't create a tunnel 10.0.0.0 255.0.0.0 to 10.58.91.240 255.255.255.248 because the ends overlap?
0
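Added example (not part of the original thread or any poster's code): the two error messages quoted above, checked as plain address arithmetic with Python's `ipaddress` module. The Branch 1 LAN mask and the two host addresses are assumptions constructed for illustration; the other addresses and masks are taken from the posts.

```python
import ipaddress

def net(addr, mask):
    """Dotted address + mask -> network; raises ValueError if host bits are set."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def gateway_on_link(if_ip, if_mask, gateway):
    """A static route's next hop must lie in a subnet the device is attached to."""
    lan = ipaddress.ip_interface(f"{if_ip}/{if_mask}").network
    return ipaddress.ip_address(gateway) in lan

def tunnel_carries(local_group, remote_group, src, dst):
    """Policy-based tunnel: only traffic matching both groups enters it."""
    return (ipaddress.ip_address(src) in local_group
            and ipaddress.ip_address(dst) in remote_group)

# Values quoted in the thread
BRANCH4_LAN = net("10.58.91.240", "255.255.255.248")
BRANCH4_MASK = "255.255.255.248"
BRANCH4_ROUTER = "10.58.91.242"
CISCO_GW = "10.61.124.1"
PROVIDER_NETS = [net("10.46.0.0", "255.255.252.0"),
                 net("10.46.240.0", "255.255.255.128")]
WIDE_GROUP = net("10.0.0.0", "255.0.0.0")

# Assumptions, constructed for illustration (not stated in the thread)
BRANCH1_LAN = net("10.61.124.0", "255.255.255.192")
BRANCH4_HOST = "10.58.91.243"
PROVIDER_HOST = "10.46.240.10"

def analyse():
    return {
        # Why "gateway does not lie on the same network as the interface"
        "gateway_on_link": gateway_on_link(BRANCH4_ROUTER, BRANCH4_MASK, CISCO_GW),
        # The existing Branch 4 -> Branch 1 tunnel never sees provider-bound packets
        "tunnel_carries_provider_traffic": tunnel_carries(
            BRANCH4_LAN, BRANCH1_LAN, BRANCH4_HOST, PROVIDER_HOST),
        # 10.0.0.0/8 as remote group contains the local group itself
        "wide_group_overlaps_branch4": WIDE_GROUP.overlaps(BRANCH4_LAN),
        # Arithmetic only; says nothing about what the RV042 firmware accepts
        "provider_nets_overlap_branch4": any(
            n.overlaps(BRANCH4_LAN) for n in PROVIDER_NETS),
    }

if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```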
 
LVL 17

Expert Comment

by:mikecr
ID: 19652865
I'll have to think about this one for a little bit. The error that you're getting is probably because you already have that tunnel endpoint set up and it won't let you create another one to it.
0
 

Author Comment

by:KiloMileage
ID: 19656169
If I got another (new) VPN router, changed the ip of the present branch1 router to 1 higher ip address (x.x.x.3 instead of x.x.x.2), modify the present VPNs to reflect router ip change, modify the present vpn tunnel from branch1 to branch4 to x.x.x.3 - x.x.x.63 (exclude x.x.x.1 - x.x.x.2) ip addresses, give the new router x.x.x.2 ip address, create a vpn tunnel branch1 to branch4 using just the branch4 subnet ip address and the x.x.x.2 router as the endpoints, then static route 10.46.0.0 traffic from the x.x.x.2 router to the x.x.x.1 router (which is the router we need to reach to get to 10.46.0.0 subnet), would it work? Or would I have the same problem? I will think about this some.
0
 

Accepted Solution

by:
KiloMileage earned 0 total points
ID: 20950613
No way the Linksys router can handle the subnets that have to be used, i.e. 255.255.255.128.  This is from Linksys tech support lead tech. The solution is to use a Cisco router that can use the subnets required.
0
