How to configure static routes to other end of VPN tunnel

KiloMileage asked:

We have 4 locations that are linked with Linksys RV042 routers using VPN tunnels between locations. These work OK but we are having trouble routing to certain subnets. The layout is:
Branch 1: Cisco router (10.61.124.1) to data services provider (10.46.0.0 and 10.46.240.0 traffic), Linksys RV042 router (10.61.124.2) to ISP for Branch 1 internet access, and VPNs to Branches 2, 3, 4. Static routes at Branch 1: 1. Cisco router to turn away all traffic NOT 10.46.0.0 255.255.252.0 and 10.46.240.0 255.255.255.128, and 2. RV042 to route traffic 10.46.0.0 and 10.46.240.0 to the Cisco router.
 
Branch 2: RV042 to ISP for internet access for Branch 2, VPN to Branch 1 and Branch 3
Branch 3: RV042 to ISP for internet access for Branch 3, VPN to Branch 1 and Branch 2
Branch 4: RV042 to ISP for internet access for Branch 4, VPN to Branch 1. Router IP addr 10.58.91.242

Here is our problem.  We need Branch 4 to route 10.46.0.0 and 10.46.240.0 traffic back to the Cisco router in Branch 1.
We tried adding a Static Route (destination: 10.46.240.0, netmask: 255.255.255.128, gateway: 10.61.124.1) to the Branch 4 routing table, but it doesn't work. We also attempted to add a similar static route to the Windows 2000 workstation at Branch 4, and this produced an error message: "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
How can we get 10.46.0.0 and 10.46.240.0 traffic from Branch 4 to the Branch 1 Cisco router and not screw up the VPNs or internet access for Branch 4?
Thanks in advance.
NLCIT:

Quick question: you said you tried to add a static route in a 10.0.0.0 address range using a 255.255.255.128 subnet mask? I think your subnet is wrong. Have you tried a 255.0.0.0 mask?
mikecr:

In the VPN settings of your Linksys routers, you had to specify what traffic was going to be routed across the VPN tunnel. You need to edit your VPN settings and add that network; you can't route across a VPN tunnel, it's all based on "interesting traffic".
KiloMileage (asker):

Actually the route is to 10.46.0.0 and we checked again with data service provider and the subnet should be 255.255.252.0
to mikecr:
I can't add that network to the VPN already setup, the rv042 won't do that.  I can create another VPN but what would it look like?  

mikecr:

If your remote side is all in the 10. range, then just edit the current VPN and add 10.0.0.0 255.0.0.0, which will send any 10.0 traffic to your Branch 1 router. If you can't, you will need to create a secondary VPN tunnel for that subnet back to the Branch 1 router.

KiloMileage:
Thanks mikecr. Unfortunately all of our subnets are in the 10. range and the router(s) won't allow subnet range conflicts between VPNs. Editing the current VPN as suggested creates an overlap with the other existing VPNs, and the new tunnel won't save and gives the error message: "The settings of the Local Group conflict with the settings of the Remote Security Group."

I tried creating a new tunnel but the Branch 1 router errored with a conflict with the existing tunnel, as above.
Perhaps I am not creating the secondary tunnel or editing the existing VPN correctly?
I can't create a tunnel 10.0.0.0 255.0.0.0 to 10.58.91.240 255.255.255.248 because the ends overlap?

I'll have to think about this one for a little bit. The error that you're getting is probably because you already have that tunnel endpoint set up and it won't let you create another one to it.

KiloMileage:

If I got another (new) VPN router, changed the IP of the present Branch 1 router to one higher IP address (x.x.x.3 instead of x.x.x.2), modified the present VPNs to reflect the router IP change, modified the present VPN tunnel from Branch 1 to Branch 4 to x.x.x.3 - x.x.x.63 (excluding x.x.x.1 - x.x.x.2) IP addresses, gave the new router the x.x.x.2 IP address, created a VPN tunnel Branch 1 to Branch 4 using just the Branch 4 subnet IP address and the x.x.x.2 router as the endpoints, then static routed 10.46.0.0 traffic from the x.x.x.2 router to the x.x.x.1 router (which is the router we need to reach to get to the 10.46.0.0 subnet), would it work? Or would I have the same problem? I will think about this some.
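An added example (mine, not from the thread, Linksys or the Experts Exchange solution) that models in Python's `ipaddress` module the two failures discussed above: the Windows static route whose gateway 10.61.124.1 is not on a directly connected subnet at Branch 4, and the policy-based RV042 tunnel that only encrypts traffic matching its Local/Remote Security Groups and refuses overlapping selectors. The Branch 1 LAN mask (/26) and the exact overlap rules are assumptions, not RV042 firmware logic.

```python
from ipaddress import ip_address, ip_interface, ip_network


def gateway_reachable(interfaces, gateway):
    """True if `gateway` lies on a directly connected interface (CIDR
    strings). A static route to an off-link gateway is rejected, which
    is the Windows 2000 error the poster saw for 10.61.124.1 at Branch 4."""
    gw = ip_address(gateway)
    return any(gw in ip_interface(i).network for i in interfaces)


def tunnel_carries(tunnels, src, dst):
    """Name of the first tunnel whose (local, remote) selectors match the
    packet, or None. A policy-based tunnel only encrypts 'interesting'
    traffic; everything else follows the ordinary routing table."""
    s, d = ip_address(src), ip_address(dst)
    for name, local, remote in tunnels:
        if s in ip_network(local) and d in ip_network(remote):
            return name
    return None


def selector_problem(tunnels, local, remote):
    """Simplified model (an assumption, not RV042 firmware logic) of the
    two refusals in the thread: the local and remote groups of one
    tunnel may not overlap, and a new pair may not overlap the matching
    selector of an existing tunnel. Returns a reason string or None."""
    l, r = ip_network(local), ip_network(remote)
    if l.overlaps(r):
        return "local group overlaps remote group"
    for name, tl, tr in tunnels:
        if l.overlaps(ip_network(tl)) or r.overlaps(ip_network(tr)):
            return f"overlaps existing tunnel {name}"
    return None


# Constructed from the thread: Branch 4 LAN 10.58.91.240/29 with the RV042
# at .242; Branch 1 LAN assumed to be 10.61.124.0/26 (the x.x.x.3-.63 remark).
BRANCH4_IFACES = ["10.58.91.242/29"]
BRANCH4_TUNNELS = [("to-branch1", "10.58.91.240/29", "10.61.124.0/26")]

if __name__ == "__main__":
    print(gateway_reachable(BRANCH4_IFACES, "10.61.124.1"))                # False
    print(tunnel_carries(BRANCH4_TUNNELS, "10.58.91.245", "10.46.240.5"))  # None
    print(selector_problem(BRANCH4_TUNNELS, "10.58.91.240/29", "10.0.0.0/8"))
```

The last call reproduces the "Local Group conflict" refusal: a 10.0.0.0/8 remote group swallows the Branch 4 LAN itself, so the packet for 10.46.240.5 is never interesting traffic and leaves via the ISP default route.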
ASKER CERTIFIED SOLUTION
KiloMileage