  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4666

Creating a VPN with a Draytek router to multiple remote subnets

I've been using Draytek routers for years and I'm familiar with their setup and functionality. Until recently all routers within the company have been Draytek. We have, however, replaced the Draytek in the main office with a Cyberoam CR25i UTM to increase security.

We were set up in a hub and spoke arrangement and the remote locations could access the other remote locations through the VPN to the main site. This was done by a simple static route set as a route via the LAN to the gateway of the main office. Since replacing the Draytek with the Cyberoam, this hub and spoke arrangement hasn't worked. It wasn't a major issue so I never investigated it.

We are now changing over to a new subnet at the main office and are running the two side by side during the testing phase. This has caused a major problem with the VPNs. The VPNs can only access the network specified on the main VPN page. Adding extra subnets (clicking on More allows you to add in more subnets) or adding static routes doesn't work.

I thought the issue was with the Cyberoam, but after lots of testing with Cyberoam's support team we identified that the Cyberoam wasn't receiving any traffic for the additional subnets. So the issue is with the Draytek.

I could create a second VPN to the main site to access the new subnet, but we are deploying an essential business server behind our existing firewall. This has a built-in gateway/firewall that has to be used. So the network setup for the new network is as follows:

Cyberoam firewall/VPN/gateway
|
10.0.0.0/24
|
EBS firewall/gateway
|
10.10.10.0/24 main network

So I have had to create a route on the cyberoam for the 10.10.10.0/24 network via 10.0.0.0 (external EBS gateway address).

Again the Draytek fails as it can only connect to the first subnet, so I have no way of connecting to the main network.

I could change to using the EBS gateway as the VPN gateway rather than the Cyberoam; this would solve the problem of accessing the main network, but something in my head says I should use the Cyberoam as the VPN gateway.

Does anyone have any experience connecting to a Windows Server from a Draytek with an IPSEC VPN? Do multiple remote subnets work?

Has anyone got multiple remote subnets working with a Draytek?

What routers do people use that allow for multiple remote subnets (tight budget)?

Asked by b_squared
1 Solution
 
Rick_O_Shay commented:
I think you said you created the new static route using the external address as the next hop. That should be the tunnel endpoint's address not the external router's address.
 
b_squared (Author) commented:
If I create the route, I use the internal endpoint and the route is via the LAN (can only choose between LAN and WAN). If you use the More button and add extra remote subnets, the routes are created by the router with the external address of the VPN, but it is routed via VPN in the table.
 
Rick_O_Shay commented:
If the routes are getting added correctly then is there a firewall rule/policy that needs to be added to allow communications with the new subnet?
 
b_squared (Author) commented:
It is stupid Draytek.
If you have a LAN to LAN VPN from a Draytek to a Draytek, then you can have multiple subnets at each end. Also, if you are set up in a hub and spoke VPN setup using all Drayteks, then the hubs can communicate with each other.
If you have a LAN to LAN VPN with a Draytek and a router from another manufacturer, then you can only have 1 subnet on the remote (non-Draytek) end. I have no idea of the reasoning, but these are the limitations of the devices.
I have worked around the issue by having 3 VPNs from the remote location to the main location. This allows me to communicate with all 3 subnets at the main location.
If I want to communicate with other remote subnets, I would need to create a VPN for each remote location (assuming a single subnet), so with 6 remote locations that would be 8 VPNs at each remote location: 3 to the main location (3 subnets) and 1 to each of the other remote locations. So that's 18 VPNs from the main office to each site and 15 VPNs to create the spider web between the remote locations. 33 VPNs in total because Draytek have enforced a stupid rule/badly coded their routers.
I hope this information will help someone in the future.
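Added example (not from the poster, Draytek or Cyberoam): a small Python model of how a policy-based IPsec router decides whether a packet enters a tunnel. It illustrates the symptom in the question (a static route for the second hub subnet pointing at the LAN gateway never feeds that traffic into the tunnel, so the far end sees nothing for it) and the tunnel-count arithmetic from the comment above. The only addresses taken from the thread are the hub subnets 10.0.0.0/24 and 10.10.10.0/24; the remote LAN, its gateway and the WAN next hop are constructed placeholders, and the selector-matching logic is a generic model rather than any vendor's implementation.

```python
from ipaddress import ip_address, ip_network


class PolicyTunnel:
    """One LAN-to-LAN IPsec tunnel described by its traffic selectors.

    A policy-based tunnel only carries packets whose source and destination
    fall inside a configured local/remote selector pair; anything else is
    handed to the ordinary routing table and leaves the router unencrypted.
    """

    def __init__(self, name, local_nets, remote_nets):
        self.name = name
        self.local_nets = [ip_network(n) for n in local_nets]
        self.remote_nets = [ip_network(n) for n in remote_nets]

    def matches(self, src, dst):
        return any(src in n for n in self.local_nets) and any(
            dst in n for n in self.remote_nets
        )


def route_packet(src, dst, tunnels, static_routes):
    """Decide where a packet from the remote LAN goes.

    Returns ("tunnel", name) when a selector matches; otherwise the
    longest-prefix static route as ("route", next_hop), or ("drop", None).
    """
    src, dst = ip_address(src), ip_address(dst)
    for tunnel in tunnels:
        if tunnel.matches(src, dst):
            return ("tunnel", tunnel.name)
    best = None
    for prefix, next_hop in static_routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return ("route", best[1]) if best else ("drop", None)


def tunnel_count(hub_subnets, remote_sites):
    """Tunnels needed when each VPN profile can carry only one remote subnet.

    Returns (hub-to-site tunnels, site-to-site mesh tunnels, total).
    """
    hub_to_sites = hub_subnets * remote_sites
    site_mesh = remote_sites * (remote_sites - 1) // 2
    return hub_to_sites, site_mesh, hub_to_sites + site_mesh


def per_site_tunnels(hub_subnets, remote_sites):
    """Profiles one remote router holds: one per hub subnet, one per other remote site."""
    return hub_subnets + (remote_sites - 1)


# Constructed topology (assumption): 192.168.1.0/24 is the LAN behind the remote
# router and 192.168.1.1 its LAN address; 203.0.113.1 is a placeholder WAN gateway.
# The hub subnets 10.0.0.0/24 and 10.10.10.0/24 are the ones named in the question.
REMOTE_LAN = "192.168.1.0/24"
TUNNELS_SINGLE = [PolicyTunnel("main-10.0.0.0", [REMOTE_LAN], ["10.0.0.0/24"])]
TUNNELS_WORKAROUND = TUNNELS_SINGLE + [
    PolicyTunnel("main-10.10.10.0", [REMOTE_LAN], ["10.10.10.0/24"])
]
# The static route the question describes: the extra hub subnet "via the LAN gateway".
STATIC_ROUTES = [("0.0.0.0/0", "203.0.113.1"), ("10.10.10.0/24", "192.168.1.1")]

if __name__ == "__main__":
    print(route_packet("192.168.1.10", "10.0.0.5", TUNNELS_SINGLE, STATIC_ROUTES))
    print(route_packet("192.168.1.10", "10.10.10.5", TUNNELS_SINGLE, STATIC_ROUTES))
    print(route_packet("192.168.1.10", "10.10.10.5", TUNNELS_WORKAROUND, STATIC_ROUTES))
    print(tunnel_count(3, 6), per_site_tunnels(3, 6))
```

With only the first selector configured, a packet for 10.10.10.5 misses the tunnel and follows the static route to the LAN gateway in the clear, which is consistent with the far-end firewall never seeing traffic for that subnet; adding a second profile whose selector covers 10.10.10.0/24 is what makes it encrypt. The practical check is therefore to confirm that every remote subnet you expect to be protected appears in some tunnel's selectors, since traffic outside all selectors is routed, not dropped. For 3 hub subnets and 6 remote sites the count function gives 18 hub-to-site tunnels, 15 mesh tunnels and 33 in total, with 8 profiles per remote router, matching the figures in the comment.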
