Creating a VPN with a Draytek router to multiple remote subnets

I've been using Draytek routers for years and I'm familiar with their setup and functionality. Until recently all routers within the company have been Draytek. We have however replaced the Draytek in the main office with a Cyberoam Cr25i UTM to increase security.

We were set up in a hub and spoke arrangement and the remote locations could access the other remote locations through the VPN to the main site. This was done by a simple static route set as a route via the LAN to the gateway of the main office. Since replacing the Draytek with the Cyberoam, this hub and spoke arrangement hasn't worked. It wasn't a major issue so I never investigated it.

We are now changing over to a new subnet at the main office and are running the 2 side by side during the testing phase. This has caused a major problem with the VPNs. The VPNs can only access the network specified on the main VPN page. Adding extra sites (clicking on More allows you to add in more subnets) or adding static routes doesn't work.

I thought the issue was with the Cyberoam, but after lots of testing with Cyberoam's support team we identified that the Cyberoam wasn't receiving any traffic for the additional subnets. So the issue is with the Draytek.

I could create a second VPN to the main site to access the new subnet, but we are deploying an essential business server behind our existing firewall. This has a built-in gateway/firewall that has to be used. So the network setup for the new network is as follows:

Cyberoam firewall/VPN/gateway
|
10.0.0.0/24
|
EBS firewall/gateway
|
10.10.10.0/24 main network

So I have had to create a route on the cyberoam for the 10.10.10.0/24 network via 10.0.0.0 (external EBS gateway address).

Again the Draytek fails as it can only connect to the first subnet, so I have no way of connecting to the main network.

I could change to using the EBS gateway as the VPN gateway rather than the cyberoam, this would solve the accessing the main network problem, but something in my head says I should use the Cyberoam as the VPN gateway.

Does anyone have any experience connecting to a Windows Server from a Draytek with an IPSEC VPN? Do multiple remote subnets work?

Has anyone got multiple remote subnets working with a Draytek?

What routers do people use that allow for multiple remote subnets (tight budget)?
b_squared asked:

Rick_O_Shay commented:
I think you said you created the new static route using the external address as the next hop. That should be the tunnel endpoint's address not the external router's address.
b_squared (author) commented:
If I create the route, I use the internal endpoint and the route is via the LAN (can only choose between LAN and WAN). If you use the More button and add extra remote subnets, the routes are created by the router with the external address of the VPN, but it is routed via VPN in the table.
Rick_O_Shay commented:
If the routes are getting added correctly then is there a firewall rule/policy that needs to be added to allow communications with the new subnet?
b_squared (author) commented:
It is stupid Draytek.
If you have a LAN to LAN VPN with a Draytek to a Draytek, then you can have multiple subnets at each end. Also if you are setup in a hub and spoke VPN setup using all Drayteks then the hubs can communicate with each other.
If you have a LAN to LAN VPN with a Draytek and a router from another manufacturer, then you can only have 1 subnet on the remote (non-Draytek) end. I have no idea on the reasoning, but this is the limitation of the devices.
I have worked around the issue by having 3 VPNs from the remote location to the main location. This allows me to communicate with all 3 subnets at the main location.
If I want to communicate with other remote subnets, I would need to create a VPN for each remote location (assuming a single subnet), so with 6 remote locations, that would be 8 VPNs at each remote location: 3 to the main location (3 subnets) and 1 to each of the other remote locations. So that's 18 VPNs from the main office to each site and 15 VPNs to create the spider web between the remote locations. 33 VPNs in total because Draytek have enforced a stupid rule/badly coded their routers.
I hope this information will help someone in the future
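A small planner, added here and not part of the thread, that enumerates the tunnels the workaround above requires under the stated rule (a Draytek LAN-to-LAN tunnel to a non-Draytek peer carries one remote subnet; Draytek-to-Draytek tunnels carry many). The hub subnets beyond the two in the question, the spoke subnets and the site names are constructed assumptions; it also flags overlapping subnets, since overlapping phase-2 selectors across many tunnels are a common reason traffic lands in the wrong tunnel.

```python
from itertools import combinations
from ipaddress import ip_network

# Constructed topology mirroring the thread: a Cyberoam hub with three
# subnets (two from the question plus one assumed extra) and six Draytek
# spokes with one subnet each (spoke subnets are assumptions).
SITES = {
    "main": {"vendor": "cyberoam",
             "subnets": ["10.0.0.0/24", "10.10.10.0/24", "192.168.100.0/24"]},
}
for i in range(1, 7):
    SITES[f"spoke{i}"] = {"vendor": "draytek", "subnets": [f"192.168.{i}.0/24"]}


def tunnels_between(a, b, sites):
    """Tunnels needed between two sites as (draytek_side, peer, remote_subnets).
    A Draytek talking to a non-Draytek gets one tunnel per peer subnet;
    any other pairing is assumed to fit in a single tunnel."""
    va, vb = sites[a]["vendor"], sites[b]["vendor"]
    if va == "draytek" and vb != "draytek":
        return [(a, b, (s,)) for s in sites[b]["subnets"]]
    if vb == "draytek" and va != "draytek":
        return [(b, a, (s,)) for s in sites[a]["subnets"]]
    return [(a, b, tuple(sites[b]["subnets"]))]


def plan(sites, hub="main", mesh=True):
    """Enumerate every tunnel in the topology. mesh=True adds the direct
    spoke-to-spoke 'spider web'; mesh=False keeps only links to the hub."""
    tunnels = []
    for a, b in combinations(sorted(sites), 2):
        if not mesh and hub not in (a, b):
            continue
        tunnels.extend(tunnels_between(a, b, sites))
    return tunnels


def tunnels_at(site, tunnels):
    """Tunnels a given site must configure locally."""
    return [t for t in tunnels if site in t[:2]]


def overlapping_subnets(sites):
    """Flag subnet pairs that overlap; such selectors shadow each other."""
    nets = [(n, ip_network(s)) for n, d in sites.items() for s in d["subnets"]]
    return [(x[0], str(x[1]), y[0], str(y[1]))
            for x, y in combinations(nets, 2) if x[1].overlaps(y[1])]


if __name__ == "__main__":
    all_tunnels = plan(SITES)
    print(len(all_tunnels), "tunnels;", len(tunnels_at("spoke1", all_tunnels)), "at spoke1")
```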