Routing Subnets over Draytek VPN

Hi All
Struggling with a routing problem using 2 Draytek Vigor2820 which have a VPN between them and three subnets - 2 on one side of one Draytek, 1 on the other Draytek.  The Main Office accepts persistent VPN connection from Remote Office 24/7.  The clients in the Remote Office cannot reach the clients in both subnets in the Main Office.  The clients in the Main Office can reach the clients in the Remote Office.

Main Office Draytek
IP =192.168.1.254
2 subnets have access 192.168.0.0/24 and 192.168.2.0/24 via
NAT GW 192.168.1.250 (RRAS external NIC on 2K8 server)
Static Routes set on Draytek:
192.168.0.0/24 > GW 192.168.0.94 (RRAS internal NIC on 2K8 server)
192.168.0.2/24 > GW 192.168.2.250 (RRAS internal NIC on 2K8 server)
Routing between 1.0/24, 2.0/24 and 0.0/24 all OK within this side.  Also all clients in either 0.0/24 or 2.0/24 can ping any client in 10.0/24 via VPN link.  The Main Office Draytek uses 192.168.1.50 to create its end of the VPN tunnel to 192.168.10.254.

Main Office Draytek Routing Table:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via external IP,   WAN1
*          external IP/ 255.255.255.255 via external IP,   WAN1
S       external IP/ 255.255.255.255 via external IP,   WAN1
S~       192.168.10.0/   255.255.255.0 via 192.168.1.50,    VPN
S         192.168.0.0/   255.255.255.0 via 192.168.0.94,    LAN
C~       192.168.1.50/ 255.255.255.255 is directly connected,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
S         192.168.2.0/   255.255.255.0 via 192.168.2.250,    LAN


Remote Office Draytek
IP =192.168.10.254
1 subnet 192.168.10.0/24 via
GW 192.168.10.254
All clients can ping 192.168.1.250, but can go no further and cannot get to the 0.0/24 or 2.0/24 subnets no matter what routes I add to the Remote Office Draytek.  I have tried using a static route of 0.0/24 via 192.168.1.254 and 192.168.1.50 and 192.168.1.250 and the 192.168.0.94, but all give me no ping from Remote to Main.

Remote Office Draytek Routing Table:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via external IP,   WAN1
S       external IP/ 255.255.255.255 via external IP,   WAN1
*         external IP/ 255.255.255.255 via external IP,   WAN1
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S         192.168.0.0/   255.255.255.0 via 192.168.1.254,    LAN
C~      192.168.1.254/ 255.255.255.255 is directly connected,    VPN
S~        192.168.1.0/   255.255.255.0 via 192.168.1.254,    VPN

Routing Table of RRAS Server if required:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.250    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.94    266
     192.168.0.94  255.255.255.255         On-link      192.168.0.94    266
    192.168.0.255  255.255.255.255         On-link      192.168.0.94    266
      192.168.1.0    255.255.255.0         On-link     192.168.1.250    276
    192.168.1.250  255.255.255.255         On-link     192.168.1.250    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.250    276
      192.168.2.0    255.255.255.0         On-link     192.168.2.250    276
    192.168.2.250  255.255.255.255         On-link     192.168.2.250    276
    192.168.2.255  255.255.255.255         On-link     192.168.2.250    276
     192.168.10.0    255.255.255.0    192.168.1.254    192.168.1.250    275
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.94    266
        224.0.0.0        240.0.0.0         On-link     192.168.1.250    276
        224.0.0.0        240.0.0.0         On-link     192.168.2.250    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.94    266
  255.255.255.255  255.255.255.255         On-link     192.168.1.250    276
  255.255.255.255  255.255.255.255         On-link     192.168.2.250    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  Default
===========================================================================

Any ideas would be greatly appreciated.  C
CreodusAsked:

rustamonlineCommented:
In your remote router, the 192.168.0.0/24 and 192.168.2.0/24 routes are absent. You must specify these routes to go through the VPN. Usually you specify routes in the VPN profile. It would also be better if you posted a physical map of your network.

Regards,
Rustamjon Mukhammadiyev.
0
CreodusAuthor Commented:
Rustamjon

That makes sense - I have tried to attempt this with the remote router, but I am having trouble configuring its interfaces so far - I need more detail on this Draytek but cannot find the solution to setting it up this way.

I'll check again later and get back to you.

Thanks, C
0
rustamonlineCommented:
You can specify subnets to route over VPN in VPN profile.
0
CreodusAuthor Commented:
Where is this VPN profile in the Draytek Vigor 2820 settings for VPN?  I cannot find it anywhere.  The VPN setup pages for LAN to LAN provide no obvious option for routing over other subnets.

You can set a Static Route but the only option here is WAN or LAN and not VPN.

C
0
rustamonlineCommented:
Have you configured LAN-to-LAN IPSec tunnel ?
0
rustamonlineCommented:
If you configure a LAN-to-LAN IPsec tunnel, you can specify which subnets should be routed over the tunnel. In the attached screenshot you can see the More button. There you can specify as many subnets as you want.
Capture.PNG
1
CreodusAuthor Commented:
I have reconfigured both ends of the tunnel to be an IPSec tunnel and on the Remote Router added the two subnets as per your image above.

Results
Routing table (part) of Remote Router:
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S~        192.168.0.0/   255.255.255.0 via external IP,    VPN
S~        192.168.1.0/   255.255.255.0 via external IP,    VPN
S~        192.168.2.0/   255.255.255.0 via external IP,    VPN

So I am connected as you required.  

However, I can now ping clients on the 2.0/24 subnet from the 10.0/24 subnet OK from inside the Remote Router and remote client PCs.  But I cannot ping any clients on the 0.0/24 subnet from the Remote Router or remote client PCs.

I did not remove the two static routes I originally setup in the Remote Router to 2.0/24 and 0.0/24 - does this matter?

Thanks, C
0
CreodusAuthor Commented:
Rustamjon
Sorry I posted too soon - I hadn't checked the Office Router - it needed its Static Routes refreshed and once this was done, the Remote Router and remote clients on 10.0/24 could ping 2.0/24 and 0.0/24

Nice job and thanks for the guidance and picture, C
0
CreodusAuthor Commented:
Thank you very much for your prompt replies - glad that someone out there knows Draytek Routers so well, C
0
rustamonlineCommented:
You are welcome. Have a good day.
0
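
The routing change discussed in the thread above can be checked with a longest-prefix-match lookup over the Remote Office tables. This is an added example, not part of any participant's post: the two tables are constructed from the ones posted in the thread (the "external IP" host routes are left out), and the three host addresses are hypothetical. It shows that before the fix a packet for 192.168.2.0/24 matches only the default route and leaves via WAN1 instead of the tunnel.

```python
import ipaddress

# Constructed from the Remote Office tables posted in the thread
# ("external IP" host routes omitted; the default route is kept).
BEFORE = """\
*   0.0.0.0/ 0.0.0.0 via external IP, WAN1
C~  192.168.10.0/ 255.255.255.0 is directly connected, LAN
S   192.168.0.0/ 255.255.255.0 via 192.168.1.254, LAN
C~  192.168.1.254/ 255.255.255.255 is directly connected, VPN
S~  192.168.1.0/ 255.255.255.0 via 192.168.1.254, VPN
"""
AFTER = """\
*   0.0.0.0/ 0.0.0.0 via external IP, WAN1
C~  192.168.10.0/ 255.255.255.0 is directly connected, LAN
S~  192.168.0.0/ 255.255.255.0 via external IP, VPN
S~  192.168.1.0/ 255.255.255.0 via external IP, VPN
S~  192.168.2.0/ 255.255.255.0 via external IP, VPN
"""

def parse_table(text):
    """Parse 'flags dest/ mask ..., IFACE' lines into (network, interface)."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, iface = line.rsplit(",", 1)
        fields = head.split()
        dest = fields[1].rstrip("/")
        mask = fields[2]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface.strip()))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: return the egress interface for addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches)[1] if matches else None

def egress_report(table, hosts):
    """Map each host to the interface the table would send it out of."""
    routes = parse_table(table)
    return {h: lookup(routes, h) for h in hosts}

# Hypothetical host addresses, one in each Main Office subnet.
HOSTS = ["192.168.0.10", "192.168.1.250", "192.168.2.10"]

if __name__ == "__main__":
    print("before:", egress_report(BEFORE, HOSTS))
    print("after: ", egress_report(AFTER, HOSTS))
```

Any private destination that resolves to WAN1 in such a report is traffic that would bypass the IPsec tunnel.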