Routing Subnets over Draytek VPN

Hi All
Struggling with a routing problem using 2 Draytek Vigor2820 which have a VPN between them and three subnets - 2 on one side of one Draytek, 1 on the other Draytek.  The Main Office accepts persistent VPN connection from Remote Office 24/7.  The clients in the Remote Office cannot reach the clients in both subnets in the Main Office.  The clients in the Main Office can reach the clients in the Remote Office.

Main Office Draytek
IP =192.168.1.254
2 subnets have access 192.168.0.0/24 and 192.168.2.0/24 via
NAT GW 192.168.1.250 (RRAS external NIC on 2K8 server)
Static Routes set on Draytek:
192.168.0.0/24 > GW 192.168.0.94 (RRAS internal NIC on 2K8 server)
192.168.0.2/24 > GW 192.168.2.250 (RRAS internal NIC on 2K8 server)
Routing between 1.0/24, 2.0/24 and 0.0/24 all OK within this side.  Also all clients in either 0.0/24 or 2.0/24 can ping any client in 10.0/24 via VPN link.  The Main Office Draytek uses 192.168.1.50 to create its end of the VPN tunnel to 192.168.10.254.

Main Office Draytek Routing Table:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via external IP,   WAN1
*          external IP/ 255.255.255.255 via external IP,   WAN1
S       external IP/ 255.255.255.255 via external IP,   WAN1
S~       192.168.10.0/   255.255.255.0 via 192.168.1.50,    VPN
S         192.168.0.0/   255.255.255.0 via 192.168.0.94,    LAN
C~       192.168.1.50/ 255.255.255.255 is directly connected,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
S         192.168.2.0/   255.255.255.0 via 192.168.2.250,    LAN


Remote Office Draytek
IP =192.168.10.254
1 subnet 192.168.10.0/24 via
GW 192.168.10.254
All clients can ping 192.168.1.250, but can go no further and cannot get to 0.0/24 or 2.0/24 subnets no matter what routes I add to the Remote Office Draytek.  I have tried using a static route of 0.0/24 via 192.168.1.254 and 192.168.1.50 and 192.168.1.250 and the 192.168.0.94 but all give me no ping from Remote to Main.

Remote Office Draytek Routing Table:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via external IP,   WAN1
S       external IP/ 255.255.255.255 via external IP,   WAN1
*         external IP/ 255.255.255.255 via external IP,   WAN1
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S         192.168.0.0/   255.255.255.0 via 192.168.1.254,    LAN
C~      192.168.1.254/ 255.255.255.255 is directly connected,    VPN
S~        192.168.1.0/   255.255.255.0 via 192.168.1.254,    VPN

Routing Table of RRAS Server if required:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.250    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.94    266
     192.168.0.94  255.255.255.255         On-link      192.168.0.94    266
    192.168.0.255  255.255.255.255         On-link      192.168.0.94    266
      192.168.1.0    255.255.255.0         On-link     192.168.1.250    276
    192.168.1.250  255.255.255.255         On-link     192.168.1.250    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.250    276
      192.168.2.0    255.255.255.0         On-link     192.168.2.250    276
    192.168.2.250  255.255.255.255         On-link     192.168.2.250    276
    192.168.2.255  255.255.255.255         On-link     192.168.2.250    276
     192.168.10.0    255.255.255.0    192.168.1.254    192.168.1.250    275
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.94    266
        224.0.0.0        240.0.0.0         On-link     192.168.1.250    276
        224.0.0.0        240.0.0.0         On-link     192.168.2.250    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.94    266
  255.255.255.255  255.255.255.255         On-link     192.168.1.250    276
  255.255.255.255  255.255.255.255         On-link     192.168.2.250    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  Default
===========================================================================

Any ideas would be greatly appreciated.  C
CreodusAsked:
 
rustamonlineCommented:
If you configure a LAN-to-LAN IPsec tunnel, you can specify which subnets should be routed over the tunnel. In the attached screenshot you can see the More button. There you can specify as many subnets as you want.
Capture.PNG
1
 
rustamonlineCommented:
In your remote router, the 192.168.0.0/24 and 192.168.2.0/24 routes are absent. You must specify these routes to go through the VPN. Usually you specify routes in the VPN profile. It would also be better if you posted a physical map of your network.

Regards,
Rustamjon Mukhammadiyev.
0
 
CreodusAuthor Commented:
Rustamjon

That makes sense - I have tried to attempt this with the remote router, but I am having trouble configuring its interfaces so far - I need more detail on this Draytek but cannot find the solution to setting it up this way.

I'll check again later and get back to you.

Thanks, C
0
 
rustamonlineCommented:
You can specify the subnets to route over the VPN in the VPN profile.
0
 
CreodusAuthor Commented:
Where is this VPN profile in the Draytek Vigor 2820 settings for VPN?  I cannot find it anywhere.  The VPN setup pages for LAN to LAN provide no obvious option for routing over other subnets.

You can set a Static Route but the only option here is WAN or LAN and not VPN.

C
0
 
rustamonlineCommented:
Have you configured a LAN-to-LAN IPsec tunnel?
0
 
CreodusAuthor Commented:
I have reconfigured both ends of the tunnel to be an IPSec tunnel and on the Remote Router added the two subnets as per your image above.

Results
Routing table (part) of Remote Router:
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S~        192.168.0.0/   255.255.255.0 via external IP,    VPN
S~        192.168.1.0/   255.255.255.0 via external IP,    VPN
S~        192.168.2.0/   255.255.255.0 via external IP,    VPN

So I am connected as you required.  

However I can now ping clients on the 2.0/24 subnet from the 10.0/24 subnet OK from inside the Remote Router and remote client PCs.  But I cannot ping any clients on 0.0/24 subnet from the Remote Router or remote client PCs.

I did not remove the two static routes I originally setup in the Remote Router to 2.0/24 and 0.0/24 - does this matter?

Thanks, C
0
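As an added illustration (not code from any participant in the thread), this Python sketch parses the Remote Office routing-table lines posted above and applies longest-prefix matching to show which interface each Main Office subnet would leave by, before and after the subnets were added to the IPsec profile. The function names and the `want="VPN"` check are assumptions made for this example.

```python
import ipaddress
import re

# Route lines copied from the thread ("external IP" is the poster's redaction).
REMOTE_BEFORE = """\
*             0.0.0.0/         0.0.0.0 via external IP,   WAN1
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S         192.168.0.0/   255.255.255.0 via 192.168.1.254,    LAN
C~      192.168.1.254/ 255.255.255.255 is directly connected,    VPN
S~        192.168.1.0/   255.255.255.0 via 192.168.1.254,    VPN
"""
REMOTE_AFTER = """\
C~       192.168.10.0/   255.255.255.0 is directly connected,    LAN
S~        192.168.0.0/   255.255.255.0 via external IP,    VPN
S~        192.168.1.0/   255.255.255.0 via external IP,    VPN
S~        192.168.2.0/   255.255.255.0 via external IP,    VPN
"""

ROUTE_RE = re.compile(
    r"^(?P<flags>[*CSR~]+)\s+(?P<net>[\d.]+)/\s*(?P<mask>[\d.]+)\s+"
    r"(?:via (?P<gw>.+?)|is directly connected),\s+(?P<iface>\w+)\s*$")

def parse_table(text):
    """Return [(network, gateway_or_None, interface)] from a Vigor-style dump."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # lines with a redacted or malformed network are skipped
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((net, m["gw"], m["iface"]))
    return routes

def egress(routes, dest):
    """Longest-prefix match: the interface chosen for destination `dest`."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else None

def audit(table, subnets, want="VPN"):
    """Map each subnet to its egress interface; list those not on `want`."""
    routes = parse_table(table)
    result = {s: egress(routes, str(ipaddress.ip_network(s)[1])) for s in subnets}
    return result, [s for s, iface in result.items() if iface != want]

if __name__ == "__main__":
    MAIN = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
    for name, tbl in (("before", REMOTE_BEFORE), ("after", REMOTE_AFTER)):
        print(name, *audit(tbl, MAIN))
```

Under longest-prefix matching, the original table sends 192.168.0.0/24 to the LAN interface and lets 192.168.2.0/24 fall through to the WAN1 default route, so neither subnet enters the tunnel; the later table puts all three on VPN.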
 
CreodusAuthor Commented:
Rustamjon
Sorry I posted too soon - I hadn't checked the Office Router - it needed its Static Routes refreshed and once this was done, the Remote Router and remote clients on 10.0/24 could ping 2.0/24 and 0.0/24

Nice job and thanks for the guidance and picture, C
0
 
CreodusAuthor Commented:
Thank you very much for your prompt replies - glad that someone out there knows Draytek Routers so well, C
0
 
rustamonlineCommented:
You are welcome. Have a good day.
0
Question has a verified solution.
