Routing local subnets over VPN - Draytek to Cisco

Have a Draytek 2860 router with an IPSEC VPN connection to a Cisco router in a data centre.

There are 3 local subnets setup on the router that need to access the VPN tunnel - 192.168.10.0/24, 192.168.11.0/24 and 192.168.13.0/24

There is a single subnet at the Cisco end.  192.168.10.0/24 is setup as the Draytek's local network ID in the VPN settings.  

I can ping hosts on the Cisco subnet from hosts on 192.168.10.0/24, but nothing responds when using 11.0 and 13.0.

Doing trace routes I can see that traffic from the different subnets is going out through the three different router IPs - 10.1, 11.1 and 13.1.

As 11.1 and 13.1 are interfaces on the same box as 10.1 and there's a routing table entry to the Cisco's subnet, I can't understand why traffic isn't being routed through the VPN.

Have tried adding a route policy to force anything with a destination IP on the Cisco's subnet to be sent down the VPN - but that had no effect.

Is there some specific settings that need to be used in this scenario?
devon-lad asked:
JustInCase commented:
Do all routers have all the needed routes so traffic can reach the destination (and the way back)?
Routers on the other side also need to know the way back to your network, so the first step is to check the routing tables of all routers that need to forward traffic.
Also, an ACL could be blocking traffic.
devon-lad (author) commented:
No ACLs at the moment and correct routes at each end.
JustInCase commented:
Are packets for VPN networks (interested traffic) excluded from NAT?
devon-lad (author) commented:
I'm making the assumption that the guys at the hosting provider have configured the Cisco router correctly - so any misconfiguration must be with the Draytek.

On the Draytek, each subnet is configured "For NAT usage" and not "For routing usage".

So I'm guessing from your question that only the 10.1 subnet should be set "For NAT usage" and the others "For routing usage" ?  

I've only ever used this functionality on the Drayteks when routing multiple public IPs.
JustInCase commented:
I am not sure how to do that in a Draytek router, but the basic principle for VPN is the same.
Interesting traffic that is directed through the tunnel probably should not be NATed.
On the Draytek, each subnet is configured "For NAT usage" and not "For routing usage".
I am not sure that this will solve anything, since only some of the traffic from those subnets is directed to the VPN tunnel and the other traffic could be for NAT usage, but sure, you can try it anyway.
Check whether there is a NAT configuration somewhere in the options.
devon-lad (author) commented:
Yes, it didn't seem like the right thing to do - tried it anyway, but no effect.

There's no NAT settings apart from stuff like port redirection, port triggering, dmz etc.
JustInCase commented:
Since I don't know enough about Draytek I can only point you to their VPN support link.
devon-lad (author) commented:
Draytek support say "have you tried 2 Drayteks".  There is an option to add additional remote subnets in the VPN profile - so if you had two then this would solve the problem.  Leads me to believe the functionality is not implemented for use with non-Draytek routers.
JustInCase commented:
Looks like functionality is implemented, at least, should be implemented.
Vigor - Cisco
devon-lad (author) commented:
It's not a problem getting a VPN connection between a Draytek and a Cisco ASA with one subnet at each end or multiple subnets at the Cisco end.

Given that it works with a Draytek at both ends by each router specifying the other's additional subnets in the VPN profile - could it be something has been missed off at the Cisco end?  The hosting provider say they have added all subnets to the "encryption domain" - maybe there's another step to this?
devon-lad (author) commented:
Ended up getting this working by specifying the local network on the Draytek VPN profile as a supernet to cover all subnets.  Then the Draytek brought up one tunnel for each subnet - under the same VPN profile.

So for 192.168.10.0/24, 11.0/24 and 13.0/24, I used 192.168.8.0/21.

Benjamin Van Ditmars (Sr Network Engineer) commented:
When you add a second subnet to an IPsec VPN you will always get a second phase 2 object.
On your router you will have

192.168.10.0/24 -> cisco side/x
192.168.11.0/24 -> cisco side/x
192.168.8.0/24 -> cisco side/x

On the firewall/router on the other side they also must configure the 3 phase 2 parts,
else your Draytek is not even trying to send traffic to the tunnel.
devon-lad (author) commented:
Benjamin - don't quite understand your comment - "3 phase 2 parts".

You mean something else is required on the Draytek?  Because it already works.
Benjamin Van Ditmars (Sr Network Engineer) commented:
Then they have a configuration like the one I am trying to describe.

Normally a VPN tunnel has a phase 1; this is your IKE, your virtual cable.
And then every subnet you want to push over the tunnel is called a phase 2.
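The two points above (devon-lad's /21 supernet covering the three LANs, and Benjamin's "one phase 2 per subnet pair") can be checked before touching either router. The following is an added example, not code from the thread or from Draytek/Cisco: it computes the smallest supernet that covers the Draytek-side LANs, lists the extra address space that supernet drags into the tunnel's traffic selector, checks that it does not overlap the remote side, and enumerates the local/remote phase 2 selector pairs both ends must agree on. The Cisco-side subnet is not given on the page, so `192.168.100.0/24` is an assumed placeholder; the Draytek-side subnets are the three from the question.

```python
import ipaddress
from itertools import product

# Constructed from the thread: the three Draytek-side LANs from the question.
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24"]
# The Cisco-side subnet is not stated on the page; this is an assumed placeholder.
REMOTE_SUBNETS = ["192.168.100.0/24"]


def smallest_supernet(cidrs):
    """Smallest single prefix that contains every given network.

    Starts from the first network and widens it one bit at a time until all
    networks are inside it (supernet() of 0.0.0.0/0 returns itself, so this
    always terminates).
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def uncovered(supernet, cidrs):
    """Address space inside `supernet` that is NOT one of the real LANs.

    Anything listed here will now match the tunnel's traffic selector, so a
    route to such a range (e.g. another site, a guest VLAN) would be pulled
    into the VPN. Worth reviewing before widening a local network ID.
    """
    remaining = [supernet]
    for c in cidrs:
        n = ipaddress.ip_network(c)
        new = []
        for r in remaining:
            if r.subnet_of(n):          # r is entirely a real LAN: drop it
                continue
            if n.subnet_of(r):          # carve the LAN out of r
                new.extend(r.address_exclude(n))
            else:                       # disjoint: keep as is
                new.append(r)
        remaining = new
    return sorted(ipaddress.collapse_addresses(remaining))


def selector_conflicts(local_net, remote_cidrs):
    """Remote subnets that overlap the local selector.

    A local/remote overlap makes the phase 2 selector ambiguous: traffic for
    the remote side could be treated as local (or vice versa) on either box.
    """
    remotes = (ipaddress.ip_network(c) for c in remote_cidrs)
    return [r for r in remotes if local_net.overlaps(r)]


def phase2_selectors(local_cidrs, remote_cidrs):
    """One (local, remote) pair per phase 2 SA, which both ends must mirror.

    With a single remote subnet and three local ones this yields three pairs,
    matching the observation that the Draytek brought up one tunnel per subnet.
    """
    locals_ = [ipaddress.ip_network(c) for c in local_cidrs]
    remotes = [ipaddress.ip_network(c) for c in remote_cidrs]
    return [(str(l), str(r)) for l, r in product(locals_, remotes)]


if __name__ == "__main__":
    net = smallest_supernet(LOCAL_SUBNETS)
    print("local network ID for the VPN profile:", net)
    print("extra ranges that selector also covers:",
          [str(n) for n in uncovered(net, LOCAL_SUBNETS)])
    print("conflicts with remote side:",
          [str(n) for n in selector_conflicts(net, REMOTE_SUBNETS)])
    for local, remote in phase2_selectors(LOCAL_SUBNETS, REMOTE_SUBNETS):
        print(f"phase 2: {local} <-> {remote}")
```

Run as-is it reports `192.168.8.0/21` as the covering prefix, shows that `192.168.8.0/23`, `192.168.12.0/24` and `192.168.14.0/23` come along for the ride, and finds no conflict with the placeholder remote subnet; swap the remote subnet for something inside that /21 and `selector_conflicts` flags it, which is the case where the supernet shortcut must not be used.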
devon-lad (author) commented:
Help provided by other experts, but my comment gives the clearest indication on how the problem was resolved.