Routing local subnets over VPN - Draytek to Cisco

I have a Draytek 2860 router with an IPsec VPN connection to a Cisco router in a data centre.

There are 3 local subnets set up on the router that need to access the VPN tunnel - 192.168.10.0/24, 192.168.11.0/24 and 192.168.13.0/24

There is a single subnet at the Cisco end. 192.168.10.0/24 is set up as the Draytek's local network ID in the VPN settings.

I can ping hosts on the Cisco subnet from hosts on 192.168.10.0/24, but nothing responds when using 11.0 and 13.0.

Doing traceroutes, I can see that traffic from the different subnets is going out through the three different router IPs - 10.1, 11.1 and 13.1.

As 11.1 and 13.1 are interfaces on the same box as 10.1 and there's a routing table entry to the Cisco's subnet, I can't understand why traffic isn't being routed through the VPN.

I have tried adding a route policy to force anything with a destination IP on the Cisco's subnet to be sent down the VPN - but that had no effect.

Are there some specific settings that need to be used in this scenario?
devon-ladAsked:
JustInCaseCommented:
Do all routers have all the needed routes so traffic can reach its destination (and the way back)?
Routers on the other side also need to know the way back to your network, so the first step is to check the routing tables of all routers that need to forward traffic.
Also, an ACL could be blocking traffic.
devon-ladAuthor Commented:
No ACLs at the moment and correct routes at each end.
JustInCaseCommented:
Are packets for VPN networks (interested traffic) excluded from NAT?
devon-ladAuthor Commented:
I'm making the assumption that the guys at the hosting provider have configured the Cisco router correctly - so any misconfiguration must be with the Draytek.

On the Draytek, each subnet is configured "For NAT usage" and not "For routing usage".

So I'm guessing from your question that only the 10.1 subnet should be set "For NAT usage" and the others "For routing usage"?

I've only ever used this functionality on the Drayteks when routing multiple public IPs.
JustInCaseCommented:
I am not sure how to do that in a Draytek router, but the basic principle for a VPN is the same.
Interesting traffic that is directed through the tunnel probably should not be encrypted.
On the Draytek, each subnet is configured "For NAT usage" and not "For routing usage".
I am not sure that this should solve anything, since just some part of the traffic from those subnets is directed to the VPN tunnel and other traffic could be for NAT usage, but sure, you can try it anyway.
Check whether there is a NAT configuration somewhere in the options.
devon-ladAuthor Commented:
Yes, it didn't seem like the right thing to do - tried it anyway, but no effect.

There are no NAT settings apart from things like port redirection, port triggering, DMZ etc.
JustInCaseCommented:
Since I don't know enough about Draytek, I can only point you to their VPN support link.
devon-ladAuthor Commented:
Draytek support say "have you tried 2 Drayteks".  There is an option to add additional remote subnets in the VPN profile - so if you had two then this would solve the problem.  Leads me to believe the functionality is not implemented for use with non-Draytek routers.
JustInCaseCommented:
Looks like the functionality is implemented, or at least should be implemented.
Vigor - Cisco
devon-ladAuthor Commented:
It's not a problem getting a VPN connection between a Draytek and a Cisco ASA with one subnet at each end or multiple subnets at the Cisco end.

Given that it works with a Draytek at both ends by each router specifying the other's additional subnets in the VPN profile - could it be something has been missed off at the Cisco end?  The hosting provider say they have added all subnets to the "encryption domain" - maybe there's another step to this?
devon-ladAuthor Commented:
Ended up getting this working by specifying the local network on the Draytek VPN profile as a supernet to cover all subnets.  Then the Draytek brought up one tunnel for each subnet - under the same VPN profile.

So for 192.168.10.0/24, 11.0/24 and 13.0/24 I used 192.168.8.0/21
Benjamin Van DitmarsCommented:
When you add a second subnet to an IPsec VPN you will always get a second phase 2 object.
On your router you will have

192.168.10.0/24 -> cisco side/x
192.168.11.0/24 -> cisco side/x
192.168.8.0/24 -> cisco side/x

On the firewall/router on the other side they also must configure the 3 phase 2 parts,
else your Draytek is not even trying to send traffic to the tunnel.
devon-ladAuthor Commented:
Benjamin - I don't quite understand your comment - "3 phase 2 parts".

You mean something else is required on the Draytek?  Because it already works.
Benjamin Van DitmarsCommented:
Then they have a configuration as I tried to describe.

Normally a VPN tunnel has a phase 1; this is your IKE, your virtual cable.
And then every subnet you want to push over the tunnel is called a phase 2.
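The following is an added example, not code from the thread, from Draytek or from Cisco. It models the per-subnet phase 2 selectors Benjamin describes and the supernet fix in the accepted comment with Python's ipaddress module, so the before/after can be reproduced without either router. Only the three LAN subnets and the 192.168.8.0/21 supernet come from the thread; the Cisco-side subnet 10.20.0.0/24, the probe host addresses, the strict mirror-image matching rule (IKEv1-style, where the responder must hold the exact reverse of each proposed pair, no narrowing) and the rule that a supernet local network is expanded into the LAN subnets it covers (modelled on the asker's observation of one tunnel per subnet under one profile) are assumptions made for the demonstration.

```python
"""Added example (not from the thread): model the per-subnet IPsec
phase 2 selectors a site-to-site tunnel needs and reproduce why hosts on
192.168.11.0/24 and 192.168.13.0/24 got no reply while 192.168.10.0/24
worked.  Assumed for the demo: the Cisco-side subnet, the probe host
addresses and strict mirror-image selector matching."""
from ipaddress import ip_address, ip_network

# From the thread: the three LAN subnets behind the Draytek.
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.13.0/24"]
# Assumed: the thread never names the data-centre subnet or its hosts.
REMOTE_SUBNET = "10.20.0.0/24"
REMOTE_HOST = "10.20.0.10"
# The hosting provider said every subnet was added to the encryption
# domain, i.e. one (cisco local, cisco remote) entry per LAN subnet.
CISCO_DOMAIN = [(REMOTE_SUBNET, lan) for lan in LOCAL_SUBNETS]


def covering_supernet(cidrs):
    """Smallest single prefix that contains every network in cidrs."""
    nets = [ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()      # widen by one bit
    return str(candidate)


def uncovered_space(supernet, cidrs):
    """Ranges inside supernet that are none of cidrs.  Using a supernet
    as the VPN's local network pulls these into the encryption domain
    too, which matters if another site or tunnel already uses them."""
    leftover = [ip_network(supernet)]
    for c in map(ip_network, cidrs):
        nxt = []
        for blk in leftover:
            nxt.extend(blk.address_exclude(c) if c.subnet_of(blk) else [blk])
        leftover = nxt
    return [str(n) for n in sorted(leftover)]


def negotiate_phase2(proposals, responder_domain):
    """Child SAs that come up.  Assumes strict (IKEv1-style) matching:
    the responder must hold the exact mirror image of each (local,
    remote) pair the initiator proposes; no narrowing."""
    def norm(pair):
        return tuple(str(ip_network(x)) for x in pair)
    domain = {norm(p) for p in responder_domain}
    return [norm(p) for p in proposals if norm(p)[::-1] in domain]


def matching_selector(sas, src, dst):
    """The SA whose selectors cover src -> dst, or None.  With no match
    the packet is never encrypted; it follows the ordinary routing
    table, which is what the asker saw as "nothing responds"."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in sas:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def draytek_proposals(local_network_id, remote):
    """Selectors offered for one profile.  Per the thread, a supernet as
    local network brought up one tunnel per real subnet under that
    profile, so expand it into the LAN subnets it covers (assumption:
    only subnets actually configured on the box are offered)."""
    ln = ip_network(local_network_id)
    covered = [c for c in LOCAL_SUBNETS if ip_network(c).subnet_of(ln)]
    return [(c, remote) for c in covered]


def scenario(local_network_id):
    """Bring the tunnel up with this local network ID and probe one host
    per LAN subnet against the remote host."""
    sas = negotiate_phase2(draytek_proposals(local_network_id, REMOTE_SUBNET),
                           CISCO_DOMAIN)
    probes = ["192.168.10.5", "192.168.11.5", "192.168.13.5"]   # assumed hosts
    reachable = [p for p in probes if matching_selector(sas, p, REMOTE_HOST)]
    return {"sas": len(sas), "reachable": reachable}


if __name__ == "__main__":
    print(covering_supernet(LOCAL_SUBNETS))                  # 192.168.8.0/21
    print(uncovered_space("192.168.8.0/21", LOCAL_SUBNETS))
    print(scenario("192.168.10.0/24"))   # 1 SA, only 192.168.10.5 reachable
    print(scenario("192.168.8.0/21"))    # 3 SAs, all three reachable
    # Caveat: one /21 selector has no mirror in a per-/24 domain.
    print(negotiate_phase2([("192.168.8.0/21", REMOTE_SUBNET)], CISCO_DOMAIN))
```

The two scenario() calls are the before and after. With 192.168.10.0/24 as the local network ID only one child SA is negotiated, so a packet from 192.168.11.x matches no selector, is never encrypted and leaves by the normal routing table; in a policy-based IPsec setup neither a static route nor a route policy can push a packet into the tunnel, only a selector match does. With the /21 the three per-subnet SAs come up and all three probes match. The last call is the caveat: had the Draytek offered the /21 as a single selector, a peer holding per-/24 entries would reject it under strict matching, and uncovered_space() lists the extra address space (192.168.8.0/23, 192.168.12.0/24, 192.168.14.0/23) the /21 drags into the encryption domain.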
devon-ladAuthor Commented:
Help provided by other experts, but my comment gives the clearest indication on how the problem was resolved.