Routing VLANs through VPN

Hello Experts,
I have two networks connected by a static VPN. The networks are in offices with a single static IP address each.
Each network is served for Internet service by a Comcast cable modem with at least 25/5 speeds in pass-through mode.
Each network is configured on a Cisco RV 220 W. Each Cisco RV 220 W is in Gateway mode (NAT).
Each Cisco RV 220 W is configured with the default VLAN (1) and a second VLAN (2) for voice over IP.
All ports needing tagging for VLAN 2 (voice) are tagged on all switches and the 2 routers.
Network one (the company headquarters) VLAN one has an inside interface address of 192.168.16.x/24. Network one VLAN two has an inside interface address of 192.168.160.x/24.
Network two (the remote office) VLAN one has an inside interface address of 192.168.17.x/24. Network two VLAN two has an inside interface address of 192.168.170.x/24.
VLAN one in each network is dedicated for data. VLAN two in each network is dedicated for voice.
Network one is the company headquarters and houses the ShoreTel voice over IP server. The company headquarters is in production with the new ShoreTel IP telephone system.
The ShoreTel voice server with address 192.168.160.10 can ping any node on the 192.168.16.x network, and any node on the 192.168.16.x network can ping the ShoreTel server.
Any node on Network two with an address of 192.168.17.x can ping any 192.168.16.x address across the VPN, and vice versa any node on network one can ping any address on the 192.168.16.x network. No node on the 192.168.17.x network can ping the ShoreTel voice server across the VPN at the address 192.168.160.10, and vice versa the ShoreTel voice server on the 192.168.160.x network cannot ping either the gateway or any node on the 192.168.17.x network.
There are two possibilities here as far as connecting the ShoreTel server to the remote office where IP phones are intended to be installed. Number one is to utilize VLAN two on the remote network to connect the IP phones to, or for option number two VLAN two can be deleted on the remote network (192.168.17.x) and the data network on VLAN one can be used for the three telephones that will be placed there.
Additionally the Cisco RV 220 W may be limited by the fact that it may only be able to route traffic across the VPN on the primary VLAN number one. Option number two is what is needed at a minimum here to provision the three IP phone telephones in the remote office.
The interfaces on which routing can be configured are the WAN interface, the VLAN one interface, and the VLAN two interface.
Routing table of main office RV220W with the ShoreTel voice server:
Destination     Gateway         Genmask          Metric  Ref  Use  Interface  Type     Flags
127.0.0.1       127.0.0.1       255.255.255.255  1       0    0    lo         Static   UP,Gateway,Host
23.x.x.x        0.0.0.0         255.255.255.252  0       0    0    eth1       Dynamic  UP
23.x.x.x        23.x.x.x        255.255.255.252  1       0    0    eth1       Dynamic  UP,Gateway
192.168.160.0   0.0.0.0         255.255.255.0    0       0    0    bdg2       Dynamic  UP
192.168.160.0   192.168.160.1   255.255.255.0    1       0    0    bdg2       Dynamic  UP,Gateway
192.168.16.0    0.0.0.0         255.255.255.0    0       0    0    bdg1       Static   UP
192.168.16.0    192.168.16.1    255.255.255.0    1       0    0    bdg1       Static   UP,Gateway
2xx.0.0.0       0.0.0.0         255.0.0.0        0       0    0    bdg1       Dynamic  UP
0.0.0.0         23.x.x.x        0.0.0.0          0       0    0    eth1       Dynamic  UP,Gateway

Routing table of the remote office Cisco RV220W:
Kernel IP routing table
Destination     Gateway         Genmask          Metric  Ref  Use  Interface  Type     Flags
127.0.0.1       127.0.0.1       255.255.255.255  1       0    0    lo         Static   UP,Gateway,Host
96.x.x.x        0.0.0.0         255.255.255.252  0       0    0    eth1       Dynamic  UP
96.92.186.32    96.x.x.x        255.255.255.252  1       0    0    eth1       Dynamic  UP,Gateway
10.1.10.0       96.x.x.x        255.255.255.0    2       0    0    eth1       Static   UP,Gateway
192.168.17.0    0.0.0.0         255.255.255.0    0       0    0    bdg1       Dynamic  UP
192.168.17.0    192.168.17.1    255.255.255.0    1       0    0    bdg1       Dynamic  UP,Gateway
192.168.170.0   0.0.0.0         255.255.255.0    0       0    0    bdg2       Static   UP
192.168.170.0   192.168.170.1   255.255.255.0    1       0    0    bdg2       Static   UP,Gateway
0.0.0.0         96.x.x.x        0.0.0.0          0       0    0    eth1       Dynamic  UP,Gateway

Question: what additional routes or other configuration need to be added/changed to meet at least the minimum requirement using option number two for both Cisco RV 220 W's, to allow the ShoreTel server at 192.168.160.10 to see any node on the 192.168.17.x network across the VPN?

Thank you in advance.
jsvarga88 Asked:
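The two routing tables in the question already say something about how the VPN is forwarding: neither table has an entry for the other site's LANs, yet data-to-data ping works across the tunnel. The following is an added worked example for this thread (not output or configuration from either RV220W): it parses a table in the printed layout and resolves destinations the way a router would, longest prefix first, lowest metric on ties. The LAN rows are copied from the HQ table; the 23.x.x.x WAN addresses are replaced by constructed placeholders from 203.0.113.0/30. The lookups show that 192.168.17.0/24 and 192.168.170.0/24 fall through to the default route on eth1 at HQ, so on this kind of policy-based tunnel it is the VPN's local/remote subnet definition on the WAN side, not a routing-table entry, that decides whether a packet is encrypted.

```python
"""Longest-prefix route lookup over tables in the layout the RV220W prints
(Destination / Gateway / Genmask / Metric / Ref / Use / Interface / Type / Flags).

Added example for this thread, not output or configuration from either router.
LAN rows are copied from the HQ table in the question; the 23.x.x.x WAN
addresses are constructed placeholders from the 203.0.113.0/30 documentation range."""
from ipaddress import ip_address, ip_network

HQ_ROUTING_TABLE = """\
Destination     Gateway         Genmask          Metric  Ref  Use  Interface  Type     Flags
127.0.0.1       127.0.0.1       255.255.255.255  1       0    0    lo         Static   UP,Gateway,Host
203.0.113.0     0.0.0.0         255.255.255.252  0       0    0    eth1       Dynamic  UP
203.0.113.0     203.0.113.1     255.255.255.252  1       0    0    eth1       Dynamic  UP,Gateway
192.168.160.0   0.0.0.0         255.255.255.0    0       0    0    bdg2       Dynamic  UP
192.168.160.0   192.168.160.1   255.255.255.0    1       0    0    bdg2       Dynamic  UP,Gateway
192.168.16.0    0.0.0.0         255.255.255.0    0       0    0    bdg1       Static   UP
192.168.16.0    192.168.16.1    255.255.255.0    1       0    0    bdg1       Static   UP,Gateway
0.0.0.0         203.0.113.1     0.0.0.0          0       0    0    eth1       Dynamic  UP,Gateway
"""


def parse_routes(text):
    """Turn the printed table into route dicts; header and non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0][0].isdigit():
            continue
        dest, gateway, genmask, metric, iface = parts[0], parts[1], parts[2], int(parts[3]), parts[6]
        routes.append({
            "net": ip_network(f"{dest}/{genmask}", strict=False),
            "gateway": gateway,
            "metric": metric,
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def next_hop(routes, dst):
    """(interface, gateway, kind) for dst, or None if nothing matches."""
    r = lookup(routes, dst)
    if r is None:
        return None
    if r["net"].prefixlen == 0:
        kind = "default"
    elif r["gateway"] == "0.0.0.0":
        kind = "connected"
    else:
        kind = "via-gateway"
    return (r["iface"], r["gateway"], kind)


def subnets_using_default_route(routes, subnets):
    """Subnets (as 'a.b.c.d/len' strings) that this table only reaches via the default route."""
    return [s for s in subnets
            if next_hop(routes, str(ip_network(s).network_address))[2] == "default"]


if __name__ == "__main__":
    routes = parse_routes(HQ_ROUTING_TABLE)
    for host in ("192.168.160.10", "192.168.16.20", "192.168.17.20", "192.168.170.20"):
        print(f"{host:16} -> {next_hop(routes, host)}")
    print("only reachable via default route:",
          subnets_using_default_route(routes, ["192.168.17.0/24", "192.168.170.0/24"]))
```

Run as-is and the remote-office subnets come out as "default" on eth1, which is consistent with the question's symptoms: the data subnet is carried by the tunnel's subnet pair, and 192.168.160.0/24 simply is not part of that pair.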

arnold Commented:
One option is an interesting-traffic rule that deals with segment to segment:

192.168.160.0 255.255.255.0 192.168.170.0 255.255.255.0
Within the VPN, QoS to prioritize voice over data, similar to the QoS on the existing router.

Similar for the data.

I am unfamiliar with, one option might be to use routing over VPN.
Fred Marshall (Principal) Commented:
If I understand your objective, it seems to me that you simply need two VPNs:
One for the data LANs
and
One for the voice LANs.

To summarize:

192.168.16.0/24 at main site for data.
192.168.160.0/24 at main site for voice.
These have routing between them so they can communicate.

192.168.17.0/24 at remote site for data.
192.168.170.0/24 at remote site for voice.
These may or may not have routing between them .....  not clear is all.

192.168.16.0/24 and 192.168.17.0/24 are interconnected via a VPN tunnel which I will call VPN_VLAN1.

192.168.160.0/24 and 192.168.170.0/24 are NOT interconnected via a VPN tunnel.
First thing I would do is set up another VPN tunnel between these two subnets.
There may be another way but this seems simple and direct.
I'd do that because VPN are terminated with a particular subnet.  So doing this would surely create that connection.  Let's call this VPN_VLAN2

Then you may need to connect with routing:
192.168.17.0 to 192.168.170.0.

Then, if you want:
192.168.16.0 to connect to 192.168.170.0
and
192.168.17.0 to connect to 192.168.160.0
These are probably only a matter of routing.

Packets from 192.168.16.0 destined for 192.168.170.0 would be directed to the VPN_VLAN2 tunnel.
Packets from 192.168.17.0 destined for 192.168.160.0 would be directed to the VPN_VLAN2 tunnel.
Packets from 192.168.160.0 destined for 192.168.17.0 would be directed to the VPN_VLAN1 tunnel.
Packets from 192.168.170.0 destined for 192.168.16.0 would be directed to the VPN_VLAN1 tunnel.

Since the Cisco routers are both the VPN terminations AND the internet routers, there's no concern that the packets won't be leaving and arriving on those gateways.  This means you shouldn't need to have special routes or firewall rules as the leaving packets will be consistent with the arriving packets as far as the router's rules are concerned.  Also, you needn't add routes for things that are "known" in the routers.
If the VPN devices were separate from the internet gateway devices, then you would have to deal with those things.

arnold Commented:
Would it not be the case for a single tunnel with distinct IP segment to IP segment access lists?

Data to data
Voice to voice
Cross segment traffic pattern will not match the VPN rule and will not be allowed to enter the VPN.

Fred Marshall (Principal) Commented:
Cross segment traffic pattern will not match the VPN rule and will not be allowed to enter the VPN.
Yes.  That's correct and understandable and something I was hoping to avoid.

The thinking went like this:
If you want to reach a remote subnet then you have to have a VPN that originates and terminates in the VPN-specified subnets.

I suppose in this case you could set up 4 VPNs:
Source subnet          Destination subnet
Site 1 VLAN1             Site 2 VLAN1
Site 1 VLAN1             Site 2 VLAN2
Site 1 VLAN2             Site 2 VLAN1
Site 1 VLAN2             Site 2 VLAN2

This may be overkill but at least it's simple in concept and understandable.
My hope, without working it all out, was that routing would take care of some of it. But perhaps not.
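The disagreement above (two tunnels versus one tunnel with segment-to-segment access lists, and the four-row table of subnet pairs) comes down to which local/remote subnet pairs the tunnel's "interesting traffic" definition covers. The following is an added example for this thread, not code or configuration from any of the participants and not RV220W configuration: it models a tunnel as a list of (local, remote) subnet pairs, with the remote router assumed to hold the mirror image of each pair, and reports which flows would be dropped under each proposal. Subnets are the ones from the thread; the host addresses are constructed, except the ShoreTel server at 192.168.160.10. It also works out the minimum pair set for the question's "option two" (phones on 192.168.17.x), which none of the replies spells out.

```python
"""Model of site-to-site VPN traffic selectors (the tunnel's local/remote
subnet pairs) for the four VLANs discussed in this thread.

Added example; not configuration from either RV220W and not any reply's code.
Subnets come from the question; host addresses other than the ShoreTel server
are constructed."""
from ipaddress import ip_address, ip_network

HQ_DATA = ip_network("192.168.16.0/24")
HQ_VOICE = ip_network("192.168.160.0/24")
RO_DATA = ip_network("192.168.17.0/24")
RO_VOICE = ip_network("192.168.170.0/24")


def enters_tunnel(selectors, src, dst):
    """True if a packet src->dst matches one (local, remote) pair at HQ.
    The remote router is assumed to hold the mirror image, so a pair
    covers traffic in both directions."""
    src, dst = ip_address(src), ip_address(dst)
    return any((src in local and dst in remote) or (src in remote and dst in local)
               for local, remote in selectors)


# Constructed sample flows; 192.168.160.10 is the server address from the thread.
FLOWS = {
    "hq_data -> ro_data": ("192.168.16.20", "192.168.17.20"),
    "voice_server -> ro_data": ("192.168.160.10", "192.168.17.20"),
    "ro_data -> voice_server": ("192.168.17.20", "192.168.160.10"),
    "voice_server -> ro_voice": ("192.168.160.10", "192.168.170.20"),
    "hq_data -> ro_voice": ("192.168.16.20", "192.168.170.20"),
}


def reachability(selectors):
    """Flow name -> whether that flow would be carried by the tunnel."""
    return {name: enters_tunnel(selectors, s, d) for name, (s, d) in FLOWS.items()}


def dropped_flows(selectors):
    """Sorted names of flows that never match a pair and so stay out of the VPN."""
    return sorted(name for name, ok in reachability(selectors).items() if not ok)


# As the question describes today: one pair, data to data.
TODAY = [(HQ_DATA, RO_DATA)]
# One tunnel, data<->data plus voice<->voice: cross-segment traffic stays out.
SEGMENT_TO_SEGMENT = [(HQ_DATA, RO_DATA), (HQ_VOICE, RO_VOICE)]
# Minimum for "option two" (phones on 192.168.17.x): add HQ voice <-> remote data.
OPTION_TWO_MINIMUM = [(HQ_DATA, RO_DATA), (HQ_VOICE, RO_DATA)]
# The four-row table: every local/remote pair.
FULL_MESH = [(local, remote) for local in (HQ_DATA, HQ_VOICE) for remote in (RO_DATA, RO_VOICE)]

if __name__ == "__main__":
    for label, selectors in [("today", TODAY), ("segment-to-segment", SEGMENT_TO_SEGMENT),
                             ("option two minimum", OPTION_TWO_MINIMUM), ("full mesh", FULL_MESH)]:
        print(f"{label:20} drops: {dropped_flows(selectors) or 'nothing'}")
```

Whether the pairs live in one tunnel as several access-list entries or in several tunnels between the same two public addresses is a product question; the model only shows that the set of pairs, not the number of tunnels, determines which VLAN-to-VLAN flows are carried, and that leaving a pair out silently drops that traffic rather than routing it.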
jsvarga88 (Author) Commented:
So it looks like the 2 VPN solution might be required here, for which I would need at least 1 more IP address per site to effect a VPN between the 2 voice VLANs.
arnold Commented:
The VPN is a site to site whether you set one per ACL defining the pattern or using one VPN with specific ACLs.
The source and destination will always be the wan IPs of the respective routers.

Setting up two VPNs adds unnecessarily to the overhead/bandwidth, and complicates QoS over VPN.
Fred Marshall (Principal) Commented:
Perhaps Arnold and I have different perspectives.
In my experience, the definition of a VPN includes:
1) the terminating public IP addresses ... yes
and also
2) the terminating subnets.

I don't believe you would need more than the existing public IP addresses.
But, you would define each VPN between different local subnets.
I do believe you can't have more than one VPN between the same public address pair and the same local subnet pair.

I must say that I'm making an assumption that your equipment will *accept* the same pair of public IP addresses for more than one VPN as long as one of the local subnets is different.  I haven't set devices up for this so I can't say for sure.  But, if you're in the mode of doing it anyway, it should be easy enough to try.  The RV 220W emulator wouldn't let me try it there....
jsvarga88 (Author) Commented:
It turns out that although the RV220W fully supports routing between VLANs in a particular subnet, it does not support VLANs through VPN.