#1
Hi. I'll try to explain the situation:

We have 3 sites. The "CENTRAL" site (192.168.0.0) has a router which works as VPN server (accepts dial-in), and the 2 other sites, the "OFFICES" (192.168.4.0 and 192.168.7.0), connect to the central site by dialling out to the router that works as VPN server in the central.

The thing is that both OFFICES connect to the CENTRAL without problems; both VPNs work and I can ping any machine from any office to the central. From the central I can ping any machine in both offices.

BUT the problem is that I cannot ping from one office to the other, so both of them connect with the central, but are not connected between themselves. I need to access machines of one office from the other one.

I guess I should use static routes, but I'm not sure in which router to use them and which routes to use.

Thanks in advance.
Puni
#2
You would really need to look at how the VPNs are configured at the branch offices. My guess is that they are configured to send traffic for the central site only through the VPN. If you can add a static route to each router to also send traffic for the "other" site through the VPN, it should work. I presume that they all use 24-bit netmasks.

Another way to handle it would be to use a bundled route. You could change the routes so that the branches send all of 192.168.0.0/16 through the tunnel. This will cover both the central site and the "other" branch. The advantage of this is that, if you add another branch, it still works for them all (as long as you use 192.168.x.0/24 for the new branch).
#3
> If you can add a static route to each router to also send traffic for
> the "other" site through the VPN, it should work. I presume that they all
> use 24-bit netmasks.

How can I do that? This is what I tried:

- Central router VPN receiver = 192.168.0.3 -> this is where all the VPNs connect.
- Branch #1 (where I am) router = 192.168.7.1
- Branch #2 (other branch) router = 192.168.4.1

In 192.168.7.1 I added a static route:
Destination address: 192.168.4.0/24, gateway IP address: 192.168.0.3

If I traceroute to 192.168.4.1 I can only reach 192.168.7.1 at the first step. Nothing else. I can ping 192.168.0.3 without problems from here.

What I need is to connect from my branch to the other ones. It doesn't matter if the other ones are connected between themselves.

Thanks again!
#4
You need to know how your routers work before you can alter their behavior.

On a branch router there will be a route which sends traffic for the central site through the VPN tunnel. You need to find this route and see what interface this traffic is directed to.

When you know how traffic is routed to the central site you can add a similar route to send traffic for another site through the same tunnel by using the same interface address. (You can think of this address as the VPN endpoint.) Or you can alter the route so that it includes traffic for the other branches as well as the central site.

This is a standard method for routing between sites. It is known as "hub and spoke". Think of your branch connections as spokes linking the branches to the central site (or hub). It is like the hub and spokes of a wheel with no rim. The branches have no connection to each other except through the hub.

Each branch will send traffic for the central site and any other branch to the hub. The hub will send traffic directed to another branch back up the correct spoke.
#5
Cool, I've just found my exact case in a Draytek document:

http://www.draytek.com/support/suppo.../chapter13.pdf

The only difference between that and my setup (and the only thing I cannot understand) is the last phrase in the first paragraph of the introduction:

"The subnet of the VPN's configuration of Vigor 3300V must fall into 192.168.0.0/16." ????

What does "subnet of the VPN's configuration" mean? Where does 192.168.0.0/16 fit in this case???

My central network is 192.168.0.0/24, by the way.

Hope to find a solution, and thanks a lot for the help, Bill, it's very appreciated.
#6
Glad you found that article. It is talking about the same thing that I mentioned.

The 192.168.0.0/16 is a bundled route. Because it only has a 16-bit netmask, it covers every IP address which begins with 192.168. That means that every 192.168 address will be sent through the VPN tunnel. That is what you want to happen at the branch routers. Everything goes to the central site. If the traffic belongs to another branch, the central site will send it back through the correct VPN link. The central site has a 24-bit route to each branch site.
#7
Great!
Changed the mask for the VPN connections to 255.255.0.0 and now all the branches connect between themselves perfectly.

Just 2 things, Bill:

1. Would there be any way to make MY branch connect to all the others, but avoid all the others being connected between themselves, in an easy way?
2. Do you have PayPal or something? I owe you one ;0)
#8
Glad to hear you sorted it out. Bundled routes are very useful once you realise how they operate.

Routing is basically a two-way process. Both the originating machine and the target need to know how they can reach the other, or routing fails. Because of this, you can't really use routing to make it a one-way process.
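The hub-and-spoke behaviour described in #4, the bundled route in #6 and the two-way requirement in #8 can all be checked with a small routing simulation. This is an added example, not code from the thread or from DrayTek: the site prefixes, the hub address 192.168.0.3 and the change from a /24 to a /16 tunnel route come from the posts; the route tables, the interface names ("vpn", "vpn-branch7", ...) and the router labels "hub", "branch7" and "branch4" are assumptions chosen to reproduce what the thread describes.

```python
"""Hub-and-spoke routing walk-through for the three sites in this thread.

Constructed example, not DrayTek configuration: prefixes and router roles
come from the posts; route tables, interface names and router labels are
assumptions chosen to reproduce the behaviour the thread describes.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[str, str]]  # (destination prefix, outgoing interface)

# Where each VPN interface terminates. "lan" and "internet" are not tunnels.
LINKS = {
    ("branch7", "vpn"): "hub",
    ("branch4", "vpn"): "hub",
    ("hub", "vpn-branch7"): "branch7",
    ("hub", "vpn-branch4"): "branch4",
}

# The hub (192.168.0.3) has a 24-bit route down each spoke, as in post #6.
HUB: Table = [
    ("192.168.0.0/24", "lan"),
    ("192.168.7.0/24", "vpn-branch7"),
    ("192.168.4.0/24", "vpn-branch4"),
    ("0.0.0.0/0", "internet"),
]


def branch(own: str, tunnel: str) -> Table:
    """A spoke: its own LAN, one prefix through the tunnel, default to the ISP."""
    return [(own, "lan"), (tunnel, "vpn"), ("0.0.0.0/0", "internet")]


# Post #1: each branch tunnels only the central /24.
BEFORE = {"hub": HUB,
          "branch7": branch("192.168.7.0/24", "192.168.0.0/24"),
          "branch4": branch("192.168.4.0/24", "192.168.0.0/24")}
# Post #7: tunnel mask changed to 255.255.0.0, i.e. the bundled 192.168.0.0/16.
AFTER = {"hub": HUB,
         "branch7": branch("192.168.7.0/24", "192.168.0.0/16"),
         "branch4": branch("192.168.4.0/24", "192.168.0.0/16")}
# Only one branch changed: the request arrives but the reply has no route back.
HALF = {"hub": HUB,
        "branch7": branch("192.168.7.0/24", "192.168.0.0/16"),
        "branch4": branch("192.168.4.0/24", "192.168.0.0/24")}


def lookup(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best_len, best_via = -1, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_via = net.prefixlen, via
    return best_via


def forward(tables: Dict[str, Table], start: str, dst: str,
            max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow one packet router by router; return (outcome, routers visited)."""
    path, router = [start], start
    for _ in range(max_hops):
        via = lookup(tables[router], dst)
        if via is None:
            return "no-route", path
        if via == "lan":
            return "delivered", path
        if via == "internet":
            # Private destination handed to the ISP: dropped there, or leaked.
            return "leaked-to-internet", path
        router = LINKS[(router, via)]
        path.append(router)
    return "loop", path


def round_trip(tables: Dict[str, Table], src_router: str, src_ip: str,
               dst_router: str, dst_ip: str) -> str:
    """A ping needs a usable route in both directions (post #8)."""
    out, _ = forward(tables, src_router, dst_ip)
    if out != "delivered":
        return "request " + out
    back, _ = forward(tables, dst_router, src_ip)
    return "ok" if back == "delivered" else "reply " + back


if __name__ == "__main__":
    for name, tables in (("before", BEFORE), ("half", HALF), ("after", AFTER)):
        print(name, forward(tables, "branch7", "192.168.4.1"),
              round_trip(tables, "branch7", "192.168.7.10",
                         "branch4", "192.168.4.1"))
    # Caveat of the bundled route: every 192.168.x.y the branch does not own
    # goes up the tunnel, and the hub's default route passes it to the ISP.
    print("stray", forward(AFTER, "branch7", "192.168.99.1"))
```

Three things worth confirming with it: longest-prefix match means the branch's own /24 still beats the /16, so local traffic never enters the tunnel; the "half" table shows that changing the mask on only one branch gets the request to the other office but leaves its reply with no route home, which is exactly the symmetry Bill describes; and the "stray" case shows that with the bundled route any unused 192.168.x.0 prefix is carried to the hub and then out of the hub's default route, so a discard route for 192.168.0.0/16 on the hub (less specific than its per-branch /24s) is a reasonable addition, though not something the thread itself configures.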
Tags: client, connect, server, vpn, vpns