
This is my first time posting here so please be gentle. The title describes my problem, I will outline the setup:

I have a site to site bidirectional VPN tunnel set up in two offices 100 miles apart. Site A is running a Watchguard Firebox x20e, Site B runs a Cisco ASA 5500 (or something of that sort.)

I have successfully set up the tunnel between the two of them so that when you are in either internal network you can ping and access the opposite network.

However, when I VPN into either of them completely offsite (from home, for example) I cannot see the opposite network but I am able to see the internal network I am VPN'ed to without issue.

Charles

3 Answers


The problem could be two things...possibly both.

Routing issue: If your VPN subnet is different from the site you're VPNed to, you'll need to tell the device at site B to route traffic back to site A for that subnet.

Firewall issue: Just like the routes the traffic needs to be allowed.

3dinfluence
  • So we're on the same page, this is the info for both networks that are tunneled: Site A: IP: 63.133.XXX.XXX Internal: 192.168.10.0/24 Router's IP: 192.168.10.1/24 Site B: External IP: 24.227.XXX.XXX Internal: 192.168.0.0/24 Router's IP: 192.168.0.1/24 – Charles Jun 30 '09 at 01:36
  • What subnet are the VPN clients on? – 3dinfluence Jun 30 '09 at 01:45
  • Let's say the VPN clients are connecting to site A and are on the 192.168.5.0/24 subnet. Then you would need to push two routes to the VPN client for 192.168.0.0/24 and 192.168.10.0/24 with the gateway of 192.168.5.1. Then both routers would have to know where to route the traffic that belongs to 192.168.5.0/24. In addition to that, your firewall rules have to allow traffic from 192.168.10.0/24 and 192.168.0.0/24. – 3dinfluence Jun 30 '09 at 02:01
  • There are a couple of other issues to take into account. If your local network at your house is 192.168.0.0/24 or 192.168.10.0/24 then things can get a bit trickier. This is a likely situation given the subnet that site B is using in particular. There are solutions to that problem using NATing. I'm not familiar with the equipment that you're running but you may need to set up a VPN concentrator, also called a hub and spoke configuration. – 3dinfluence Jun 30 '09 at 02:13

You have to set up the routers to allow the traffic from the VPN subnet to pass through the tunnel.

mrdenny

VPN to site A, open a command prompt and type:

tracert -d 192.168.0.2

You see a list of all the routers the traffic passes through in its attempt to reach site B (this takes a while to build up). The first hop should be 192.168.10.1, i.e. the router at site A. If the first hop is your PC's usual default gateway then you need to modify the routing rules on your PC. If the first hop is 192.168.10.1 but the remaining hops time out then you need to modify the router configs.

To expand a bit (bear with me if you already know this stuff!), let's say your PC has IP address 192.168.16.2 and default gateway 192.168.16.1 (you can type ipconfig to get this info). When you ping any address that isn't 192.168.16.xxx the traffic gets routed to your gateway 192.168.1.1.

When you connect the VPN you'll probably get a second IP address 192.168.10.something; in effect the VPN creates a second network card. If you ping 192.168.10.1 (i.e. the site A router) this is now a local address, so no gateways are involved and the site A router should reply. Now ping 192.168.0.1 (the site B router). This address isn't in the local networks for either your real NIC (192.168.16.xxx) or the VPN virtual NIC (192.168.10.xxx), so the packet will go to the default gateway, 192.168.16.1. The default gateway is presumably your ADSL router, so the packet will disappear into the Internet and be lost. Hence you can't ping site B.

Now, some VPNs change the default gateway when you connect. In that case the default gateway would be 192.168.10.something so when you ping 192.168.0.xxx the packet should flow through the VPN and you should be able to ping site B.

I seem to have ranted on a bit, however the point is that tracert will quickly tell you where your pings to site B are going and give you a clue as to what's wrong.

JR

John Rennie
  • Thanks, John. I did a tracert to the network my home computer is NOT VPN'd directly to and the first hop is my home network's router. Is there any way around modifying the routing rules? I want to make this as easy as just connecting to the VPN and having access to both networks for more than just me. – Charles Jul 01 '09 at 01:01
  • Actually I just found out how to mess with the routing table, it's one or two lines that I can walk anyone through. Thanks John, you are a savior! – Charles Jul 01 '09 at 01:13
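The next-hop reasoning in John Rennie's answer, and the route Charles ended up adding, as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed routing table of a home PC connected to site A's VPN (home LAN 192.168.16.0/24 as in the answer; the VPN-side gateway 192.168.10.1 used for the added route is an assumption). It shows why traffic for site B falls through to the home router before the route exists, and which site LANs a client still cannot reach through the tunnel.

```python
import ipaddress

# Route entries are (network, gateway, interface); "on-link" = directly connected.
def add_route(table, prefix, gateway, iface):
    table.append((ipaddress.ip_network(prefix), gateway, iface))

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def first_hop(table, dst):
    """Address that 'tracert -d dst' would show as hop 1 (None if unroutable)."""
    match = lookup(table, dst)
    if match is None:
        return None
    net, gw, iface = match
    return dst if gw == "on-link" else gw

def unreachable_site_lans(table):
    """Site LANs (addresses from the thread) whose traffic would not use the VPN NIC."""
    lans = {"site A": "192.168.10.0/24", "site B": "192.168.0.0/24"}
    missing = []
    for name, lan in lans.items():
        match = lookup(table, ipaddress.ip_network(lan)[1])
        if match is None or match[2] != "vpn-nic":
            missing.append(name)
    return missing

def client_table(site_b_route_added):
    """Constructed routing table of a home PC with the site A VPN connected."""
    table = []
    add_route(table, "0.0.0.0/0", "192.168.16.1", "home-nic")   # home ADSL router
    add_route(table, "192.168.16.0/24", "on-link", "home-nic")
    add_route(table, "192.168.10.0/24", "on-link", "vpn-nic")   # site A LAN via VPN
    if site_b_route_added:
        # Assumed equivalent of: route add 192.168.0.0 mask 255.255.255.0 192.168.10.1
        add_route(table, "192.168.0.0/24", "192.168.10.1", "vpn-nic")
    return table

if __name__ == "__main__":
    for fixed in (False, True):
        t = client_table(fixed)
        print(f"site B route added={fixed}: hop 1 to 192.168.0.2 is "
              f"{first_hop(t, '192.168.0.2')}; LANs not via VPN: {unreachable_site_lans(t)}")
```

Without the extra route, hop 1 for 192.168.0.2 is the home router 192.168.16.1, exactly the symptom Charles reported in the comment above; with it, hop 1 becomes the site A router.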