
I have a main router (10.20.0.1 (lan), 10.20.201.1 (vpn server)) connected to 5 other GWs via VPN. Every gateway can ping every other one, and the PCs behind them. One of my routers, 10.20.6.1 (lan), 10.20.201.5 (vpn), has access to another network (10.10.10.x) and I want to give all my network access to it.

On the main router I added a route:

10.10.0.0 netmask 255.255.0.0 gw 10.20.201.5

When I run a traceroute, I don't even have a first hop. If I remove the route, the first hop is the internet (which is the default). I can ping 10.20.201.5 and everything behind it. On the remote router, I don't see any ICMP packet from 10.20.0.1 while pinging a host on the 10.10.x.x network. The remote router can ping the 10.10.x.x network and access it without issues.

Sirber

1 Answer


Focusing on just the main router and the remote 10.10.x.x:

You'll need (assuming straight VPN tunnels between the routers and not a managed network in the middle):

  • route on main router to 10.10.0.0 (possibly like you did)
  • possible tunnel rule on the main router to tunnel the traffic (not sure how your VPN is setup, route based, policy based, etc.) destined from 10.20.0.0 network to 10.10.0.0 network.
  • return route on the 10.10.0.0 network. That network needs to know where your 10.20.0.1 network is and how to get there. So it will need routes and possibly rules/policies to send traffic from 10.10.0.0 through the router on 10.20.6.1 across the VPN tunnel that goes back to your main router.

You would need to have at least some understanding though of your routers and VPN tunnels and how they are configured and what commands to run to accomplish the above.

There may even be things beyond what I've mentioned. Without knowing your network and the configs involved, it is a difficult thing to answer outright.

TheCleaner
  • Did all the routes, but the second router does not receive the ping requests sent from the main router when asking 10.10.10.3, for example, even if the route is there. – Sirber Nov 25 '13 at 21:05
  • Does your main router show the traffic leaving out the tunnel destined for the 2nd router in a debug trace? – TheCleaner Nov 25 '13 at 21:34
  • yes (good idea to check) on tun0 `16:36:45.821928 IP 10.20.201.1 > 10.10.10.3: ICMP echo request, id 10989, seq 0, length 64` , but no returns – Sirber Nov 25 '13 at 21:37
  • Do you have full debug? Meaning you should be able to see more than just that entry (since it doesn't tell much). Actual lines that show the session and it actually traversing the tunnel out the right WAN interface, etc. You should also be able to see incoming traffic on the remote router, even if it gets dropped immediately. You'll have to debug it to make sure the setup is right. If it truly is leaving your router across the tunnel interface you should see at a minimum the traffic arrive at the remote router. – TheCleaner Nov 25 '13 at 22:16
  • That's the weird part, on the remote router I don't receive any ICMP (on tun0) when I ping 10.10.10.3, but if I ping something on 10.20 I get them. – Sirber Nov 26 '13 at 15:15
  • I'll try a new router soon, there's no logical explanation why it's not working... – Sirber Nov 26 '13 at 15:51
  • Well, again, I'd pretty much have to be there. Can you bring in someone to assist locally? I would setup full debug traces on both ends, start a ping, and then watch the traffic flow. Can the OEM support assist? – TheCleaner Nov 26 '13 at 16:11
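The forward route, tunnel hop and return route that the answer lists form a chain, and a missing link on either leg shows up as exactly the silence described in the question; this added Python model (not the asker's or answerer's configuration) runs longest-prefix lookups over constructed route tables for the main router, the remote router and the 10.10 side, and traces an echo request and its reply hop by hop. The 10.10 side's own gateway (10.10.10.254) and the remote router's address on that network (10.10.10.2) are assumptions; the addresses 10.20.0.1, 10.20.201.1, 10.20.201.5, 10.20.6.1 and 10.10.10.3 come from the post.

```python
import ipaddress

# Constructed model of the question's topology (added example, not the post's
# own config). Assumed addresses: 10.10.10.2 (remote router's leg on the 10.10
# network), 10.10.10.254 (that network's own gateway), 10.10.10.3 (pinged host).
NODES = {
    "main":   {"addrs": {"10.20.0.1", "10.20.201.1"},
               "routes": [("10.20.0.0/24", "connected"), ("10.20.201.0/24", "connected"),
                          ("10.10.0.0/16", "10.20.201.5"), ("0.0.0.0/0", "internet")]},
    "remote": {"addrs": {"10.20.6.1", "10.20.201.5", "10.10.10.2"},
               "routes": [("10.20.6.0/24", "connected"), ("10.20.201.0/24", "connected"),
                          ("10.10.10.0/24", "connected"), ("10.20.0.0/16", "10.20.201.1")]},
    "gw1010": {"addrs": {"10.10.10.254"},  # the 10.10 side: no return route yet
               "routes": [("10.10.10.0/24", "connected")]},
    "host":   {"addrs": {"10.10.10.3"},
               "routes": [("10.10.10.0/24", "connected"), ("0.0.0.0/0", "10.10.10.254")]},
}

def owner(addr):
    """Node owning addr, or None ('internet' and unknown hosts are outside the model)."""
    return next((n for n, d in NODES.items() if addr in d["addrs"]), None)

def lookup(routes, dst):
    """Longest-prefix match: next hop for dst, or None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(node, dst, max_hops=8):
    """Path for dst from node; ends in 'delivered', 'dropped' or an off-model hop like 'internet'."""
    path = [node]
    for _ in range(max_hops):
        if dst in NODES[node]["addrs"]:
            return path + ["delivered"]
        nh = lookup(NODES[node]["routes"], dst)
        nxt = owner(dst if nh == "connected" else nh) if nh else None
        if nxt is None:  # no route, no such host on the connected net, or route leads outside
            return path + ["dropped" if nh in (None, "connected") else nh]
        path.append(nxt)
        node = nxt
    return path + ["loop"]

def ping(src_node, src_ip, dst_ip):
    """(request path, reply path); reply path is None if the request never arrived."""
    fwd = trace(src_node, dst_ip)
    return fwd, (trace(fwd[-2], src_ip) if fwd[-1] == "delivered" else None)

if __name__ == "__main__":
    print(ping("main", "10.20.201.1", "10.10.10.3"))    # reply dropped at gw1010
    NODES["gw1010"]["routes"].append(("10.20.0.0/16", "10.10.10.2"))  # return route
    print(ping("main", "10.20.201.1", "10.10.10.3"))    # both legs delivered
```

The capture quoted in the comments shows the request leaving tun0 with source 10.20.201.1, so the return route in the model covers 10.20.0.0/16 rather than only the 10.20.0.0/24 LAN; a return route for the LAN alone leaves the reply to the tunnel address with no route.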