
We have a series of remote sites connecting to our main site using site-to-site VPN over Cisco 5505s. Every remote site works fine, except one. What is unique about the failing one is that its IP configuration is, at least to me, unusual. The configuration is:

IP 172.130.40.18 (not the actual IP address)
Subnet 255.255.255.255
Gateway 1.64.32.46

Because the gateway is not on the same subnet as the IP, the Cisco TAC has told us that the VPN connection cannot be configured as is, and they have requested that we get the ISP to configure the connection information differently. Thus far, the ISP has not done anything to help us out.

Is there anything we can do short of finding an ISP that is more cooperative? We do have internet to the ISP's router (using PPPoE), but it is useless to us if we cannot configure the VPN.

  • Will quote a well written sentence. "Another way of approaching this question is: if you can't reach your default-gateway router on a local network, how do you send packets through it? You'd have to send them through another router." from http://unix.stackexchange.com/questions/98344/does-the-gateway-have-to-be-on-the-subnet That led me to think: did your ISP lease you a modem that acts as a router, not just a bridge? – yagmoth555 Aug 21 '15 at 19:28
  • Yes, the ISP has leased the site a modem that is acting as a router. – Frustrated User Aug 21 '15 at 19:58
  • You can't do a tunnel if you double NAT. Even with your gateway problem, the modem must be in bridge mode, must, else the tunnel will fail anyway – yagmoth555 Aug 21 '15 at 20:14
  • For what it's worth, the site is using a TRG212M, which is a device with which I have little familiarity. It appears to be serving DHCP addresses on the site, as well as having a static address connecting to a 24-port switch where the main server resides. From what limited documentation I can find, there appears to be no way to put this device into bridge mode. – Frustrated User Aug 21 '15 at 21:04
  • Only your ISP can switch it – yagmoth555 Aug 21 '15 at 22:52

1 Answer

Regardless of where the ISP routing function is situated, in local or remote equipment, it cannot function as a router without an L3 address space to contain other nodes in addition to itself. Bridging (aka L2) just places the L3 routing function farther away, but the L3 space must still be congruent with both the router and your gateway node.

So, if the ISP does not give you a subnet which contains both your node IP address as well as their router's address and really refuses to see reason, you should consider switching ISP.

However, possibly you were unlucky in getting hold of a person of lesser insight at the other end whilst their real technicians are on vacation (or similar). You could do a quick and dirty test of comparing the router address and the node address which they have specified and calculate which subnet mask would permit these two addresses on the same subnet. Just try it and see what happens.

ErikE
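As an added illustration of the answer's "quick and dirty test" (this is example code written for this page, not code from the original post or from either participant): the script takes the host address and gateway exactly as given in the question, computes the longest prefix under which both land in the same network, and checks whether a given dotted mask puts the gateway on-link. The second address pair, 203.0.113.17 and 203.0.113.18, is a constructed point-to-point example from the documentation range and is not from the question.

```python
"""Check whether an IPv4 host and its gateway can share a subnet, and
find the longest prefix (i.e. the most specific mask) that would do it.

Added example for the Server Fault thread above; not the poster's or
Cisco's code. Addresses are the (anonymised) ones from the question plus
a constructed 203.0.113.x pair for comparison.
"""
import ipaddress

# Values copied from the question (the poster says the first is not the
# real address).
HOST = "172.130.40.18"
MASK = "255.255.255.255"
GATEWAY = "1.64.32.46"

# Constructed comparison pair from the TEST-NET-3 documentation range:
# a typical /30 point-to-point link.
DEMO_HOST = "203.0.113.18"
DEMO_GATEWAY = "203.0.113.17"


def gateway_on_link(host: str, mask: str, gateway: str) -> bool:
    """True if `mask` applied to `host` yields a subnet containing `gateway`.

    This is the condition the Cisco TAC is complaining about: with a /32
    mask the subnet holds only the host itself, so no gateway can be on it.
    """
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    return ipaddress.IPv4Address(gateway) in iface.network


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share (0..32).

    XOR the two addresses; the highest set bit of the result is the first
    bit where they differ, so everything above it is the shared prefix.
    """
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    if diff == 0:
        return 32
    return 32 - diff.bit_length()


def minimal_shared_subnet(host: str, gateway: str) -> ipaddress.IPv4Network:
    """Smallest (longest-prefix) network containing both host and gateway.

    Any shorter prefix also contains both, but this is the most plausible
    candidate for what the ISP's side actually uses.
    """
    plen = common_prefix_len(host, gateway)
    # strict=False lets ipaddress zero the host bits for us.
    return ipaddress.IPv4Network(f"{host}/{plen}", strict=False)


def mask_for_prefix(plen: int) -> str:
    """Dotted-decimal netmask for a prefix length, e.g. 30 -> 255.255.255.252."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{plen}").netmask)


def report(host: str, mask: str, gateway: str) -> None:
    """Print the on-link check and the mask that would be needed instead."""
    net = minimal_shared_subnet(host, gateway)
    print(f"host {host} mask {mask} gateway {gateway}")
    print(f"  gateway on-link with configured mask: {gateway_on_link(host, mask, gateway)}")
    print(f"  longest prefix containing both:       {net} "
          f"(mask {mask_for_prefix(net.prefixlen)})")
    if net.prefixlen == 0:
        print("  -> only 0.0.0.0/0 contains both; no usable interface mask exists")


if __name__ == "__main__":
    report(HOST, MASK, GATEWAY)
    report(DEMO_HOST, MASK, DEMO_GATEWAY)
```

With the addresses as they appear in the question, the very first bit of 172.130.40.18 and 1.64.32.46 already differs, so the only "subnet" containing both is 0.0.0.0/0, which is not a mask any router will accept as an interface netmask; the real (unanonymised) pair may of course do better, which is exactly what the answer suggests checking. The constructed 203.0.113.17/.18 pair shows the healthy case: a /30 (255.255.255.252) puts the gateway on-link.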