Create static routes over VPN with RVS4000?

Unanswered Question
Oct 5th, 2009

Hi,


I've got an RVS4000 at a remote site where I need to route a pair of subnets to our primary office location through the VPN interface.


I have the link up and running, and can ping from a system in the remote site to one of our primary site's networks, but I am unable to add a route to the VPN router to connect to the other network behind that. All the networks are using class C addressing currently.


Pings generated on the router produce a no route to host, and when I try to add the route it states that the network is unreachable.


Network layout is as follows:

Remote site
  |
RVS4000
  |
Internet
  |
Firewall (WatchGuard Firebox X series)
  |
DMZ network (172...)
  |
Router
  |
Internal network ( ...25...)



We currently have a whole bunch of road warriors who are working fine, and they just have 2 static routes added to their config, so I know this "should" be possible to do.


Thanks in advance.


James

David Carr Mon, 10/05/2009 - 13:02

You will not be able to create a static route to a network behind the remote network you're connecting to. There is no virtual interface that you can assign a static route to that will allow you to route traffic through the tunnel.

jclendenan-obsv Mon, 10/05/2009 - 13:28

Hi David,


Thanks for the reply, we were expecting that this product was able to do this, as we have purchased several of them for our network.


So I take it that, as an alternative to route multiple networks, I'll have to use separate tunnels, one for each network we need to interconnect?


Are there any plans to actually make this work? How do others solve this type of problem?


James

David Carr Mon, 10/05/2009 - 13:57

The only other way you could make it work is if you connected a tunnel to the network behind the network you are already connected to. I have had customers have to get an enterprise router to allow a static route through the VPN tunnel, since these will not allow the capability for that. That is really all I can think of as a resolution.

okiepilgrim Thu, 12/03/2009 - 11:41

I think we have a similar scenario and I want to be sure what you're saying here David.


We have a "central" office and 2 "branch" offices in a configuration like this:

Branch A (192.168.2.0/24)
  |  vpn connection over internet
Central Office (192.168.1.0/24)
  |  vpn connection over internet
Branch B (192.168.3.0/24)


All routers are RVS4000s.  From the Central Office (CO) I can connect to both the Branch A (BA) network and the Branch B (BB) network.  However, from Branch A, I am not able to connect to Branch B and when I attempt to create static routes, I receive the same message as James "Network is unreachable".


So are you saying that with your VPN ROUTER (repeat VPN ROUTER), I am unable to route traffic between BA and BB over my existing tunnels?


Thanks,


Blake

Te-Kai Liu Thu, 12/03/2009 - 12:22

Why not add a site-to-site tunnel between the 2 branch offices?

okiepilgrim Thu, 12/03/2009 - 12:57

This suggestion has been made in other posts and would work, but the reality is that I gave a simplified version of the connections.  Basically, as a consultant, I sometimes connect a tunnel from my (separate/additional) network behind a WRVS4400N to the central office and also occasionally need to connect to the remote offices.  So now I need a tunnel between the 2 branches and a tunnel between my office and all three branches.  Not only is this a pain, but it doesn't take long to max out the 5 VPN definitions allowed and I certainly don't want to be deleting / re-creating tunnels every time I need to connect for 5 minutes to a client's remote branch.  The ability to route traffic beyond a single network doesn't seem like advanced functionality to me.  But maybe I'm missing something.


Thanks for the suggestion though - it would be the easy fix.


Blake

jclendenan-obsv Thu, 12/03/2009 - 13:42

We also had a similar problem during a recent move. We ended up using a more advanced router product for doing a full-mesh VPN solution, and then used the RVSs for single-office connections with only a few users.


As for using multiple subnets, the RVS's IPsec SA is tied very specifically to its identity proxy, so you'll have to create one VPN tunnel for each subnet you wish to transport.


One trick might be to use a higher-value CIDR range to push a whole subnet over the link. However, I had problems with this, as my branch office was also using a part of the range I wished to push back to the central office.


If anyone else is using a Juniper, remember to set the IPsec identity proxy, or the Linksys will complain bitterly and not bring up the link.

jclendenan-obsv Thu, 12/03/2009 - 13:44

PS.


Terminal services at our central site generally worked around the IT management issues, as users didn't have any reason to jump between the offices in our site.


James
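The behaviour the thread describes (a policy-based IPsec router only carrying traffic that matches one of its configured proxy-ID pairs, so a third subnet behind the far end is "unreachable" until it gets its own pair, and a summarized "wider CIDR" remote range colliding with the branch's own LAN) can be modelled with a few lines of address arithmetic. The following is an added example written for this page; it is not RVS4000 firmware or anything posted in the thread, and the subnets and selector names it uses are constructed sample values that only happen to mirror Blake's diagram.

```python
"""
Added example (not from the thread): a model of how a policy-based IPsec
router chooses which packets enter a tunnel. Each tunnel is a (local, remote)
proxy-ID pair; a packet is encrypted only if its source lies in 'local' and
its destination in 'remote'. Everything else is simply not routed into the
tunnel, which is what the "Network is unreachable" / "no route to host"
messages in the thread reflect. All addresses below are constructed samples.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# One selector = one tunnel definition on the box: (local subnet, remote subnet)
Selector = Tuple[IPv4Network, IPv4Network]


def selector(local: str, remote: str) -> Selector:
    """Build a proxy-ID pair from two CIDR strings (hypothetical helper)."""
    return (ip_network(local), ip_network(remote))


def matching_sa(sas: Iterable[Selector], src: str, dst: str) -> Optional[Selector]:
    """Return the first selector that covers src -> dst, or None.

    None means the packet never enters any tunnel: the router has no
    interface to send it out of, hence the 'unreachable' error when you
    try to add a static route for the far subnet.
    """
    s, d = ip_address(src), ip_address(dst)
    for local, remote in sas:
        if s in local and d in remote:
            return (local, remote)
    return None


def summarize(nets: Iterable[str]) -> IPv4Network:
    """Smallest single prefix covering every given network.

    This is the 'higher CIDR range' trick from the thread: advertise one
    wide remote proxy ID instead of one tunnel per subnet.
    """
    parsed = [ip_network(n) for n in nets]
    summary = parsed[0]
    while not all(n.subnet_of(summary) for n in parsed):
        summary = summary.supernet()  # widen by one bit until all fit
    return summary


def overlap_with_local(summary: IPv4Network, local_lans: Iterable[str]) -> List[IPv4Network]:
    """Local LANs that fall inside a proposed remote summary.

    Any hit reproduces James's problem: a branch subnet that is also part
    of the 'remote' range would be pulled into the tunnel instead of being
    delivered locally, so the summary cannot be used as-is.
    """
    return [ip_network(l) for l in local_lans if ip_network(l).overlaps(summary)]


if __name__ == "__main__":
    # Branch A's single tunnel to the central office, as in Blake's diagram.
    branch_a = [selector("192.168.2.0/24", "192.168.1.0/24")]

    # Host in Branch A talking to Branch B (behind the central office).
    print("A -> B with one tunnel:", matching_sa(branch_a, "192.168.2.10", "192.168.3.10"))

    # The per-subnet fix: a second proxy-ID pair for the far network.
    branch_a.append(selector("192.168.2.0/24", "192.168.3.0/24"))
    print("A -> B with two tunnels:", matching_sa(branch_a, "192.168.2.10", "192.168.3.10"))

    # The summarization trick, and why it bit James: the /22 that covers
    # 192.168.1.0/24 and 192.168.3.0/24 also swallows Branch A's own LAN.
    wide = summarize(["192.168.1.0/24", "192.168.3.0/24"])
    print("summary:", wide, "collides with local:", overlap_with_local(wide, ["192.168.2.0/24"]))
```

Running it shows that the Branch A to Branch B packet matches no selector until a second (local, remote) pair is added, and that summarizing the two central-side subnets yields 192.168.0.0/22, which contains Branch A's 192.168.2.0/24. The practical check before trying the supernet trick is therefore the last line: compute the summary, then confirm it overlaps none of the local LANs (and none of the other branches' LANs that the same router must reach outside the tunnel).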