Create static routes over VPN with RVS4000?

jclendenan-obsv (Level 1)

Hi,

I've got an RVS4000 at a remote site where I need to route a pair of subnets to our primary office location through the VPN interface.

I have the link up and running, and can ping from a system in the remote site to one of our primary site's networks, but I am unable to add a route on the VPN router to connect to the other network behind that. All the networks are using class C addressing currently.

Pings generated on the router produce a no route to host, and when I try to add the route it states that the network is unreachable.

Network layout is as follows:

Remote site
    |
RVS4000
    |
Internet
    |
Firewall (WatchGuard Firebox X series)
    |
DMZ network (172...)
    |
Router
    |
Internal network ( ...25...)

We currently have a whole bunch of road warriors who are working fine, and they just have 2 static routes added to their config, so I know this "should" be possible to do.

Thanks in advance.

James

8 Replies

David Carr (Level 6)

You will not be able to create a static route to a network behind the remote network you're connecting to. There is not a virtual interface that you can assign a static route to that will allow you to route traffic through the tunnel.

Hi David,

Thanks for the reply, we were expecting that this product was able to do this, as we have purchased several of them for our network.

So I take it, as an alternative to route multiple networks, I'll have to use separate tunnels, one for each network we need to interconnect?

Are there any plans to actually make this work? How do others solve this type of problem?

James

The only other way you could make it work is if you connected a tunnel to the network behind the network you are already connected to. I have had customers have to get an enterprise router to allow a static route through the VPN tunnel, since these will not allow the capability for that. That is really all I can think of as a resolution.

okiepilgrim (Level 1)

I think we have a similar scenario and I want to be sure what you're saying here David.

We have a "central" office and 2 "branch" offices in a configuration like this:

Branch A (192.168.2.0/24)
    |
    | vpn connection over internet
    |
Central Office (192.168.1.0/24)
    |
    | vpn connection over internet
    |
Branch B (192.168.3.0/24)

All routers are RVS4000s.  From the Central Office (CO) I can connect to both the Branch A (BA) network and the Branch B (BB) network.  However, from Branch A, I am not able to connect to Branch B and when I attempt to create static routes, I receive the same message as James "Network is unreachable".

So are you saying that with your VPN ROUTER (repeat VPN ROUTER), I am unable to route traffic between BA and BB over my existing tunnels?

Thanks,

Blake

Why not add a site-to-site tunnel between the 2 branch offices?

This suggestion has been made in other posts and would work, but the reality is that I gave a simplified version of the connections.  Basically, as a consultant, I sometimes connect a tunnel from my (separate/additional) network behind a WRVS4400N to the central office and also occasionally need to connect to the remote offices.  So now I need a tunnel between the 2 branches and a tunnel between my office and all three branches.  Not only is this a pain, but it doesn't take long to max out the 5 VPN definitions allowed and I certainly don't want to be deleting / re-creating tunnels every time I need to connect for 5 minutes to a client's remote branch.  The ability to route traffic beyond a single network doesn't seem like advanced functionality to me.  But maybe I'm missing something.

Thanks for the suggestion though - it would be the easy fix.

Blake

We also had a similar problem during a recent move.  We ended up using a more advanced router product for doing a full mesh vpn solution, and then used the RVS's for single office connections with only a few users.

As for using multiple subnets, the RVS's IPsec SA is tied very specifically to its identity proxy, so you'll have to create one VPN tunnel for each subnet you wish to transport.

One trick might be to use a higher-value CIDR range to push a whole subnet over the link. However, I had problems with this, as my branch office was also using a part of the range I wished to push back to the central office.

If anyone else is using a Juniper, remember to set the IPsec identity proxy or the Linksys will complain bitterly and not bring up the link.

PS.

Terminal services at our central site generally worked around the IT management issues, as users didn't have any reason to jump between the offices in our site.

James
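The selector-matching behaviour David and James describe (no virtual interface to route to; each SA bound to its identity proxy; the supernet trick biting when the remote range overlaps the local LAN) can be modelled in a few lines. The following is an added example, not code from this thread or from the RVS4000 firmware. It assumes the router behaves like a generic policy-based IPsec implementation, where a packet is encrypted only if its (src, dst) pair falls inside the proxy IDs of a negotiated SA; the subnets are Blake's, while the peer names, the `SpdEntry` type and the hub policy set are hypothetical.

```python
"""Toy model of policy-based IPsec traffic selection (the 'identity proxy' /
SPD matching discussed in this thread).

Added example, not code from the thread or from the RVS4000 firmware. It
assumes the router behaves like a generic policy-based IPsec implementation:
a packet is encrypted only if (src, dst) falls inside the proxy IDs of a
negotiated SA, and there is no tunnel interface for a static route to point
at. Subnets are Blake's; peer names and the SpdEntry type are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class SpdEntry:
    local: IPv4Network   # local proxy ID (our side's traffic selector)
    remote: IPv4Network  # remote proxy ID (traffic selector at the far end)
    peer: str            # hypothetical name of the IKE peer for this SA


def spd_lookup(spd: List[SpdEntry], src: str, dst: str) -> Optional[SpdEntry]:
    """Return the first policy whose proxy IDs cover (src, dst), else None.

    None means the packet is not selected into any tunnel. For a destination
    that also has no ordinary route, that is the 'Network is unreachable'
    the thread reports: there is no interface a static route could use.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for entry in spd:
        if s in entry.local and d in entry.remote:
            return entry
    return None


def selector_overlaps_lan(entry: SpdEntry, lan: IPv4Network) -> bool:
    """True if a remote proxy ID swallows part of our own LAN, the trap James
    hit when pushing a supernet across the link."""
    return entry.remote.overlaps(lan)


def classify(spd: List[SpdEntry], src: str, dst: str) -> str:
    """Human-readable verdict for one packet."""
    entry = spd_lookup(spd, src, dst)
    return "no policy match" if entry is None else f"tunnel to {entry.peer}"


BRANCH_A = IPv4Network("192.168.2.0/24")
CENTRAL = IPv4Network("192.168.1.0/24")
BRANCH_B = IPv4Network("192.168.3.0/24")

# 1) Branch A as configured in the thread: one SA, Branch A <-> Central.
SPD_A_SINGLE = [SpdEntry(BRANCH_A, CENTRAL, "central")]

# 2) James's workaround: one policy per remote subnet, same peer.
SPD_A_PER_SUBNET = SPD_A_SINGLE + [SpdEntry(BRANCH_A, BRANCH_B, "central")]

# 3) The 'higher CIDR' trick: one broad remote proxy ID.
SPD_A_SUPERNET = [SpdEntry(BRANCH_A, IPv4Network("192.168.0.0/16"), "central")]

# Hypothetical hub policy set: Central must also carry the Branch A <-> Branch B
# pairs on both spoke SAs, otherwise decrypted A->B traffic has nowhere to go.
SPD_CENTRAL_HUB = [
    SpdEntry(CENTRAL, BRANCH_A, "branch_a"),
    SpdEntry(CENTRAL, BRANCH_B, "branch_b"),
    SpdEntry(BRANCH_B, BRANCH_A, "branch_a"),  # B->A leaves on the A tunnel
    SpdEntry(BRANCH_A, BRANCH_B, "branch_b"),  # A->B leaves on the B tunnel
]


if __name__ == "__main__":
    cases = [("single", SPD_A_SINGLE), ("per-subnet", SPD_A_PER_SUBNET),
             ("supernet", SPD_A_SUPERNET)]
    for name, spd in cases:
        print(f"{name:>10}: A->Central {classify(spd, '192.168.2.10', '192.168.1.5')}; "
              f"A->B {classify(spd, '192.168.2.10', '192.168.3.5')}; "
              f"A->A {classify(spd, '192.168.2.10', '192.168.2.20')}")
    print("supernet remote selector overlaps Branch A LAN:",
          selector_overlaps_lan(SPD_A_SUPERNET[0], BRANCH_A))
    print("hub forwards A->B via:", classify(SPD_CENTRAL_HUB, "192.168.2.10", "192.168.3.5"))
```

Running it shows the three cases side by side: with the single policy, Branch A to Branch B matches nothing; with a second policy to the same peer it is selected into the tunnel, which is the one-tunnel-per-subnet arrangement; with the /16 supernet it is also selected, but so is Branch A's own LAN-to-LAN traffic, because the remote selector overlaps the local subnet, matching the problem James reported. Whether a given RVS4000 firmware build drops or locally delivers such overlapping traffic is not established by the thread, so treat the overlap check as the thing to run before trying the trick.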
