VPN/Routing problem, site-to-site link
VPN/Routing problem, site-to-site link - 29.Sep.2008 9:27:23 AM
hottsm
Posts: 5
Joined: 2.Mar.2006
Status: offline
Hello Experts,

I'm trying to get a Draytek Vigor 2950 VPN router to connect to an ISA Server 2004 SP3 firewall, using an IPSec tunnel mode site-to-site link. The VPN connection seems OK, but something is not right and I think it is some kind of routing problem. This is our scenario:

Branch Network: 192.168.10.0/24
- Draytek Router LAN IP: 192.168.10.1
- Client IP: 192.168.10.10 (DHCP from Draytek; Draytek is the default gateway)

Main Network: 10.1.0.0/16
- Default Gateway (Cisco Router): 10.1.0.1 (<- MPLS connection via ISP to 3 other 10.x.0.0/16 networks)
- ISA has 3 NICs:
  LAN: 10.1.0.10
  WAN: PublicIP_A (<- Internet access)
  PUB: PublicIP_B (<- public routable subnet behind PublicIP_A)

All client computers in the Main Network have a default route pointing to the Default Gateway on IP 10.1.0.1 (so they can reach hosts in the MPLS). The Default Gateway itself has a default route pointing to 10.1.0.10 (the ISA Server). The ISA server has static routes to the MPLS networks pointing to the Default Gateway. ISA's default route is the Internet.

The VPN tunnel is established correctly (I think): hosts on the LAN can ping hosts on the Branch Network and vice versa. The Draytek Router has the VPN tunnel as its default route, so all traffic except for the Branch Network itself is sent through the tunnel.

The Problem:
The Branch Network cannot reach hosts on the PUB network or any of the other MPLS networks, or vice versa. The Branch Network cannot access the Internet either. On the ISA, the "PUB<->Branch Network" relationship is the same as the "LAN<->Branch Network" relationship: they are governed by the same Policy (allow all in both directions) and Network Rules (route relationship, except NAT for External). When ping operations are started, e.g. from a host on the PUB network pinging Client IP 192.168.10.10, the traffic is *allowed* by the ISA (it is logged as accepted by the rule), but there are no replies to the pings.

This is the same problem from any of the MPLS networks to the Branch Network, and vice versa: the traffic is logged as accepted, but no pings are returned. What I do not understand is that ping between the LAN and the Branch Network is working and is logged by the same rule as the PUB and MPLS traffic that does not work. So in other words: the Branch Office can only ping the LAN (and vice versa). All other networks can ping each other fine. Any help is greatly appreciated.
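A check worth running on a setup like the one described above, added here as an example and not taken from the thread or from either poster: an ISA "allowed" log entry only says the firewall policy passed the packet. An IPsec tunnel-mode endpoint will only encapsulate a packet, and the far end will only accept the decapsulated packet, when its source/destination pair matches a negotiated phase-2 traffic selector, and a mismatch there is not something the firewall rule log reports. The script models the routes the poster lists (branch 192.168.10.0/24, LAN 10.1.0.0/16, ISA at 10.1.0.10, Cisco at 10.1.0.1, Draytek defaulting into the tunnel) and traces a ping in both directions through two candidate selector sets. The selector sets, the three MPLS prefixes, the PUB subnet (203.0.113.0/24 standing in for PublicIP_B) and the Internet address are all assumptions; the thread shows none of them, and this does not claim to be the poster's actual fault. It shows only that one selector set reproduces exactly the reported pattern (LAN works, PUB/MPLS/Internet fail in both directions) while the other clears it.

```python
import ipaddress

# Addresses below are the thread's (branch 192.168.10.0/24, LAN 10.1.0.0/16,
# ISA 10.1.0.10, Cisco 10.1.0.1). The three MPLS prefixes, the PUB subnet
# (203.0.113.0/24 standing in for PublicIP_B) and every IPsec phase-2
# selector are ASSUMPTIONS made for this example; the thread shows none of them.
BRANCH = ipaddress.ip_network("192.168.10.0/24")
LAN    = ipaddress.ip_network("10.1.0.0/16")
PUB    = ipaddress.ip_network("203.0.113.0/24")
MPLS   = [ipaddress.ip_network(n) for n in ("10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16")]
ANY    = ipaddress.ip_network("0.0.0.0/0")

class Node:
    """A host or router: a static route table plus (for tunnel endpoints) an IPsec SPD."""
    def __init__(self, name, routes, spd=()):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.spd = list(spd)  # (local_net, remote_net) pairs, i.e. phase-2 traffic selectors

    def next_hop(self, dst):
        """Longest-prefix match; returns a node name, 'deliver', 'internet', 'tunnel:<peer>' or None."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best[1] if best else None

    def selector_ok(self, local_ip, remote_ip):
        """IPsec only encapsulates (or accepts) a packet that matches an SPD entry."""
        return any(local_ip in loc and remote_ip in rem for loc, rem in self.spd)

def build(draytek_spd, isa_spd):
    """The thread's topology as a dict of nodes, with the assumed selector sets plugged in."""
    mpls_via_cisco = [(str(n), "cisco") for n in MPLS]
    return {
        "client":   Node("client",   [("0.0.0.0/0", "draytek")]),
        "draytek":  Node("draytek",  [(str(BRANCH), "deliver"), ("0.0.0.0/0", "tunnel:isa")], draytek_spd),
        "isa":      Node("isa",      [(str(LAN), "deliver"), (str(PUB), "deliver"),
                                      (str(BRANCH), "tunnel:draytek"), *mpls_via_cisco,
                                      ("0.0.0.0/0", "internet")], isa_spd),
        "cisco":    Node("cisco",    [(str(LAN), "deliver"), *[(str(n), "deliver") for n in MPLS],
                                      ("0.0.0.0/0", "isa")]),
        "lanhost":  Node("lanhost",  [("0.0.0.0/0", "cisco")]),
        "pubhost":  Node("pubhost",  [("0.0.0.0/0", "isa")]),
        "mplshost": Node("mplshost", [("0.0.0.0/0", "cisco")]),
    }

def trace(nodes, start, src, dst, max_hops=10):
    """Follow one packet hop by hop; returns (path, status). Firewall policy is not modelled
    because the thread says it already allows everything, so only routes and selectors can drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    here, path = nodes[start], [start]
    for _ in range(max_hops):
        nh = here.next_hop(dst)
        if nh is None:
            return path, f"dropped: no route on {here.name}"
        if nh == "deliver":
            return path, "delivered"
        if nh == "internet":
            return path + ["internet"], "delivered"
        if nh.startswith("tunnel:"):
            peer = nodes[nh.split(":", 1)[1]]
            if not here.selector_ok(src, dst):      # sender's SPD: is there an SA to encapsulate into?
                return path, f"dropped: no phase-2 selector on {here.name} for {src}->{dst}"
            if not peer.selector_ok(dst, src):      # receiver's SPD: accept the decapsulated packet?
                return path, f"dropped: no phase-2 selector on {peer.name} for {src}->{dst}"
            path.append(f"tunnel->{peer.name}")
            here = peer
            continue
        path.append(nh)
        here = nodes[nh]
    return path, "dropped: hop limit"

def check(nodes, a, a_ip, b, b_ip):
    """A ping needs both directions; returns (forward_status, reverse_status)."""
    return trace(nodes, a, a_ip, b_ip)[1], trace(nodes, b, b_ip, a_ip)[1]

FLOWS = [("LAN",  "lanhost",  "10.1.0.50",    "client", "192.168.10.10"),
         ("PUB",  "pubhost",  "203.0.113.10", "client", "192.168.10.10"),
         ("MPLS", "mplshost", "10.2.0.10",    "client", "192.168.10.10")]

# Two candidate selector sets (assumed). NARROW is the smallest configuration under which
# "LAN <-> Branch works" is still true; WIDE is what a default route into the tunnel requires.
NARROW = {"draytek": [(BRANCH, LAN)], "isa": [(LAN, BRANCH)]}
WIDE   = {"draytek": [(BRANCH, ANY)], "isa": [(ANY, BRANCH)]}

def report(spd):
    nodes = build(spd["draytek"], spd["isa"])
    return {label: check(nodes, a, a_ip, b, b_ip) for label, a, a_ip, b, b_ip in FLOWS}

def branch_to_internet(spd):
    nodes = build(spd["draytek"], spd["isa"])
    return trace(nodes, "client", "192.168.10.10", "198.51.100.1")[1]

if __name__ == "__main__":
    for name, spd in (("NARROW", NARROW), ("WIDE", WIDE)):
        print(name)
        for label, (fwd, rev) in report(spd).items():
            print(f"  {label:5}-> Branch: {fwd};  Branch -> {label}: {rev}")
        print(f"  Branch -> Internet: {branch_to_internet(spd)}")
```

Under NARROW the LAN flow delivers both ways while the PUB and MPLS flows are dropped on the ISA side outbound and on the Draytek side on the return trip, and branch-to-Internet never leaves the Draytek, which is the pattern the post describes. Under WIDE every flow delivers. On real equipment the equivalent check is to compare the phase-2 (quick mode) selectors negotiated on both ends against every destination network the branch's default route is expected to carry, including 0.0.0.0/0 when the branch sends Internet traffic through the tunnel, and to confirm each hop on the return path (here the Cisco at 10.1.0.1) has a route for 192.168.10.0/24 that leads back to the ISA.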
RE: VPN/Routing problem, site-to-site link - 15.Oct.2008 10:56:00 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Side note first. Your subnets are too large. Masks should never be less than /24 bits for a subnet definition. Lesser bit masks are used in route tables to keep the route table more efficient and are typically seen in supernetting over backbones. Subnets should never be over 250-300 hosts, which the /24 mask does perfectly at 254 hosts. Ethernet efficiency starts to nose-dive after that point. You are not ever going to have 65534 hosts (/16) on one subnet; you are wasting addresses like crazy and eventually will get bit in the rear end by address conflicts with other future networks you may have to connect to because of excessive overlap.

quote: The VPN tunnel is established correctly (I think) – hosts on the LAN can ping hosts on the Branch Network and vice versa.

Then the VPN is fine.

quote: All client computers in the Main Network have a default route pointing to the Default Gateway on IP 10.1.0.1 (so they can reach hosts in the MPLS). The Default Gateway itself has a default route pointing to 10.1.0.10 (the ISA Server). The ISA server has static routes to the MPLS networks pointing to the Default Gateway. ISA's default route is the Internet.

The Static Route can't point to ISA's Default Gateway... it has to point to 10.1.0.1. That may be what you meant, but it needs to be clarified.

quote: The problem is that the Branch Network cannot reach hosts on the PUB network or any of the other MPLS networks or vice versa. The Branch Network cannot access the Internet either. On the ISA, the "PUB<->Branch Network" relationship is the same as the "LAN<->Branch Network" relationship: they are governed by the same Policy (allow all in both directions) and Network Rules (route relationship, except NAT for External).

ISA's Internal Network Definition is missing the IP Ranges of the MPLS Networks. They, along with the main LAN, are all considered to be part of Internal. Don't know what to tell you about "Pub". Don't know what to tell you about Branch not getting to the Internet.
_____________________________
Phillip Windell www.wandtv.com
RE: VPN/Routing problem, site-to-site link - 15.Oct.2008 1:11:42 PM
hottsm
Posts: 5
Joined: 2.Mar.2006
Status: offline
Thank you very much for your reply!

quote: ORIGINAL: pwindell
    Side note first. Your subnets are too large. Masks should never be less than /24 bits for a subnet definition. Lesser bit masks are used in route tables to keep the route table more efficient and are typically seen in supernetting over backbones. Subnets should never be over 250-300 hosts, which the /24 mask does perfectly at 254 hosts. Ethernet efficiency starts to nose-dive after that point. You are not ever going to have 65534 hosts (/16) on one subnet; you are wasting addresses like crazy and eventually will get bit in the rear end by address conflicts with other future networks you may have to connect to because of excessive overlap.

Noted - thank you for your insights. I just might redo some of this later. Do you think this has anything to do with my current problem?

quote:
    quote: The VPN tunnel is established correctly (I think) – hosts on the LAN can ping hosts on the Branch Network and vice versa.
    Then the VPN is fine.

I believe so.

quote:
    quote: All client computers in the Main Network have a default route pointing to the Default Gateway on IP 10.1.0.1 (so they can reach hosts in the MPLS). The Default Gateway itself has a default route pointing to 10.1.0.10 (the ISA Server). The ISA server has static routes to the MPLS networks pointing to the Default Gateway. ISA's default route is the Internet.
    The Static Route can't point to ISA's Default Gateway... it has to point to 10.1.0.1. That may be what you meant, but it needs to be clarified.

It does point to 10.1.0.1 - that was what I meant.

quote:
    quote: The problem is that the Branch Network cannot reach hosts on the PUB network or any of the other MPLS networks or vice versa. The Branch Network cannot access the Internet either. On the ISA, the "PUB<->Branch Network" relationship is the same as the "LAN<->Branch Network" relationship: they are governed by the same Policy (allow all in both directions) and Network Rules (route relationship, except NAT for External).
    ISA's Internal Network Definition is missing the IP Ranges of the MPLS Networks. They, along with the main LAN, are all considered to be part of Internal.

The Internal Network Definition actually does contain all addresses in the MPLS as well as the LAN.

quote: Don't know what to tell you about "Pub". Don't know what to tell you about Branch not getting to the Internet.

Well - that is my main problem :-)
RE: VPN/Routing problem, site-to-site link - 15.Oct.2008 2:19:02 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:
    quote: Don't know what to tell you about "Pub". Don't know what to tell you about Branch not getting to the Internet.
    Well - that is my main problem :-)

Ok, well there isn't anything that really jumps out at me for a cause. I'm sure it would be easier if I was there, of course, but from just reading descriptions I'm not seeing anything wrong. Maybe the Draytek device has some kind of limitation where it will only communicate with the subnet that it directly tunnels to, but nothing beyond that. There are situations like that, particularly with remote access VPN. You may want to call Support for that device and see what they think. If anything, maybe they can narrow it all down to something that I might recognize and be able to suggest something.
_____________________________
Phillip Windell www.wandtv.com
RE: VPN/Routing problem, site-to-site link - 15.Oct.2008 3:04:21 PM
hottsm
Posts: 5
Joined: 2.Mar.2006
Status: offline
quote: ORIGINAL: pwindell
    quote:
        quote: Don't know what to tell you about "Pub". Don't know what to tell you about Branch not getting to the Internet.
        Well - that is my main problem :-)
    Ok, well there isn't anything that really jumps out at me for a cause. I'm sure it would be easier if I was there, of course, but from just reading descriptions I'm not seeing anything wrong. Maybe the Draytek device has some kind of limitation where it will only communicate with the subnet that it directly tunnels to, but nothing beyond that. There are situations like that, particularly with remote access VPN. You may want to call Support for that device and see what they think. If anything, maybe they can narrow it all down to something that I might recognize and be able to suggest something.

OK - thank you for your time and suggestions. I'll write again if something relevant happens...