2 VPN Tunnels using FVS318v3, endpoints cannot "see" each other


pellet

Programmer
Oct 23, 2008
55
US
Hello everyone,

I have a Netgear FVS318v3 router that I have created 2 separate VPN tunnels with. I will try to lay out the networks below:

Segment A: 172.21.6.0 network (application server)
Segment B: 192.168.127.0 network (FVS318v3)
Segment C: 192.168.126.0 network (remote client)

Segment A has a server with an application on it that Segment C needs access to. Segment B has a VPN tunnel established to Segment A and Segment C. There is no server for Segment B or Segment C and the router for Segment B is set up to provide DHCP.

I do not have access to Segment A's firewall. It is controlled by a vendor that I worked with to get the VPN tunnel established between Segment A and Segment B. I can ping Segment A from Segment B.

Segment C is a remote laptop client using Netgear's ProSafe VPN Client. In the ProSafe VPN client, I was able to set up a virtual IP address of 192.168.126.50 (because it cannot be on the same segment as Segment B). I can establish VPN connection between Segment C and Segment B. Segment C can ping the internal address of Segment B's Netgear router and it can ping computers inside the 192.168.127.0 network. The Netgear router can ping Segment C's virtual IP address of 192.168.126.50. Segment B's Netgear router can ping Segment A's gateway and server that holds the application needed by Segment C (the 172.21.6.0 network). The problem is, Segment C cannot ping Segment A...

I have set up several static routes listed below:

Destination: 192.168.127.0 Gateway: 192.168.126.50 Metric 2
Destination: 192.168.136.50 Gateway: 192.168.127.100 Metric 2
Destination: 172.21.6.0 Gateway: 172.21.6.1 Metric 2

It seems that no matter how I try to set up a static route from Segment C to Segment A, I cannot get them to communicate.

If anyone has any ideas on how to fix this or what I am doing wrong / overlooking, please feel free to let me know. I am at my wits' end and I have been working on this for a few days now.

Thanks in advance,
Pellet
 
I have no idea if you will need access to the router you do not have access to but here goes.

I bet 172.21.6.x is allowed to see 192.167.127.x with a subnet mask of 255.255.255.0, (or /24) this allows clients from 192.168.127.1 to 192.168.127.254 to see into the 172.21.6.x subnet. You want a mask of 255.255.0.0 (or /16) this would allow 192.168.0.1 to 192.168.255.254 to see into 172.21.6.x.

That would include your 192.168.126.x client, which your current mask does not.

If the subnet 172.21.6.x has other VPN peers, this greedy approach will not work as I grabbed all of the 192.168.x.x range. Someone with a good subnet calculator could tell you the smallest mask that would work.



I tried to remain child-like, all I achieved was childish.
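The subnet calculation the reply above asks for, as an added example that is not part of the original thread: it finds the smallest single prefix covering Segment B (192.168.127.0/24) and Segment C (192.168.126.0/24) and compares which source addresses a /24, that prefix, and the /16 would admit. The function names and the 192.168.10.20 address are constructed for illustration; the other addresses are taken from the first post.

```python
import ipaddress

def smallest_covering_network(networks):
    """Return the smallest single IPv4 prefix that contains every given network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Every bit position where the lowest and highest address differ,
    # and everything below it, has to be a host bit of the covering prefix.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))

def admitted(selector, sources):
    """Map each source address to whether the selector (a prefix) contains it."""
    sel = ipaddress.ip_network(selector)
    return {s: ipaddress.ip_address(s) in sel for s in sources}

# Segment B and Segment C from the first post.
SEGMENTS = ["192.168.127.0/24", "192.168.126.0/24"]

# A Segment B host, the client's virtual IP (both from the post), and a
# constructed address standing in for some unrelated 192.168.x.x peer.
SOURCES = ["192.168.127.100", "192.168.126.50", "192.168.10.20"]

if __name__ == "__main__":
    tight = smallest_covering_network(SEGMENTS)
    for selector in ("192.168.127.0/24", str(tight), "192.168.0.0/16"):
        net = ipaddress.ip_network(selector)
        print(f"{selector:<18} {net.num_addresses:>6} addresses  "
              f"{admitted(selector, SOURCES)}")
```

The two segments collapse into one /23 only because 126 and 127 are an aligned pair; 192.168.127.0/24 together with 192.168.128.0/24 would already need the whole /16, in which case two separate /24 entries are the tighter choice.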
 
Thanks for the reply Jimbopalmer,

The admin for the 172.21.6.0 network won't give access to 192.168.0.0 network because he has multiple networks accessing the server.

I did talk to him before and he said he granted access to the network for the 192.168.127.0 network and the 192.168.126.0 network... I don't know if the issue is the virtual IP on the client computer is 192.168.126.50 with a virtual netmask of 255.255.255.255 - but I did try to set up the network at 192.168.0.0 but I could not get a VPN connection.

Any other ideas?

Thanks again for the reply.
 