
IPSec Tunnel and Re-Routed LAN Traffic

Status
Not open for further replies.

iamnotherbert

Programmer
Apr 17, 2009
1
US
We recently installed a DrayTek Vigor 2930n Dual-WAN router in order to support failover between multiple ISPs. We're trying to convert from a Netopia 3386-ENT. Unfortunately, the DrayTek's IPSec support falls short(*) of the Netopia's. Thus, we're going to need to leave the Netopia router in service as a VPN gateway for our various IPSec LAN-to-LAN tunnels.

Given this, I would like to set up the DrayTek as the primary gateway on the subnet, handling the basic Internet traffic. Then, I would like to re-route to the Netopia any traffic that is specific to one of the VPN connections hosted by the Netopia. Unfortunately, this didn't work when I set this up. I created static routes on the DrayTek for all VPN-related subnets, and made all workstations use the DrayTek as the default gateway. Ping requests destined for the VPN that were routed to the Netopia via the DrayTek failed. If I set up a static route on the workstation to route the VPN packets directly to the Netopia, bypassing the DrayTek, the Ping requests were successful. Although successful, I'd rather avoid this, as this means manually propagating static routes across all workstations/servers that need to route traffic over the VPN.

Thus, my question: is it a basic rule of an IPSec tunnel to not allow in packets that have been re-routed within the internal subnet? Or is it more likely that I screwed up a configuration somewhere?

(*) Where it falls short is that the DrayTek does not support the ability to set up a single PAT address for all traffic that flows over a VPN tunnel. We use a single PAT address to better enable hosts on the remote side of the VPN tunnel to access services on our local LAN.
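The two forwarding setups described in the post can be traced on paper with a small route-lookup model. The following is an added example, not code from the original post or from either router vendor; the addresses (LAN 192.168.1.0/24 with the workstation at .50, DrayTek at .1 and Netopia at .2, remote VPN subnet 10.9.0.0/24) and the node names are constructed assumptions, and the IPSec tunnel is modelled as a plain next hop between the Netopia and the remote gateway. The model performs longest-prefix-match lookups hop by hop and, for each scenario, also checks whether the reply path is the mirror image of the forward path. With only a default gateway on the workstation, the forward packet passes DrayTek then Netopia, but the reply from the Netopia is delivered straight to the workstation on the shared LAN, so the two directions are asymmetric; with the host static route both directions match. Whether that asymmetry is what breaks the ping on the real equipment is not something the model can tell, but it is the first thing worth checking on the Netopia's routing and firewall logs.

```python
import ipaddress

# Constructed topology for illustration (addresses and names are assumptions, not from the post):
#   LAN 192.168.1.0/24:  workstation .50, DrayTek .1 (default gateway), Netopia .2 (IPSec gateway)
#   Remote VPN subnet 10.9.0.0/24: remote gateway 10.9.0.1, remote host 10.9.0.5
#   The IPSec tunnel is modelled as an ordinary next hop between 192.168.1.2 and 10.9.0.1.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.9.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
WS, DRAYTEK, NETOPIA = "192.168.1.50", "192.168.1.1", "192.168.1.2"
REMOTE_GW, REMOTE_HOST = "10.9.0.1", "10.9.0.5"


def lookup(table, dst):
    """Longest-prefix-match route lookup.

    table: list of (network, next_hop); next_hop None means directly connected.
    Returns the next hop, or None for on-link delivery; raises if no route matches.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [(net, nh) for net, nh in table if dst in net]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    _net, nh = max(candidates, key=lambda r: r[0].prefixlen)
    return nh


def trace(tables, src, dst, max_hops=8):
    """Return the list of nodes a packet from src to dst traverses, src and dst inclusive."""
    path, node = [src], src
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:            # dst is on a directly connected network: deliver it
            path.append(dst)
            return path
        path.append(nh)
        if nh not in tables:      # next hop outside the modelled network (e.g. the ISP)
            return path
        node = nh
    raise RuntimeError("hop limit exceeded (routing loop?)")


def is_symmetric(tables, a, b):
    """True when the reply path from b to a is the exact reverse of the path from a to b."""
    return trace(tables, a, b) == list(reversed(trace(tables, b, a)))


# Routing tables shared by both scenarios (constructed).
ROUTERS = {
    DRAYTEK: [(LAN, None), (VPN, NETOPIA), (DEFAULT, "isp")],    # static route for the VPN subnet
    NETOPIA: [(LAN, None), (VPN, REMOTE_GW), (DEFAULT, "isp")],  # VPN subnet reached through the tunnel
    REMOTE_GW: [(VPN, None), (LAN, NETOPIA)],                    # far end of the tunnel
    REMOTE_HOST: [(VPN, None), (DEFAULT, REMOTE_GW)],
}


def scenario_default_gateway_only():
    """Workstation uses the DrayTek as default gateway and has no route of its own for the VPN."""
    tables = dict(ROUTERS)
    tables[WS] = [(LAN, None), (DEFAULT, DRAYTEK)]
    return trace(tables, WS, REMOTE_HOST), is_symmetric(tables, WS, REMOTE_HOST)


def scenario_host_static_route():
    """Workstation additionally carries a static route sending the VPN subnet straight to the Netopia."""
    tables = dict(ROUTERS)
    tables[WS] = [(LAN, None), (VPN, NETOPIA), (DEFAULT, DRAYTEK)]
    return trace(tables, WS, REMOTE_HOST), is_symmetric(tables, WS, REMOTE_HOST)


if __name__ == "__main__":
    for name, fn in (("default gateway only", scenario_default_gateway_only),
                     ("host static route", scenario_host_static_route)):
        path, sym = fn()
        print(f"{name:22}: {' -> '.join(path)}  symmetric={sym}")
```

Running the script prints the forward path for each scenario and whether the reply retraces it. The asymmetric case is the one where the Netopia receives the outbound packet from the DrayTek's LAN address but answers the workstation directly, which is the usual trigger for ICMP redirects and for stateful filters on either router seeing only half of a flow.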
 