Linksys VPN and Routing - strange results 1

rpaverd (IS-IT--Management), Nov 13, 2002
My challenge is that we need to access a secure web page from clients on Subnet A connecting through our VPN to subnet B.

Subnet B clients access the secure web site through a T1 connection and NOT through the Linksys VPN router.

The VPN is set up and working cleanly, however, from subnet A I can only ping the VPN router and one other client on subnet B. I have no idea why I can ping only the one client! There are approximately 15 clients on Subnet B.

It is apparent that we need to set up routing between the subnets, but I am uncertain if this will actually resolve the issue (we are not interested in accessing resources on subnet B, we just want access to the secure website).

I have set up a route to subnet B on the VPN router at subnet A without any effect. I suspect that it is because the primary gateway for all devices is the T1 router...?

Any suggestions as to how I can solve this? (By the way, the T1 router is provided by an external corporation, so we do not have the immediate ability to add routes on this device...)

 
Subnet A is 10.22.171.0
Subnet B is 10.40.232.0 both subnet masks 255.255.255.0

Routing table on VPN router at Subnet A is as follows:
Destination     Mask            Gateway         Hops  Interface
0.0.0.0         0.0.0.0         141.151.58.15   1     WAN
10.40.232.0     255.255.255.0   10.40.232.201   1     LAN
10.22.171.0     255.255.255.0   0.0.0.0         1     LAN
141.151.58.0    255.255.255.0   0.0.0.0         1     WAN

VPN router address on Subnet B is (obviously?) 10.40.232.201

Appreciate any input

Richard
 
I assume the secure website is in subnet B.

No routing necessary, VPN-routers (BEFVP41/BEFSX41?) do route between subnets automatically.

" I suspect that it is because the primary gateway for all devices is the T1 router...? "

This is the reason for your problem: poor packets arriving through the VPN are routed to your T1 instead of being sent back to the tunnel.

You can either add a second IP/gateway (=Linky LAN IP) to your server. It can be in another subnet as well, like 192.168.x.x. This prevents clients in subnet A accessing any other resources in your LAN than the website.

Best solution is to add a static route to your T1 router as follows:

10.22.171.0 / 255.255.255.0 GW LAN 10.40.232.201

 
Correct; the secure website is accessed through the T1 router on Subnet B.

If the VPN connection performs the routes automatically, I should be able to ping the devices on subnet B and get a response? And all devices on Subnet B should be able to ping devices on subnet A - which is not occurring....

If I read your suggestions correctly, the options are:
EITHER add a second Linksys router in Subnet B (configured with the T1 router as its gateway, effectively performing NAT) OR add the static route to the T1 router (which may be impossible as we have no control over it...).

I have no problem with the first option, however I do not want to travel the couple of hundred miles to install the second router in subnet B if we cannot access it from Subnet A (as is currently the situation with all (most) of the other devices....)

All suggestions gladly welcomed. I do currently have the VPN router at Subnet B configured as a router (RIP1) rather than a gateway, but it appears to make no difference when I made the change.

Many thanks for the suggestions so far

Richard
 
Do you have two Linksys routers performing VPN between A and B?

Routers should be in gateway-mode.

I did say that you can EITHER add a second IP/Gateway to the network card of your webserver OR add the static route to your main gateway.
 
I'm not sure, but I think perhaps there is some misunderstanding about what you need to do. Actually I'm sure there is some confusion, just not sure who is confused.

Facts as I have it:

Subnet A is at 10.22.171.0, subnet B is at 10.40.232.0, both with a 255.255.255.0 mask. The two subnets are linked over a VPN created with Linksys routers, and the link is establishing properly. I think that everyone is on the same page to that point.

Past that, I think there is some confusion. You mention a T1 to access a secure site on subnet B. You also stated that the computers on B were using the T1 for the default gateway. Now I find myself confused: does subnet B use the T1 to access the internet at large, or just the secure site? If not the internet at large, is there access to the internet there, and if so, how do you provide it? While we're on that subject, how is the VPN connecting on subnet B, over that same T1 or otherwise?

Making some guesses here, so you might need to trash all of the following, but here goes . . .

I am assuming that sub A is accessing the internet through the Linksys there. Default route on all machines there should point to the Linksys. I think you have that. I also think your routing is configured properly for you to access sub B from there, reinforced by the fact that you are able to ping one client on subnet B. Something on the A side is causing the problems with the other hosts.

Based upon what you have stated about the T1/secure server, particularly that it is provided by a third party, I would assume that it does not have an IP in the range of your B subnet. If that is the case, you need to add another route on the A router pointing to the address of the secure site. Otherwise, packets pointed there will be sent to the internet instead of the B subnet to be forwarded on. The B router would need a route to the T1 as well, so it could route the incoming packets from subnet A to the proper IP on the network there.

Now for the problem of subnet B reaching A. A few things could be doing that. If you are running firewalling software, it could be configured to block ICMP from hosts that are not on the local network. Remember that even though traffic from subnet A is trusted through the VPN, the individual machines have no way of knowing this, so you may have to adjust firewall software. Could be that they are blocking ICMP altogether; have you tried a ping from the machines on the B subnet? Also worth noting that you sometimes get a firewall bundled with AV without asking or being told.

The other thing that strikes me: again, you stated that the T1 was only for accessing the secure site, but then you also state that the default gw for the machines on subnet B is pointed to that T1. Doesn't sound right, but if you really need to maintain that default route you will need to add a route on each machine to subnet A pointing to the Linksys. Again, that somewhat depends upon how you are accessing the internet. If your default route is really the Linksys, that should not be an issue.


 
Firstly, my thanks for the comments and input; I am always amazed at how people are willing to assist!

In answer to the assumptions and questions:
Yes, both ends of the connection are Linksys VPN routers: BEFVP41 at subnet A, BEFSX41 at subnet B.

Subnet B is connected to the Internet via the T1 router.

Subnet A is connected to the Internet via the VPN router; connection between the two subnets is via the Linksys VPN routers. The objective is to be able to access a secure website through the T1 router. It is difficult, if not impossible, to have any routes added to the T1.

HOWEVER, from a testing perspective, I set up another VPN link from Subnet A to my home network 198.162.1.x via my Linksys BEFSX41 VPN router connected via cable modem at home. Worked perfectly; using Networkview I could see all devices on subnet A and from subnet A I could see all the devices on my home network...... great!

I have the luxury of having both cable and DSL at home, so I set up another BEFSX41 VPN router connected via the DSL line in my 192.168.1.x subnet. I then successfully created a VPN connection with Subnet A. In this instance, from Subnet A, I can now ONLY see the primary router (192.168.1.1) and the actual VPN router (192.168.1.201) from Subnet A and I cannot see anything on Subnet A (10.22.171.x) from my home network....

Any routing suggestions here...?

Many thanks

Richard
 
Further information....

In the test environment I have added a route to Subnet A from my gateway router as 10.22.171.0 / 255.255.255.0 GW LAN 192.168.1.201

The routing table of my gateway router now shows as:
Destination     Mask            Gateway         Hops  Interface
0.0.0.0         0.0.0.0         68.39.64.1      1     WAN
10.22.171.0     255.255.255.0   192.168.1.201   3     LAN
68.39.64.0      255.255.252.0   0.0.0.0         1     WAN
192.168.1.0     255.255.255.0   0.0.0.0         1     LAN

However, I still cannot see ANY devices on Subnet A from my home LAN.

This is exactly the same problem as I am experiencing from Subnet B, so if we can fix this, we can apply the solution to Subnet B. In my home network, moreover, I have full control of all the devices so if we need to make changes we can easily experiment.

As always, all suggestions welcomed.

Richard
 
Again, the same problem as the original one: when a VPN tunnel is established, the packets destined for the remote network _must_ have a way back.

Normally this is done by setting the local VPN router as the default gateway, as was the case with your home/cable setup. With another VPN router, as in your home/DSL case, the default gateway was obviously still pointing to the cable router, resulting in the return packets being routed to the wrong router. If you set a static route on your home/cable router pointing to the home/DSL router, the setup will start working.
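To make the return-path point concrete, for both the original subnet B advice (static route 10.22.171.0/24 via 10.40.232.201) and the home cable/DSL test, here is an added example that is not from the thread or from Linksys: a longest-prefix-match lookup run over the routing tables posted above. The subnet B client table, the host address 10.22.171.50 and the public address 203.0.113.10 are constructed, and the T1 router's address is a placeholder because the thread never gives it.

```python
import ipaddress

# Each route is (destination network, gateway, interface). A gateway of
# "0.0.0.0" means the destination is directly connected, as in the Linksys list.
def next_hop(routes, dst_ip):
    """Longest-prefix-match lookup: the most specific matching route wins, so
    the default route 0.0.0.0/0 only catches traffic nothing else claims."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net, strict=False)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    return None if best is None else (str(best[0]), best[1], best[2])

# Table of the VPN router at subnet A, as posted in the thread.
SUBNET_A_VPN_ROUTER = [
    ("0.0.0.0/0",       "141.151.58.15", "WAN"),
    ("10.40.232.0/24",  "10.40.232.201", "LAN"),
    ("10.22.171.0/24",  "0.0.0.0",       "LAN"),
    ("141.151.58.0/24", "0.0.0.0",       "WAN"),
]
# Home cable gateway router after the static route to subnet A was added.
HOME_CABLE_ROUTER = [
    ("0.0.0.0/0",       "68.39.64.1",    "WAN"),
    ("10.22.171.0/24",  "192.168.1.201", "LAN"),
    ("68.39.64.0/22",   "0.0.0.0",       "WAN"),
    ("192.168.1.0/24",  "0.0.0.0",       "LAN"),
]
# Constructed table for a subnet B client whose default gateway is the T1
# router; the thread never gives that router's address, hence the placeholder.
T1_ROUTER = "<T1 router IP, not given in thread>"
SUBNET_B_BEFORE = [("0.0.0.0/0", T1_ROUTER, "LAN"), ("10.40.232.0/24", "0.0.0.0", "LAN")]
# The same table once the static route from the thread is present on the
# device doing the lookup (the T1 router in the advice, or the client itself).
SUBNET_B_AFTER = SUBNET_B_BEFORE + [("10.22.171.0/24", "10.40.232.201", "LAN")]

def return_gateway(routes, reply_to="10.22.171.50"):
    """Gateway chosen for a reply to a subnet A host (address constructed)."""
    return next_hop(routes, reply_to)[1]

if __name__ == "__main__":
    print("A -> subnet B host :", next_hop(SUBNET_A_VPN_ROUTER, "10.40.232.50"))
    print("A -> public address:", next_hop(SUBNET_A_VPN_ROUTER, "203.0.113.10"))
    print("B reply, no route  :", return_gateway(SUBNET_B_BEFORE))
    print("B reply, with route:", return_gateway(SUBNET_B_AFTER))
    print("home cable reply   :", return_gateway(HOME_CABLE_ROUTER))
```

With only a default route, the reply to subnet A goes to the T1 router, and the static route for 10.22.171.0/24 via 10.40.232.201 is what sends it back into the tunnel. The home cable router's table already selects 192.168.1.201, which is why that route looked right; the thread's last reply attributes the remaining failure to the still-active cable tunnel being matched before routing.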

 
I was of the opinion that the following:
10.22.171.0 255.255.255.0 192.168.1.201 3 LAN
on my gateway router was a suitable route to point back to the VPN router. Is this not correct?

It still is not working, by the way!

Thanks for the feedback...

Richard
 
The BEFVP51 applies the rules in the following order when it sees an IP packet:

1. VPN rules from tunnel 1 to 70
2. Other possible rules

Obviously the tunnel on your home/cable is still active, disable it and your setup starts working.

This is the reason why under a normal setup you do not need to set up any additional routing rules for VPN.
 