DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VPN ip sec lan to lan Help
- damian91
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
11 May 2020 16:52 #96162
by damian91
VPN ip sec lan to lan Help was created by damian91
Hello,
Just after some help on setting up a vpn IPSec between a 2830 and 2862.
the tunnel status is up but unable to ping the remote ip addresses.
Brief setup below:-
2830
Firmware 3.3.7.1_232201
Dial in
Router ip 10.0.0.1/24
Remote ip 192.168.10.0/24
2862
Firmware 3.9.1.1_BT
Dial out
Router ip 192.168.10.1/24
Remote ip 10.0.0.0/24
SSL vpn worked to 2830 and can see everything on 10 network when connected.
Just not sure if there is any issues with firmware between the two or any other settings in the lan to lan that may have missed etc.
Any help much appreciated
Just after some help on setting up a vpn IPSec between a 2830 and 2862.
the tunnel status is up but unable to ping the remote ip addresses.
Brief setup below:-
2830
Firmware 3.3.7.1_232201
Dial in
Router ip 10.0.0.1/24
Remote ip 192.168.10.0/24
2862
Firmware 3.9.1.1_BT
Dial out
Router ip 192.168.10.1/24
Remote ip 10.0.0.0/24
SSL vpn worked to 2830 and can see everything on 10 network when connected.
Just not sure if there is any issues with firmware between the two or any other settings in the lan to lan that may have missed etc.
Any help much appreciated
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
11 May 2020 23:18 #96170
by hornbyp
The latest firmware for the 2830 is "3.8.8.3 ". The version you are running is almost 8 years old
Version 3.8.8.2, (from two years ago) was categorised:Critical – Upgrade recommended immediately
You may find the problem goes away, with a firmware upgrade...
If it doesn't:-
Can the routers 'ping' one another? (Using either the telnet interface and "IP PING 10.0.0.1" or the Web GUI "Diagnosis >> Ping Diagnosis".)
What about Router to another machine on the Remote LAN?
Next try using "Traceroute" from a system on one LAN to a system on the remote LAN. (Use 'Tracert -d' on Windows). How far does that get?
(You can't use the Router's own Traceroute function for this, as it always directs traffic to the WAN)
I would guess this is a Routing table issue somewhere .
I see you have used a 10.0.0.0/24 network - i.e. you're using a non-standard subnet mask. While this is valid - and has its uses - it also introduces complications, which might be causing your problem. (I've seen quite a few folk do this, and I've never quite understood why they've needed to)
Replied by hornbyp on topic Re: VPN ip sec lan to lan Help
damian91 wrote:
Just not sure if there is any issues with firmware between the two ...
The latest firmware for the 2830 is "3.8.8.3
Version 3.8.8.2, (from two years ago) was categorised:
You may find the problem goes away, with a firmware upgrade...
If it doesn't:-
Can the routers 'ping' one another? (Using either the telnet interface and "IP PING 10.0.0.1" or the Web GUI "Diagnosis >> Ping Diagnosis".)
What about Router to another machine on the Remote LAN?
Next try using "Traceroute" from a system on one LAN to a system on the remote LAN. (Use 'Tracert -d' on Windows). How far does that get?
(You can't use the Router's own Traceroute function for this, as it always directs traffic to the WAN)
I would guess this is a Routing table issue somewhere
I see you have used a 10.0.0.0/24
Please Log in or Create an account to join the conversation.
- damian91
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
12 May 2020 14:59 #96178
by damian91
Thanks for that updated the routers and got a-bit closer.
Sorry my bad I took note of the addresses wrong
Correct ones in use
10.0.0.1 should be 10.20.0.1
192.168.10.1 should be 192.168.121.1
So I can ping stuff using 192.168.121.1 router ping diagnostic to get to stuff on the remote end so like 10.20.0.4 and 11 get a response
I can ping from remote router 10.20.0.1 using ping diagnostic to a computer on 192.168.121.200.
But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1
There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?
Thanks
Replied by damian91 on topic Re: VPN ip sec lan to lan Help
hornbyp wrote:
damian91 wrote:
Just not sure if there is any issues with firmware between the two ...
The latest firmware for the 2830 is "3.8.8.3". The version you are running is almost 8 years old
Version 3.8.8.2, (from two years ago) was categorised:Critical – Upgrade recommended immediately
You may find the problem goes away, with a firmware upgrade...
If it doesn't:-
Can the routers 'ping' one another? (Using either the telnet interface and "IP PING 10.0.0.1" or the Web GUI "Diagnosis >> Ping Diagnosis".)
What about Router to another machine on the Remote LAN?
Next try using "Traceroute" from a system on one LAN to a system on the remote LAN. (Use 'Tracert -d' on Windows). How far does that get?
(You can't use the Router's own Traceroute function for this, as it always directs traffic to the WAN)
I would guess this is a Routing table issue somewhere.
I see you have used a 10.0.0.0/24network - i.e. you're using a non-standard subnet mask. While this is valid - and has its uses - it also introduces complications, which might be causing your problem. (I've seen quite a few folk do this, and I've never quite understood why they've needed to)
Thanks for that updated the routers and got a-bit closer.
Sorry my bad I took note of the addresses wrong
Correct ones in use
10.0.0.1 should be 10.20.0.1
192.168.10.1 should be 192.168.121.1
So I can ping stuff using 192.168.121.1 router ping diagnostic to get to stuff on the remote end so like 10.20.0.4 and 11 get a response
I can ping from remote router 10.20.0.1 using ping diagnostic to a computer on 192.168.121.200.
But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1
There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?
Thanks
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
12 May 2020 16:25 #96179
by hornbyp
That Route appears to be wrong, so the question is "what set it up?"
Is it visible in the GUI @ "LAN >> Static Route Setup" ?
Otherwise there's a Telnet command: "ip route del"
Do you recognise 10.20.0.200 as being anything special? - Has it been entered in error in the "TCP/IP Network Settings" section of the LAN-to-LAN profile?
There's a 'Code' in the Routing Table display, that shows where the Route entry came from.
This is the (abbreviated and re-ordered) o/p from my 2830n:-
(192.168.200.254 is the 2830n, 192.168.100.254 is remote 2860n)
Replied by hornbyp on topic Re: VPN ip sec lan to lan Help
damian91 wrote:
But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1
There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?
That Route appears to be wrong, so the question is "what set it up?"
Is it visible in the GUI @ "LAN >> Static Route Setup" ?
Otherwise there's a Telnet command: "ip route del"
Do you recognise 10.20.0.200 as being anything special? - Has it been entered in error in the "TCP/IP Network Settings" section of the LAN-to-LAN profile?
There's a 'Code' in the Routing Table display, that shows where the Route entry came from.
This is the (abbreviated and re-ordered) o/p from my 2830n:-
(192.168.200.254 is the 2830n, 192.168.100.254 is remote 2860n)
Code:
> ip route status
Codes: C - connected, S - static, R - RIP, * - default, ~ - private
* 0.0.0.0/ 0.0.0.0 via 62.3.80.21, WAN2
C~ 192.168.200.0/ 255.255.255.0 is directly connected, LAN1
C~ 192.168.100.254/ 255.255.255.255 is directly connected, VPN-2
S~ 192.168.100.0/ 255.255.255.0 via 192.168.100.254, VPN-2
* 62.3.80.21/ 255.255.255.255 via 62.3.80.21, WAN2
S --.69.--.148/ 255.255.255.255 via --.69.--.148, WAN2
>
Please Log in or Create an account to join the conversation.
- damian91
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
13 May 2020 07:47 #96185
by damian91
Looks like that IP address is a virtual address set for the router as when your on the 10.20.0.0 subnet and browse to 10.20.0.200 it takes you to the router gui of 192.168.121.1?
Changed the ip sec to pptp just for testing.
I’m getting an updated drawing off the site to see what’s connected where as something doesn’t seem right.
As it looks like they have connected vpn router 10.20.0.1 to another router which is 10.20.0.11 wan to lan. Connected to lan on 10.20.0.1 to wan port on 10.20.0.11?? Which now I think should be bridged then so that the 10.20.0.11 can go out via 10.20.0.1 internet??
Thanks
Replied by damian91 on topic Re: VPN ip sec lan to lan Help
hornbyp wrote:
damian91 wrote:
But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1
There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?
That Route appears to be wrong, so the question is "what set it up?"
Is it visible in the GUI @ "LAN >> Static Route Setup" ?
Otherwise there's a Telnet command: "ip route del"
Do you recognise 10.20.0.200 as being anything special? - Has it been entered in error in the "TCP/IP Network Settings" section of the LAN-to-LAN profile?
There's a 'Code' in the Routing Table display, that shows where the Route entry came from.
This is the (abbreviated and re-ordered) o/p from my 2830n:-
(192.168.200.254 is the 2830n, 192.168.100.254 is remote 2860n)
Code:> ip route status Codes: C - connected, S - static, R - RIP, * - default, ~ - private * 0.0.0.0/ 0.0.0.0 via 62.3.80.21, WAN2 C~ 192.168.200.0/ 255.255.255.0 is directly connected, LAN1 C~ 192.168.100.254/ 255.255.255.255 is directly connected, VPN-2 S~ 192.168.100.0/ 255.255.255.0 via 192.168.100.254, VPN-2 * 62.3.80.21/ 255.255.255.255 via 62.3.80.21, WAN2 S --.69.--.148/ 255.255.255.255 via --.69.--.148, WAN2 >
Looks like that IP address is a virtual address set for the router as when your on the 10.20.0.0 subnet and browse to 10.20.0.200 it takes you to the router gui of 192.168.121.1?
Changed the ip sec to pptp just for testing.
I’m getting an updated drawing off the site to see what’s connected where as something doesn’t seem right.
As it looks like they have connected vpn router 10.20.0.1 to another router which is 10.20.0.11 wan to lan. Connected to lan on 10.20.0.1 to wan port on 10.20.0.11?? Which now I think should be bridged then so that the 10.20.0.11 can go out via 10.20.0.1 internet??
Thanks
Please Log in or Create an account to join the conversation.
- mwrmwr
- Offline
- New Member
Less
More
- Posts: 9
- Thank you received: 0
Moderators: Chris, Sami
Copyright © 2024 DrayTek