DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN ip sec lan to lan Help

  • damian91
  • Topic Author
  • Offline
  • New Member
  • New Member
More
11 May 2020 16:52 #96162 by damian91
VPN ip sec lan to lan Help was created by damian91
Hello,

Just after some help on setting up a vpn IPSec between a 2830 and 2862.
the tunnel status is up but unable to ping the remote ip addresses.
Brief setup below:-

2830
Firmware 3.3.7.1_232201
Dial in
Router ip 10.0.0.1/24
Remote ip 192.168.10.0/24

2862
Firmware 3.9.1.1_BT
Dial out
Router ip 192.168.10.1/24
Remote ip 10.0.0.0/24

SSL vpn worked to 2830 and can see everything on 10 network when connected.

Just not sure if there is any issues with firmware between the two or any other settings in the lan to lan that may have missed etc.

Any help much appreciated

Please Log in or Create an account to join the conversation.

More
11 May 2020 23:18 #96170 by hornbyp
Replied by hornbyp on topic Re: VPN ip sec lan to lan Help

damian91 wrote:
Just not sure if there is any issues with firmware between the two ...



The latest firmware for the 2830 is "3.8.8.3". The version you are running is almost 8 years old
Version 3.8.8.2, (from two years ago) was categorised: Critical – Upgrade recommended immediately :!:

You may find the problem goes away, with a firmware upgrade...

If it doesn't:-

Can the routers 'ping' one another? (Using either the telnet interface and "IP PING 10.0.0.1" or the Web GUI "Diagnosis >> Ping Diagnosis".)
What about Router to another machine on the Remote LAN?
Next try using "Traceroute" from a system on one LAN to a system on the remote LAN. (Use 'Tracert -d' on Windows). How far does that get?
(You can't use the Router's own Traceroute function for this, as it always directs traffic to the WAN)

I would guess this is a Routing table issue somewhere.

I see you have used a 10.0.0.0/24 network - i.e. you're using a non-standard subnet mask. While this is valid - and has its uses - it also introduces complications, which might be causing your problem. (I've seen quite a few folk do this, and I've never quite understood why they've needed to)

Please Log in or Create an account to join the conversation.

  • damian91
  • Topic Author
  • Offline
  • New Member
  • New Member
More
12 May 2020 14:59 #96178 by damian91
Replied by damian91 on topic Re: VPN ip sec lan to lan Help

hornbyp wrote:

damian91 wrote:
Just not sure if there is any issues with firmware between the two ...



The latest firmware for the 2830 is "3.8.8.3". The version you are running is almost 8 years old
Version 3.8.8.2, (from two years ago) was categorised: Critical – Upgrade recommended immediately :!:

You may find the problem goes away, with a firmware upgrade...

If it doesn't:-

Can the routers 'ping' one another? (Using either the telnet interface and "IP PING 10.0.0.1" or the Web GUI "Diagnosis >> Ping Diagnosis".)
What about Router to another machine on the Remote LAN?
Next try using "Traceroute" from a system on one LAN to a system on the remote LAN. (Use 'Tracert -d' on Windows). How far does that get?
(You can't use the Router's own Traceroute function for this, as it always directs traffic to the WAN)

I would guess this is a Routing table issue somewhere.

I see you have used a 10.0.0.0/24 network - i.e. you're using a non-standard subnet mask. While this is valid - and has its uses - it also introduces complications, which might be causing your problem. (I've seen quite a few folk do this, and I've never quite understood why they've needed to)



Thanks for that updated the routers and got a-bit closer.

Sorry my bad I took note of the addresses wrong
Correct ones in use
10.0.0.1 should be 10.20.0.1
192.168.10.1 should be 192.168.121.1

So I can ping stuff using 192.168.121.1 router ping diagnostic to get to stuff on the remote end so like 10.20.0.4 and 11 get a response
I can ping from remote router 10.20.0.1 using ping diagnostic to a computer on 192.168.121.200.

But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1

There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?

Thanks

Please Log in or Create an account to join the conversation.

More
12 May 2020 16:25 #96179 by hornbyp
Replied by hornbyp on topic Re: VPN ip sec lan to lan Help

damian91 wrote:

But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1

There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?



That Route appears to be wrong, so the question is "what set it up?"

Is it visible in the GUI @ "LAN >> Static Route Setup" ?
Otherwise there's a Telnet command: "ip route del"

Do you recognise 10.20.0.200 as being anything special? - Has it been entered in error in the "TCP/IP Network Settings" section of the LAN-to-LAN profile?

There's a 'Code' in the Routing Table display, that shows where the Route entry came from.

This is the (abbreviated and re-ordered) o/p from my 2830n:-
(192.168.200.254 is the 2830n, 192.168.100.254 is remote 2860n)
Code:
> ip route status Codes: C - connected, S - static, R - RIP, * - default, ~ - private * 0.0.0.0/ 0.0.0.0 via 62.3.80.21, WAN2 C~ 192.168.200.0/ 255.255.255.0 is directly connected, LAN1 C~ 192.168.100.254/ 255.255.255.255 is directly connected, VPN-2 S~ 192.168.100.0/ 255.255.255.0 via 192.168.100.254, VPN-2 * 62.3.80.21/ 255.255.255.255 via 62.3.80.21, WAN2 S --.69.--.148/ 255.255.255.255 via --.69.--.148, WAN2 >

Please Log in or Create an account to join the conversation.

  • damian91
  • Topic Author
  • Offline
  • New Member
  • New Member
More
13 May 2020 07:47 #96185 by damian91
Replied by damian91 on topic Re: VPN ip sec lan to lan Help

hornbyp wrote:

damian91 wrote:

But from the computer on 192.168.121.200 can only ping to 10.20.0.1 ran tracert and it stops at 10.20.0.1.
Checked routing table on 10.20.0.1 and there seems to be a static route saying 192.168.121.0 255.255.255.0 via 10.20.0.200 interface vpn1

There is no gateway or anything setup for 10.20.0.200 so not sure if that has anything to with it and how can you remove it?



That Route appears to be wrong, so the question is "what set it up?"

Is it visible in the GUI @ "LAN >> Static Route Setup" ?
Otherwise there's a Telnet command: "ip route del"

Do you recognise 10.20.0.200 as being anything special? - Has it been entered in error in the "TCP/IP Network Settings" section of the LAN-to-LAN profile?

There's a 'Code' in the Routing Table display, that shows where the Route entry came from.

This is the (abbreviated and re-ordered) o/p from my 2830n:-
(192.168.200.254 is the 2830n, 192.168.100.254 is remote 2860n)
Code:
> ip route status Codes: C - connected, S - static, R - RIP, * - default, ~ - private * 0.0.0.0/ 0.0.0.0 via 62.3.80.21, WAN2 C~ 192.168.200.0/ 255.255.255.0 is directly connected, LAN1 C~ 192.168.100.254/ 255.255.255.255 is directly connected, VPN-2 S~ 192.168.100.0/ 255.255.255.0 via 192.168.100.254, VPN-2 * 62.3.80.21/ 255.255.255.255 via 62.3.80.21, WAN2 S --.69.--.148/ 255.255.255.255 via --.69.--.148, WAN2 >



Looks like that IP address is a virtual address set for the router as when your on the 10.20.0.0 subnet and browse to 10.20.0.200 it takes you to the router gui of 192.168.121.1?

Changed the ip sec to pptp just for testing.

I’m getting an updated drawing off the site to see what’s connected where as something doesn’t seem right.
As it looks like they have connected vpn router 10.20.0.1 to another router which is 10.20.0.11 wan to lan. Connected to lan on 10.20.0.1 to wan port on 10.20.0.11?? Which now I think should be bridged then so that the 10.20.0.11 can go out via 10.20.0.1 internet??

Thanks

Please Log in or Create an account to join the conversation.

More
08 Jun 2020 19:19 #96320 by mwrmwr
Replied by mwrmwr on topic Re: VPN ip sec lan to lan Help
deleted

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami