07-22-2021 10:25 PM
Hello,
I set up the site-to-site VPN with the following (RV345 switches).
Communication between site A and site B doesn't have any issue at all.
Also, communication between site B and site C is working great.
Site A and site C don't have any connection, only via site B.
site A:192.168.1.0/24 - site B:192.168.2.0/24 - site C: 10.1.1.1/24
How can I set up a static route on site A or another method for computers on site A to talk with computers on site C?
I set up a static route via the site-to-site VPN like this, but it doesn't work:
10.1.1.0/24 via 192.168.2.254 (next hop, site B router), wan2 (internet & VPN interface)
Any idea?
07-22-2021 11:03 PM
One problem that I found is:
There is no routing table for "site to site VPN", even though all the traffic is going through without any issue.
07-24-2021 08:29 AM
We might be able to provide better suggestions if we had more information to work with. But based on what we know so far I have these comments and suggestions:
- What is set up on site A for routing to 192.168.2.0? You probably want to set up similar routing for 10.1.1.0.
- It is not enough to just set up routing for 10.1.1.0 with the same next hop as 192.168.2.0. You also need to change the configuration of the site-to-site VPN so that it includes packets with source 192.168.1.0 and destination 10.1.1.0.
- When you make changes to the site-to-site VPN on site A you need to make matching changes to the site-to-site VPN on site B.
07-28-2021 06:41 AM - edited 07-28-2021 06:41 AM
On a policy-based VPN you won't see the route in the routing table unless the router has an option to do so. What you need to do is edit the allowed subnets at each end of the VPNs.
So for example:
Site A-Site B
A: 192.168.1.0/24
B: 192.168.2.0/24, 10.1.1.0/24
Site B-C
B: 192.168.1.0/24, 192.168.2.0/24
C: 10.1.1.0/24
This means that when site A is looking for site C's network, it checks the VPN policies and finds that B has the subnet listed. It then sends the traffic to B, which relays it to C. Ditto the reverse way from C to A. A static route cannot work, as the VPN endpoints must be told about the subnets. Otherwise the traffic will not be carried over the tunnel.
07-27-2021 04:41 PM
Hello Justin
1. This is a classic hub-and-spoke VPN topology, as shown in the attached schematic.
2. For traffic routing from Site-A to Site-C (and vice versa, bidirectionally) via the Site-B router through the VPN tunnels established, you will need to configure the IPsec policy on each of the RV345 routers as mentioned below.
- This will also enable traffic routing between the Site-A subnet and Site-B subnets (bidirectionally) through the VPN tunnel established.
- And also traffic routing between the Site-C subnet and Site-B subnets (bidirectionally) through the VPN tunnel established.
3. Required IPsec Policy Configs:
===================
On Site-B HubGw
===================
1. Site to Site tunnel to Site-A IPsec Policy
   Local-Subnet: ANY
   Remote-Subnet: 192.168.1.0/255.255.255.0
2. Site to Site tunnel to Site-C IPsec Policy
   Local-Subnet: ANY
   Remote-Subnet: 10.1.1.0/255.255.255.0
===================
On Site-A Spoke1-Gw
===================
1. Site to Site tunnel to Site-B IPsec Policy
   Local-Subnet: 192.168.1.0/255.255.255.0
   Remote-Subnet: ANY
===================
On Site-C Spoke2-Gw
===================
1. Site to Site tunnel to Site-B IPsec Policy
   Local-Subnet: 10.1.1.0/255.255.255.0
   Remote-Subnet: ANY
4. Lastly, kindly delete ALL static routes, etc. that you applied earlier to solve your issue. The static routes are NOT REQUIRED AND NOT TO BE APPLIED FOR ROUTING OVER THE SITE-TO-SITE VPN TUNNELS ON RV34X ROUTERS.
Please Note:
- The S2S IPsec VPN tunnels on the RV345 are "policy-based IPsec tunnels": any forwarding/routing of traffic through the IPsec VPN tunnels is always based on the configured IPsec policies, and static routes will not work.
- "Route-based IPsec tunnels", also called routing-over-IPsec tunnels, are based on VTI tunnels protected by IPsec. In that case a specific VTI tunnel interface is created for each tunnel to a remote peer, and when you want to route traffic through it you either add static routes pointing to this VTI tunnel interface (which in turn gets protected by the IPsec applied on that VTI tunnel) OR configure dynamic routing protocols such as RIP/OSPF/BGP on the VTI tunnel interfaces at either end of the tunnel.
- Best regards
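To make the point of the last two replies concrete (a policy-based tunnel carries only what its selectors cover, and both ends of each tunnel must agree), here is an added Python model of the thread's three gateways. It is not RV345 code and not from anyone in the thread; the selector-matching rules, the site names and the `trace` / `spd_lookup` / `accepts_inbound` helpers are assumptions of the example, while the subnets are the ones posted. It compares the original selectors, the explicit-subnet fix from the second reply, the hub-ANY fix from the third reply, and a half-finished change where only site A was edited.

```python
"""Model of policy-based IPsec forwarding for the A - B - C hub-and-spoke above.

Added example, not RV345 code. Each gateway has a LAN and a list of tunnels,
each tunnel a (peer, local selectors, remote selectors) triple. A packet leaves
a gateway through the first tunnel whose selectors match (the SPD lookup); the
peer accepts it only if its own policy toward the sender matches the mirrored
direction. Sites and subnets come from the thread; the rules are a simplification.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def nets(*cidrs):
    """Selector list built from 'ANY' or CIDR strings."""
    return [ANY if c == "ANY" else ipaddress.ip_network(c) for c in cidrs]


def site(lan, tunnels):
    return {"lan": ipaddress.ip_network(lan), "tunnels": tunnels}


def _match(selectors, addr):
    return any(addr in n for n in selectors)


def spd_lookup(tunnels, src, dst):
    """Outbound: the peer whose policy carries src -> dst, or None if nothing matches."""
    for peer, local_ts, remote_ts in tunnels:
        if _match(local_ts, src) and _match(remote_ts, dst):
            return peer
    return None


def accepts_inbound(tunnels, from_peer, src, dst):
    """Inbound: the receiver's policy toward from_peer must cover dst on its
    local side and src on its remote side, i.e. mirror the sender's policy."""
    return any(peer == from_peer and _match(local_ts, dst) and _match(remote_ts, src)
               for peer, local_ts, remote_ts in tunnels)


def trace(sites, start, src_ip, dst_ip, max_hops=4):
    """Walk a packet gateway by gateway and return (verdict, path):
    'delivered' - reached the gateway that owns dst's LAN
    'clear'     - no outbound policy matched, so the packet leaves that
                  gateway's WAN unencrypted (all a bare static route gives you)
    'rejected'  - the peer has no mirrored policy and discards the packet
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    here, path = start, [start]
    for _ in range(max_hops):
        if dst in sites[here]["lan"]:
            return "delivered", path
        peer = spd_lookup(sites[here]["tunnels"], src, dst)
        if peer is None:
            return "clear", path
        if not accepts_inbound(sites[peer]["tunnels"], here, src, dst):
            return "rejected", path + [peer]
        path.append(peer)
        here = peer
    return "loop", path


A, B, C = "192.168.1.0/24", "192.168.2.0/24", "10.1.1.0/24"

# 1. As first configured: each tunnel lists only the two directly attached LANs.
ORIGINAL = {
    "A": site(A, [("B", nets(A), nets(B))]),
    "B": site(B, [("A", nets(B), nets(A)), ("C", nets(B), nets(C))]),
    "C": site(C, [("B", nets(C), nets(B))]),
}
# 2. Second reply: list the far subnet on each tunnel, at both ends.
EXPLICIT = {
    "A": site(A, [("B", nets(A), nets(B, C))]),
    "B": site(B, [("A", nets(B, C), nets(A)), ("C", nets(B, A), nets(C))]),
    "C": site(C, [("B", nets(C), nets(B, A))]),
}
# 3. Third reply: hub local = ANY, spoke remote = ANY.
HUB_ANY = {
    "A": site(A, [("B", nets(A), nets("ANY"))]),
    "B": site(B, [("A", nets("ANY"), nets(A)), ("C", nets("ANY"), nets(C))]),
    "C": site(C, [("B", nets(C), nets("ANY"))]),
}
# 4. Only site A updated, site B not yet: the "matching changes" warning.
HALF_DONE = {**ORIGINAL, "A": EXPLICIT["A"]}

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("explicit", EXPLICIT),
                      ("hub-any", HUB_ANY), ("half-done", HALF_DONE)]:
        print(f"{name:9} A->C {trace(cfg, 'A', '192.168.1.10', '10.1.1.10')}"
              f"  C->A {trace(cfg, 'C', '10.1.1.10', '192.168.1.10')}")
```

Run as-is, the original configuration reports `clear` at A for A->C traffic: the packet never enters a tunnel, which is why the static route from the first post cannot help. With only site A updated the hub rejects the packet, which is the warning about making the same change on site B. One caveat of the hub-ANY design that the model makes visible: a spoke remote selector of ANY also matches internet-bound destinations (A->8.8.8.8 is carried to B and leaves there in the clear), so spoke internet traffic is pulled through the hub; the thread does not say whether the RV34x prefers the policy or its default route for such traffic, so verify that before adopting it.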