We just installed the VPN concentrator 3005 in our main office and branch office to build up the Site-to-Site VPN tunnel.
For the main office, the internal subnet is 192.168.1.x/24, and the default gateway of all PCs and servers is 192.168.1.254, which is the internal IP address of the firewall. The VPN concentrator is installed on the same subnet with the internal IP address 192.168.1.1. We added the static route 192.168.2.0/24 -> 192.168.1.1 in the firewall.
For the branch office, the internal subnet is 192.168.2.x/24, and the default gateway of all PCs and servers is 192.168.2.1, which is the internal IP address of the VPN concentrator installed in the branch office.
After the VPN tunnel was established, we found that all PCs and servers in the main office can connect to the devices in the branch office properly. However, all PCs and servers in the branch office cannot access any device in the main office. The problem can be solved if we add the static route 192.168.2.0/24 -> 192.168.1.1 directly on those PCs or servers in the main office.
Is there any solution to this problem so that we do not need to add such a static route directly on the PCs and servers in the main office?
Thx.