Routing Site-to-Site VPN traffic through the VPN
Posted: Mon Dec 05, 2011 2:53 pm
Good morning,
I'm having trouble getting traffic routed properly and was hoping someone could steer me in the right direction. I tried posting in the Untangle forums as well but have had no responses so far. Any help is greatly appreciated. Here is my setup:
Main office
Network 172.16.0.0/16
Two Cisco switches with 7 VLANs have all nodes on the network connected to them
Untangle server running version 9.1.0 is connected to one of the switches. External NIC IP is 172.16.5.10 and internal IP is 172.16.5.11. Exported network is 172.16.0.0/16. Default address pool is 10.10.10.0/24.
Each switch has ip route 10.10.10.0 255.255.255.0 172.16.5.11.
Remote office
First Untangle server running version 9.0.2. External NIC connected to the internet and internal has IP of 192.168.2.1. It is running OpenVPN in client mode and connected to the main office's Untangle server.
Second Untangle server running version 9.0.2. External NIC connected to the internal NIC of the first UT server with IP 192.168.2.2 and internal NIC connected to Netgear switch with IP 192.168.0.1. I did not add a static route to this UT server as the server with the VPN client is its default gateway and all traffic with an unknown destination should be routed to it.
Traceroutes from nodes on the remote network show the first hop is the second UT server at 192.168.0.1 and the second hop is the first UT server at 192.168.2.1, but the other hops time out. This is the same when using the tracert utility on the second UT server. However, the traceroute from the first UT server is successful, as well as pings. Also, if I connect via the OpenVPN client on my PC, I can reach all resources on the 172.16.0.0/16 network. So, it seems that the first UT server does not know to route traffic destined for 172.16.0.0/16 through the tun adapter when it comes from the 192.168.0.0/24 network, and I don't understand why. I've tried adding static routes to the second UT server to no avail. Can anyone help?
Here are some traceroutes:
From a desktop on the 192.168.0.0/24 network.
Tracing route to [172.16.50.37]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 <1 ms <1 ms <1 ms 192.168.2.1
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.
Trace complete.
From the second UT server
Fri Dec 02 2011 11:55:06 GMT-0500 (Eastern Standard Time)
traceroute to 172.16.50.37 (172.16.50.37), 30 hops max, 40 byte packets
1 192.168.2.1 (192.168.2.1) 0.124 ms 0.099 ms 0.096 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Fri Dec 2 08:55:30 PST 2011 - Test Complete!
From the first UT server
Fri Dec 02 2011 11:55:37 GMT-0500 (Eastern Standard Time)
traceroute to 172.16.50.37 (172.16.50.37), 30 hops max, 40 byte packets
1 10.10.10.1 (10.10.10.1) 89.243 ms 91.729 ms 91.735 ms
2 172.16.5.2 (172.16.5.2) 119.243 ms 116.629 ms 116.580 ms
3 172.16.5.2 (172.16.5.2) 116.637 ms 119.204 ms 116.591 ms
4 172.16.50.37 (172.16.50.37) 119.228 ms 119.211 ms 121.660 ms
Fri Dec 2 08:55:31 PST 2011 - Test Complete!
Thanks,
Matt
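As an added illustration (not part of Matt's post and not Untangle code), here is a small Python route simulator that reproduces the hop pattern in the three traces under one assumption the post cannot confirm: that the main-office side (the OpenVPN server and the Cisco switches) has no route back to 192.168.2.0/24 or 192.168.0.0/24. The router names, the tunnel address 10.10.10.6 and the desktop address 192.168.0.50 are made up for the simulation; the rest of the tables follows the post, with the Cisco VLAN hops collapsed into one "switch" entry.

```python
"""Longest-prefix-match path simulator for the topology described in the post.

Added example, not code from the original post or from Untangle. The route
tables are reconstructed from the post; the main-office side is an ASSUMPTION
(the post shows no server-side routing table), in particular that neither the
main-office Untangle server nor the Cisco switches have a route for the remote
prefixes 192.168.2.0/24 and 192.168.0.0/24. Next hops are router names rather
than IPs, and the Cisco VLAN hops are collapsed into one "switch" entry.
"""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match. Returns the next hop name, "local" for a directly
    connected destination, or None when no route matches (a default route of
    None models 'sent to the internet gateway and never seen again')."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def path(tables, start, dst, max_hops=16):
    """Forward a packet from router `start` towards `dst`.
    Returns (routers_visited_after_start, delivered)."""
    hops, cur = [], start
    for _ in range(max_hops):
        next_hop = lookup(tables[cur], dst)
        if next_hop is None:
            return hops, False      # no usable route: the packet is lost
        if next_hop == "local":
            return hops, True       # delivered on a connected network
        cur = next_hop
        hops.append(cur)
    return hops, False              # routing loop


def traceroute(tables, src_router, src_ip, dst_ip, dst_router):
    """Emulate traceroute: a hop shows up only if its ICMP time-exceeded can be
    routed back to src_ip, and the destination only if its reply can.
    Returns ([(router, replied), ...], destination_replied)."""
    hops, delivered = path(tables, src_router, dst_ip)
    seen = [(hop, path(tables, hop, src_ip)[1]) for hop in hops]
    dst_ok = delivered and path(tables, dst_router, src_ip)[1]
    return seen, dst_ok


def build_tables(main_office_routes_remote_lans):
    """Route tables from the post. The flag adds the return routes that the
    post does not mention (assumption)."""
    t = {
        # remote desktop: default gateway is UT2's internal address 192.168.0.1
        "pc":     [("192.168.0.0/24", "local"), ("0.0.0.0/0", "ut2")],
        # second UT server: no static routes, unknown destinations go to UT1
        "ut2":    [("192.168.0.0/24", "local"), ("192.168.2.0/24", "local"),
                   ("0.0.0.0/0", "ut1")],
        # first UT server (OpenVPN client): main-office prefixes via the tunnel
        "ut1":    [("192.168.2.0/24", "local"), ("192.168.0.0/24", "ut2"),
                   ("172.16.0.0/16", "main"), ("10.10.10.0/24", "main"),
                   ("0.0.0.0/0", None)],
        # main-office UT server (OpenVPN server, 172.16.5.10/.11, pool 10.10.10.0/24)
        "main":   [("172.16.5.0/24", "local"), ("10.10.10.0/24", "local"),
                   ("172.16.0.0/16", "switch"), ("0.0.0.0/0", None)],
        # Cisco switches: all VLANs connected; ip route 10.10.10.0/24 -> 172.16.5.11
        "switch": [("172.16.0.0/16", "local"), ("10.10.10.0/24", "main"),
                   ("0.0.0.0/0", None)],
        # destination 172.16.50.37, default gateway on the switch
        "host":   [("172.16.50.0/24", "local"), ("0.0.0.0/0", "switch")],
    }
    if main_office_routes_remote_lans:
        for prefix in ("192.168.2.0/24", "192.168.0.0/24"):
            t["main"].append((prefix, "ut1"))      # server knows the client's LANs
            t["switch"].append((prefix, "main"))   # switches send them to the UT
    return t


def render(seen, dst_ok):
    """Traceroute-style text for the scenarios below."""
    lines = [f"{i} {name if ok else '* * *'}" for i, (name, ok) in enumerate(seen, 1)]
    lines.append(f"{len(seen) + 1} {'destination' if dst_ok else '* * *'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.168.0.50 and the tunnel address 10.10.10.6 are made-up sample sources
    for flag in (False, True):
        t = build_tables(flag)
        print(f"--- main office routes remote LANs: {flag}")
        print("from desktop 192.168.0.50:")
        print(render(*traceroute(t, "pc", "192.168.0.50", "172.16.50.37", "host")))
        print("from UT1 using its tunnel address 10.10.10.6:")
        print(render(*traceroute(t, "ut1", "10.10.10.6", "172.16.50.37", "host")))
```

Run as is, the first scenario prints replies from hops 1 and 2 and `* * *` from the third hop on, while the trace started from UT1's own tunnel address completes: the same behaviour as in the post. The forward path through the tunnel is fine; it is the replies that have nowhere to go, which is why a static route on UT2 changes nothing. With the flag set, the desktop trace completes too. If this assumption holds on the real network, the places to look are `route -n` on the main-office Untangle server for 192.168.0.0/24 and 192.168.2.0/24 (Untangle's OpenVPN settings let a remote client site export the networks behind it, and the server only routes back what is exported) and `show ip route 192.168.0.1` on the Cisco switches, which at the moment only know 10.10.10.0/24 via 172.16.5.11. Whether UT2 NATs its LAN behind 192.168.2.2 changes which of the two prefixes matters, not the conclusion.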