L3 S2S VPN

Post your questions about SoftEther VPN software here. Please answer questions if you can.
syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

L3 S2S VPN

Post by syfer2003 » Mon Jun 15, 2015 4:55 am

Firstly, I am using Windows Server 2012 R2 on both sides. I have set up my primary VPN server at site 1 with an IP range of 192.168.1.0/24. I set up the bridge at site 2, which has an IP range of 192.168.2.0/24.

VPN Server has Hub1 with local bridge to internal network. I can see all my local machines in my IP table here.
VPN Server has Hub2 with no local bridge. I can see all remote machines in IP table here. Hub2 has a username that the remote Bridge is connecting to.

VPN Server has L3 Switch that connects to Hub1 with IP address 192.168.1.254/24
VPN Server has L3 Switch that connects to Hub2 with IP address 192.168.2.254/24

Bridge server has RemoteHub2 with local bridge to internal network. I can see all my local machines in IP table.

VPN connection establishes properly. From the Bridge server, I can ping 192.168.2.254, but nothing else on the 192.168.1.x network. I also cannot ping the Bridge network at all from the VPN server network. It appears to be a routing problem, but when I add in manual routes in the layer 3 switch, it still doesn't help. I believe it also says that the Virtual Layer 3 switches automatically route between themselves, but it does not add this routing information into Windows route tables anywhere. I have port 443 forwarded on both sides.

I have been poking around with this for a while, and cannot really seem to get anywhere with it. I bet it is something simple, so I'd like to ask for a bit of help.

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Tue Jun 16, 2015 12:14 pm

Because your clients do not know the route to the other subnet.

In the DHCP of the Hub1, add a route 192.168.2.0/24 pointing at 192.168.1.254.
In the DHCP of the Hub2, add a route 192.168.1.0/24 pointing at 192.168.2.254.

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Tue Jun 16, 2015 4:43 pm

Does it count if I added the route in manually using route add?

Last night, right before I went to bed, I did a "route add" on the machines and also added the route into the layer 3 switch. Now I can tracert, and it follows the gateway as if it knows where it is supposed to go, but it doesn't actually make it to the destination.

From my Bridge site, I can ping the L3 gateway across the VPN, but that is the only communication I can do over my VPN. It is odd, because they can see the MAC and IP table information across the VPN, but I cannot seem to do anything across the VPN.

I followed the article below fairly closely, other than the names of the sites and the actual IPs, my network is setup almost identical.

https://www.softether.org/4-docs/1-manu ... P_Routing)

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Tue Jun 16, 2015 11:45 pm

If you use route add command, you need to do it on both sides.

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 1:20 am

Yes, I did it on both sides. Both sides had route add, pointing to the Gateway in the VL3 switches that are on the Main server. The VL3 switch for the second site is attached to the second site's Virtual Hub, which is also where the username is set up for authentication from the remote site. It connects up, and I can ping that VL3 switch, but I cannot seem to get my traffic over the VPN.

I set the route add on my primary site to push all 192.168.2.x traffic through the 192.168.1.254 gateway and set the route add on the remote site to push all 192.168.1.x traffic through the 192.168.2.254 gateway.

I know I am repeating a bit, but I want to make it easy on you, without you having to go back through the posts a bunch.

As stated previously, I can ping the 192.168.2.254 from the remote site, and I can see the IP tables across sites so I know that some traffic is going.

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Wed Jun 17, 2015 3:35 am

Can you screenshot the settings?

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 4:00 am

Yeah. I was using alternate IPs here but I'll post the actual screenshots. Please let me know if they come through.

[attachment=2]ServerMainPage.jpg[/attachment]

[attachment=1]ServerLocalBridge.jpg[/attachment]

[attachment=0]ServerVL3.jpg[/attachment]

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 4:01 am

Attachment set 2

[attachment=0]BridgeVL3.jpg[/attachment]

[attachment=1]BridgeLocalBridge.jpg[/attachment]

[attachment=2]ServerRouteTable.jpg[/attachment]

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 4:02 am

Attachment set 3

[attachment=2]ServerTracert.jpg[/attachment]

[attachment=1]BridgeRouteTable.jpg[/attachment]

[attachment=0]BridgeTracert.jpg[/attachment]

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Wed Jun 17, 2015 4:55 am

You should use one single virtual layer 3 switch only.

In the switch, you need one interface connecting to each hub, and no need to add anything to the routing table. In your second site, connect using a cascade connection.
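The single-switch layout kh_tsang describes, written out as vpncmd batch files driven from PowerShell on each Windows box. This is an added example and not code from the thread or from the SoftEther project; the hub names HUB1/HUB2/REMOTEHUB2, the switch name L3SW, the cascade user "branch", the hostname hq.example.com, the bridge NIC name, the vpncmd install path and both passwords are assumptions you replace with your own.

```powershell
# Added example (not from the thread or from SoftEther): one virtual Layer 3
# switch on the site-1 server with an interface in each hub, and a cascade
# from the site-2 bridge into HUB2. Every name, path and password below is
# an assumption; substitute your own before running.
$ErrorActionPreference = 'Stop'
$VpnCmd      = 'C:\Program Files\SoftEther VPN Server\vpncmd.exe'   # assumed default install path
$AdminPass   = 'CHANGE-ME-server-admin-password'
$CascadePass = 'CHANGE-ME-cascade-user-password'

# ---- Site 1: VPN Server ---------------------------------------------------
# HUB1 is already local-bridged to the 192.168.1.0/24 NIC. HUB2 gets no local
# bridge; it only terminates the branch cascade. The L3 switch owns one
# address on each hub and routes between them on its own, so no RouterTableAdd
# entries are needed for the two directly connected subnets.
$serverCmds = @"
HubCreate HUB2 /PASSWORD:$AdminPass
Hub HUB2
UserCreate branch /GROUP:none /REALNAME:none /NOTE:none
UserPasswordSet branch /PASSWORD:$CascadePass
RouterAdd L3SW
RouterIfAdd L3SW /HUB:HUB1 /IP:192.168.1.254/255.255.255.0
RouterIfAdd L3SW /HUB:HUB2 /IP:192.168.2.254/255.255.255.0
RouterStart L3SW
"@

# ---- Site 2: VPN Bridge ---------------------------------------------------
# REMOTEHUB2 is local-bridged to the 192.168.2.0/24 NIC and cascades outbound
# to HUB2 on the server, so only the server side needs inbound TCP 443 opened.
$bridgeCmds = @"
HubCreate REMOTEHUB2 /PASSWORD:$AdminPass
BridgeCreate REMOTEHUB2 /DEVICE:"Ethernet 2" /TAP:no
Hub REMOTEHUB2
CascadeCreate toHQ /SERVER:hq.example.com:443 /HUB:HUB2 /USERNAME:branch
CascadePasswordSet toHQ /PASSWORD:$CascadePass /TYPE:standard
CascadeOnline toHQ
"@

function Invoke-VpnCmdBatch {
    # Feeds a command list to vpncmd in server-administration mode via /IN:.
    param(
        [Parameter(Mandatory)] [string]$Commands,
        [Parameter(Mandatory)] [string]$Password,
        [string]$Target = 'localhost'
    )
    $batch = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $batch -Value $Commands -Encoding ASCII
        & $VpnCmd $Target /SERVER /PASSWORD:$Password /IN:$batch
        if ($LASTEXITCODE -ne 0) {
            throw "vpncmd returned exit code $LASTEXITCODE against $Target"
        }
    } finally {
        Remove-Item $batch -ErrorAction SilentlyContinue   # the batch file holds passwords
    }
}

# Run the first call on the site-1 server and the second on the site-2 bridge
# (on the bridge, point $VpnCmd at the VPN Bridge install directory instead).
Invoke-VpnCmdBatch -Commands $serverCmds -Password $AdminPass
# Invoke-VpnCmdBatch -Commands $bridgeCmds -Password $AdminPass
```

Two caveats. A virtual Layer 3 switch cannot have interfaces added while it is running, so if L3SW already exists, issue RouterStop L3SW first (and RouterDelete for the second switch from the original layout). The switch routes entirely inside SoftEther, which is why nothing about it ever appears in the Windows routing table of the server; the hosts on each LAN still need their own route to the switch's interface, as the later replies explain. Because the cascade is an outbound connection from the bridge, only the server site needs a port forward for 443.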

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 6:00 am

Well, that did it. I didn't realize I was supposed to have both connections in the same VL3 switch. I can now communicate across the 2 machines that have the software installed, but I cannot communicate with any others. Let's say I have my primary as PS1. My Bridge machine is BS1. On the same LAN as the Bridge machine, I have BS2. How do I communicate to BS2 from PS1?

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Wed Jun 17, 2015 6:28 am

All hosts need to know the route to the layer 3 switch or configure this route at the default gateway(i.e. your router).

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Wed Jun 17, 2015 6:30 am

If you configure it at the router, doing a traceroute will see the first hop should be your original router, the second hop should be the layer 3 switch and the third hop should be the destination.

kh_tsang
Posts: 551
Joined: Wed Jul 24, 2013 12:09 pm

Re: L3 S2S VPN

Post by kh_tsang » Wed Jun 17, 2015 6:32 am

You may configure it in the DHCP server also to announce the route to the DHCP clients.
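The per-host variant of the advice in the three replies above (route on each Windows host rather than on the router or via DHCP), with the traceroute check kh_tsang describes, as an added example that is not part of the thread. The subnets and L3 switch addresses are the ones from the thread; the probe host 192.168.2.10 is an assumption. Run it elevated on a host at site 1, and again with -Site site2 on a host at site 2, since both directions need a route.

```powershell
# Added example (not from the thread): give a Windows host a persistent route
# to the far subnet via the virtual L3 switch interface on its own segment,
# then trace to a far-side host and report at which hop the switch appears.
# Addresses come from the thread; the probe host is an assumption.
param(
    [ValidateSet('site1', 'site2')] [string]$Site = 'site1',
    [string]$ProbeHost = '192.168.2.10'   # assumed host on the far side
)

$sites = @{
    site1 = @{ Remote = '192.168.2.0'; L3If = '192.168.1.254' }
    site2 = @{ Remote = '192.168.1.0'; L3If = '192.168.2.254' }
}
$cfg  = $sites[$Site]
$mask = '255.255.255.0'

function Add-SiteRoute {
    # Same effect as "route -p add": survives reboot. Replaces a stale entry
    # for the prefix that points somewhere other than the L3 switch.
    param([string]$Network, [string]$Mask, [string]$NextHop)
    $prefix   = "$Network/24"
    $existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
    if ($existing -and ($existing.NextHop -notcontains $NextHop)) {
        Write-Warning "Route to $prefix currently points at $($existing.NextHop -join ','); replacing"
        & route.exe delete $Network mask $Mask | Out-Null
        $existing = $null
    }
    if (-not $existing) {
        & route.exe -p add $Network mask $Mask $NextHop | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "route add for $prefix failed (run elevated?)" }
    }
    Get-NetRoute -DestinationPrefix $prefix | Select-Object DestinationPrefix, NextHop, InterfaceAlias
}

function Test-SiteRoute {
    # Expected hop positions for the L3 switch interface:
    #   route on this host:    hop 1 = L3 switch, hop 2 = destination
    #   route on site router:  hop 1 = router, hop 2 = L3 switch, hop 3 = destination
    # Hops that time out show up as 0.0.0.0 in the TraceRoute list.
    param([string]$Target, [string]$L3Interface)
    $r    = Test-NetConnection -ComputerName $Target -TraceRoute -WarningAction SilentlyContinue
    $hops = @($r.TraceRoute)
    $pos  = [array]::IndexOf($hops, $L3Interface)
    [pscustomobject]@{
        Target        = $Target
        PingSucceeded = $r.PingSucceeded
        L3SwitchAtHop = if ($pos -ge 0) { $pos + 1 } else { 'not seen' }
        Path          = ($hops -join ' -> ')
    }
}

Add-SiteRoute -Network $cfg.Remote -Mask $mask -NextHop $cfg.L3If
Test-SiteRoute -Target $ProbeHost -L3Interface $cfg.L3If | Format-List
```

If the switch shows up at the expected hop but the destination never answers, the usual suspects are a missing reverse route on the far-side host (or its router) and the far-side host firewall: the default Windows inbound "Echo Request" rule in the Private profile is scoped to the local subnet, so a machine that answers pings from its own LAN can silently drop them from the other site even though the VPN path is correct.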

syfer2003
Posts: 8
Joined: Mon Jun 15, 2015 4:46 am

Re: L3 S2S VPN

Post by syfer2003 » Wed Jun 17, 2015 4:33 pm

Perfect. This works. Your help is much appreciated! I am very happy to have this up and running.

wnwanda
Posts: 5
Joined: Tue Mar 29, 2016 7:34 am

Re: L3 S2S VPN

Post by wnwanda » Wed Mar 30, 2016 6:43 am

I want to connect 2 sites so that I can ping and use any IP-enabled device on one site from the other site. I followed the instructions for bridging 2 LAN segments with different IP ranges, sections 10.5 Local bridging and cascade connection and 10.6 IP Routing (L3 Switch) of the manual. I'm using version 4.19 Build 9605.

Headquarter Network

The VPN Server is installed on a Windows Server 2012 R2 physical machine with 1 NIC used exclusively for bridging the Virtual Hub to the LAN and the other for normal traffic on the network 172.16.10.0/24. I have a router doing NAT and DHCP.

Branch Network

The VPN Bridge is installed on a Windows 10 physical machine with 1 NIC used exclusively for bridging the Virtual Hub to the LAN and the other for normal traffic on the network 192.168.26.0/24. I also have a router doing NAT and DHCP.

I created a second Virtual Hub on the VPN Server and connected to the first Virtual Hub via a L3 Switch. I then created a cascade connection from the Branch’s VPN Bridge to the second Virtual Hub on the VPN Server. In order for it to connect I created a port forwarding rule on the headquarter’s router. On the L3 Switch I created 2 Virtual Interfaces: 172.16.10.254 for the first Virtual Hub (bridged to network 172.16.10.0/24) and 192.168.26.254 for the second Virtual Hub (bridged to network 192.168.26.0/24 through a cascade connection).

Static route on headquarter’s router

Destination: 192.168.26.0
Mask: 255.255.255.0
Gateway: 172.16.10.254
Metric: Empty
Interface: LAN

Static route on branch's router

Destination: 172.16.10.0
Mask: 255.255.255.0
Gateway: 192.168.26.254
Metric: Empty
Interface: LAN

After following all the instructions in the manual, to the letter, and trying all the suggestions in this thread, I can only ping, trace the route to, and open web pages of web servers, namely embedded web servers on network printers, access points and the router. If I trace the route to a server or desktop I get request timed out after the second hop, but if I trace to any device that is running a web server it finds it on the third hop. This happens in both directions. It's relevant to mention that I've disabled network firewalls and host firewalls on both networks just to see if it would make a difference, but nothing changed.

I’m fighting with this for a week and a half now, any help that could point me in the right direction, would be much appreciated.
