2 IPsec VPNs between 2 Sites

Discussion in 'Networking (Hardware & Software)' started by acidrop, 2008/06/21.

  1. 2008/06/21
    acidrop (Thread Starter)
    Hello

    I have the following scenario:

    2 sites, A and B
    Each side has 2 ADSL lines with static IPs
    4 Draytek Vigor 2700G routers (2 on each side)

    I want to utilize 2 different site-to-site IPsec VPN tunnels.

    Site A:
    ---------

    Vigor #1 config:
    -------------------
    ip address 192.168.1.1/24
    lan subnet 192.168.1.0/24

    Vigor #2 config:
    -------------------
    ip address 192.168.2.1/24
    lan subnet 192.168.2.0/24
    --------------------------------------------------------------------------

    Site B:
    --------
    Vigor #3 config:
    ---------------------
    ip address 192.168.3.1/24
    lan subnet 192.168.3.0/24


    Vigor #4 config:
    --------------------
    ip address 192.168.4.1/24
    lan subnet 192.168.4.0/24

    -----------------------------------------------------------------------------------------
    I have successfully established VPNs between Vigor1 <-> Vigor3
    and Vigor2 <-> Vigor4

    I can ping from the router on each site successfully.

    -------------------------------------------------------------------------------------------


    On site A there's a win2k3 server with Terminal Services enabled.
    I have configured its network card with the following ip addresses:

    192.168.1.5/24
    192.168.2.5/24
    default gateway: none

    2 static route mappings:
    route add 192.168.3.0/24 gateway 192.168.1.1
    route add 192.168.4.0/24 gateway 192.168.2.1

    ---------------------------------------------------------------------------------------------

    On Site B there is another Win2k3 Server with the following config on its network card:
    IP addresses:

    192.168.3.5/24
    192.168.4.5/24
    default gateway: none

    2 static route mappings:

    route add 192.168.1.0/24 gateway 192.168.3.1
    route add 192.168.2.0/24 gateway 192.168.4.1

    ---------------------------------------------------------------------------------------------------

    When I try to ping the server on Site B at IP address 192.168.3.5 from the server on Site A, I get a reply.
    When I try to ping the server on Site B at IP address 192.168.4.5 from the server on Site A, I also get a reply.


    The problem is that after some seconds the server on Site A stops getting ping replies from the server on Site B at IP address 192.168.4.5.
    The same happens when the server on Site B tries to ping the server on Site A at IP address 192.168.2.5.

    --------------------------------------------------------------------------------------------------------------------

    First of all, is it possible to have 2 different VPNs between 2 sites with 2 servers, with 1 NIC on each server configured with 2 different subnets? Is there a routing issue? Do I need 2 NICs on each server to achieve this?

    Thanks for any answers, and sorry for any misunderstanding...
  2. 2008/06/23
    ReggieB (Alumni)
    Basic IP systems expect there to be only one active route to any one destination at one instant.

    Router routing protocols can allow routers to dynamically find a better route, but when they do so they effectively shut down the previous one and move over to the new one - they don't use both. This system prevents loops forming - a very real danger on a network (as opposed to point-to-point or hub-and-spoke systems).

    However, in IP space you should be able to send packets to different subnets via different routes. So I think in theory you should be able to do what you are trying.

    Therefore, I think there may be one of two things going on:
    • One of your tunnels isn't working properly. Have you tried using the second connection (the problematic one) to connect to other locations on the remote network? It could just be that one tunnel isn't stable.
    • Windows is detecting the two IP addresses are pointing at the same remote system and is throwing its dummy out of the pram, by shutting one of them down (probably the one lowest on the server's routing list).

    I think you are going to keep on hitting this sort of problem unless you install a system that is specifically designed to allow you to do this sort of thing.

    I take it you are trying to increase your upload bandwidth so as to squeeze more out of your ADSL links. (It's ADSL upload speed that limits inter-site VPN performance.) If so, you need to look for some dedicated kit to aggregate your connections. Have you looked at SharedBand? That might do what you want without all the headache.

  3. 2008/06/23
    acidrop (Thread Starter)
    Hello, and thanks for your answer!

    The answer to your first question is "yes". I'm trying to load balance bandwidth on the server by using 1 tunnel just for remote desktop connections (10 clients) and the 2nd one for some "file synching".

    I have checked the 2nd tunnel (the problematic one) and it works correctly.
    I think the problem is the 2nd reason: that the system drops the packets as they are going to the same destination (different IP address) with the same MAC address, probably, who knows.

    For now I have found a solution by running an RRAS server on Site A as the VPN server and a PPTP VPN client from Site B. With this solution I don't have any problem, except that the tunnel goes down from time to time and I have to manually redial.

    I'm thinking of using OpenVPN to achieve the site-to-site VPN. Do you think it will work?
  4. 2008/06/24
    ReggieB (Alumni)
    Draytek hardware VPN is a good solution. I think if you are on a tight budget, it has a lot of merit. So I'm not sure that going to a totally software VPN is going to give you anything - unless OpenVPN has a specific feature set to enable connections to be grouped.

    If it was me I'd do this:

    Move both networks to the 10.0.0.0 space as you'll have more IP space to play in.

    I'd put the first network (where the main server is) on 10.1.0.0/255.255.0.0, with one of the Draytek routers as the default gateway.

    I'd put the servers in the second network in 10.2.1.0 and all PCs in the second network in 10.2.2.0. Set each computer's mask on this network as 255.255.0.0. That will allow all the PCs and servers on this network to talk to each other.

    I'd set the default gateway for the servers (10.2.1.0) as the first draytek router (shall we call it 'S2R1' - Site 2, Router 1), and the default gateway for the PCs as router S2R2.

    Then set up the routers.
    S1R1 (site one default gateway).
    Internal address 10.1.0.1/255.255.0.0
    VPN to 10.2.1.0/255.255.255.0 via external address of S2R1
    Static route to 10.2.2.0/255.255.255.0 via gateway 10.1.0.2 (S1R2)

    S1R2
    Internal address 10.1.0.2/255.255.0.0
    VPN to 10.2.2.0/255.255.0.0 via external address of S2R2
    Static route to 10.2.1.0/255.255.255.0 via gateway 10.1.0.1 (S1R1)

    S2R1
    Internal address 10.2.1.1/255.255.255.0 (Class C subnet mask)
    VPN to 10.1.0.0/255.255.0.0 via external address of S1R1

    S2R2
    Internal address 10.2.2.1/255.255.255.0 (Class C subnet mask)
    VPN to 10.1.0.0/255.255.0.0 via external address of S1R2

    I believe this set up will result in the following:
    • All site two PCs will use S2R2 as their internet gateway and VPN connection to site one
    • All site two servers will use S2R1 as their internet gateway and VPN connection to site one
    • All site one systems will use S1R1 as their internet gateway and VPN connection to the servers at site 2
    • All site one systems will use S1R2 as their gateway (via VPN) to site 2 PCs.
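The routing question in the first post and the layout proposed above can be checked against a small model. The Python below is an added example, not part of the thread or of any Draytek tooling: each host and router is a node with connected and static routes plus IPsec traffic selectors, `lookup` does longest-prefix matching, `source_for` picks the source address, and `Topology.trace` follows a packet until some router's selector matches it. Assumptions made here that the thread does not state: Windows 2003 sends from the egress interface's primary (first-bound) address even when a secondary address is on the gateway's subnet (`match_subnet=False`; `match_subnet=True` models a stack that prefers the address on the next hop's subnet); a Draytek checks its IPsec selectors before consulting its routing table; S1R2's selector for 10.2.2.0 is read as a /24 like the other site-2 selectors; the host addresses other than 192.168.x.5, and the `original_design` and `proposed_design` builders, are constructed for illustration. An outcome of `no-route` means the packet left the model without matching any selector; on the real router it would follow the default route unencrypted. The model says nothing about why the first layout worked for a few seconds before failing.

```python
"""Model of the routing in this thread: longest-prefix route lookup, source-address
selection on a multi-homed NIC, and IPsec traffic-selector matching at each router.
Added example; hosts other than the thread's own are constructed for illustration."""
from collections import namedtuple
from ipaddress import ip_address, ip_interface, ip_network

Route = namedtuple("Route", "prefix gateway iface")   # gateway None: directly connected
Tunnel = namedtuple("Tunnel", "local remote")          # phase-2 traffic selectors of one SA

class Node:
    def __init__(self, name, addrs, routes=(), tunnels=()):
        self.name, self.routes, self.tunnels = name, list(routes), list(tunnels)
        self.addrs = addrs  # iface -> [IPv4Interface]; first entry is the primary address

    def all_routes(self):
        connected = [Route(a.network, None, i) for i, al in self.addrs.items() for a in al]
        return connected + self.routes

def lookup(node, dst):
    """Longest-prefix match over connected and static routes; None if nothing covers dst."""
    hits = [r for r in node.all_routes() if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def source_for(node, route, dst, match_subnet):
    """Source address for a packet leaving via route. match_subnet=False models the
    assumption that Windows 2003 always uses the egress interface's primary address;
    True models a stack that prefers an address on the next hop's own subnet."""
    cands = node.addrs[route.iface]
    target = route.gateway if route.gateway is not None else dst
    if match_subnet:
        for a in cands:
            if target in a.network:
                return a.ip
    return cands[0].ip

def tunnel_for(node, src, dst):
    return next((t for t in node.tunnels if src in t.local and dst in t.remote), None)

class Topology:
    def __init__(self, nodes, match_subnet=False):
        self.nodes = {n.name: n for n in nodes}
        self.match_subnet = match_subnet

    def owner(self, ip):
        return next((n for n in self.nodes.values()
                     if any(a.ip == ip for al in n.addrs.values() for a in al)), None)

    def trace(self, host, dst, max_hops=8):
        """Follow one packet until some router's selector matches it. Returns (source,
        [nodes visited], outcome): 'ipsec:<router>', 'on-link', 'no-route' or 'loop'."""
        node, dst = self.nodes[host], ip_address(dst)
        route = lookup(node, dst)
        if route is None:
            return None, [host], "no-route"
        src, path = source_for(node, route, dst, self.match_subnet), [host]
        for _ in range(max_hops):
            if tunnel_for(node, src, dst) is not None:
                return src, path, "ipsec:" + node.name
            route = lookup(node, dst)
            if route is None:
                return src, path, "no-route"
            if route.gateway is None:
                return src, path, "on-link"   # delivered locally, in clear
            node = self.owner(route.gateway)
            if node is None:
                return src, path, "no-route"
            path.append(node.name)
        return src, path, "loop"

I, N, A = ip_interface, ip_network, ip_address

def original_design(match_subnet=False):
    """The poster's layout: one NIC with two addresses and a static route per remote subnet."""
    return Topology([
        Node("ServerA", {"nic": [I("192.168.1.5/24"), I("192.168.2.5/24")]},
             routes=[Route(N("192.168.3.0/24"), A("192.168.1.1"), "nic"),
                     Route(N("192.168.4.0/24"), A("192.168.2.1"), "nic")]),
        Node("Vigor1", {"lan": [I("192.168.1.1/24")]}, tunnels=[Tunnel(N("192.168.1.0/24"), N("192.168.3.0/24"))]),
        Node("Vigor2", {"lan": [I("192.168.2.1/24")]}, tunnels=[Tunnel(N("192.168.2.0/24"), N("192.168.4.0/24"))]),
    ], match_subnet)

def proposed_design():
    """ReggieB's layout; both site-2 tunnel selectors modelled as /24, host addresses constructed."""
    default = lambda gw: [Route(N("0.0.0.0/0"), A(gw), "nic")]
    return Topology([
        Node("Site1PC", {"nic": [I("10.1.0.50/16")]}, routes=default("10.1.0.1")),
        Node("S1R1", {"lan": [I("10.1.0.1/16")]}, routes=[Route(N("10.2.2.0/24"), A("10.1.0.2"), "lan")],
             tunnels=[Tunnel(N("10.1.0.0/16"), N("10.2.1.0/24"))]),
        Node("S1R2", {"lan": [I("10.1.0.2/16")]}, routes=[Route(N("10.2.1.0/24"), A("10.1.0.1"), "lan")],
             tunnels=[Tunnel(N("10.1.0.0/16"), N("10.2.2.0/24"))]),
        Node("S2R1", {"lan": [I("10.2.1.1/24")]}, tunnels=[Tunnel(N("10.2.1.0/24"), N("10.1.0.0/16"))]),
        Node("S2R2", {"lan": [I("10.2.2.1/24")]}, tunnels=[Tunnel(N("10.2.2.0/24"), N("10.1.0.0/16"))]),
        Node("Site2Server", {"nic": [I("10.2.1.10/16")]}, routes=default("10.2.1.1")),
        Node("Site2PC", {"nic": [I("10.2.2.20/16")]}, routes=default("10.2.2.1")),
    ])
```

Calling `original_design().trace("ServerA", "192.168.4.5")` shows the packet reaching Vigor2 sourced from 192.168.1.5, outside the 192.168.2.0/24 selector, so it matches no tunnel; with `original_design(match_subnet=True)` the same flow is sourced from 192.168.2.5 and is encrypted by Vigor2, which is what the two-address layout silently relies on. In `proposed_design()` every host has one address and one default gateway, so each flow reaches a matching selector: Site1PC to 10.2.2.7 goes to S1R1, follows the static route to S1R2 and is encrypted there, while Site1PC to 10.2.1.10 is encrypted directly at S1R1.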
  5. 2008/06/25
    acidrop (Thread Starter)
    Thank you very much for your answer!


    I'll give it a try...