Branch to Branch VPN through HQ router?

Question

I've just upgraded our router and am working my way through setting it up as the old one was. The new router is a Draytek Vigor 3900.

We have a number of sites with IPSec tunnels dialling in to our main Draytek 3900. This article describes our setup almost exactly with the exception of the subnet addresses.

The main branch/HQ is 192.168.1.0/24 and the branches are 192.168.2-6.0/24. All branches can communicate with the main branch/HQ and the main branch/HQ can communicate with all branches.

For some reason the branches can ping each other but they can't visit the router GUI or any other service running on the branches' local subnet.

For the following examples I'm trying to communicate between branch 2 (192.168.2.0/24) and branch 3 (192.168.3.0/24). At all locations 'X.99' is the router/gateway.

Ping from Main Branch/HQ to Branch 2

PING 192.168.2.99 (192.168.2.99) from 192.168.1.99: 56 data bytes
64 bytes from 192.168.2.99: icmp_seq=0 ttl=255 time=42.9 ms
64 bytes from 192.168.2.99: icmp_seq=1 ttl=255 time=43.3 ms
64 bytes from 192.168.2.99: icmp_seq=2 ttl=255 time=57.2 ms
64 bytes from 192.168.2.99: icmp_seq=3 ttl=255 time=43.6 ms
64 bytes from 192.168.2.99: icmp_seq=4 ttl=255 time=42.6 ms

--- 192.168.2.99 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 42.6/45.9/57.2 ms
Send ICMP ECHO_REQUEST packets done.

Ping from Branch 2 to Branch 3

Pinging 192.168.3.99 with 64 bytes of Data through WAN8:
Receive reply from 192.168.3.99, time=90ms
Receive reply from 192.168.3.99, time=80ms
Receive reply from 192.168.3.99, time=90ms
Receive reply from 192.168.3.99, time=80ms
Receive reply from 192.168.3.99, time=80ms
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss)

Ping from Branch 3 to Branch 2

Pinging 192.168.2.99 with 64 bytes of Data through WAN8:
Receive reply from 192.168.2.99, time=80ms
Receive reply from 192.168.2.99, time=190ms
Receive reply from 192.168.2.99, time=80ms
Receive reply from 192.168.2.99, time=80ms
Receive reply from 192.168.2.99, time=80ms
Packets: Sent = 5, Received = 5, Lost = 0 (0% loss)

When running all of the above tests all firewalls were disabled. All VPN's are IPSec AES No Authentication. RIP Direction is set to disabled on Branch 2,3,4,5 & 6.

Is there something I'm missing that would be preventing anything other than ping tests from working between branches?

Answer 1

If you are unable to access any services at all besides the remote router, the router is not configured to forward traffic from the VPN link to the local subnet or from the local subnet over the VPN link or both. Check your routing tables on each router and ensure that they have a correct route (over the appropriate VPN link, not out to the default gateway) for each remote subnet. By default each router will have a /32 route for its peers (the other routers), but perhaps not a /24 route for their subnet. Also verify that you don't have any firewall rules in the way.