Please help. site to site VPN L3 not working

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: Please help. site to site VPN L3 not working

Post by claudelu » Tue Aug 30, 2016 12:54 am

Hi! Can you please help me as well? I find myself in the same situation.
I have 2 Sites with 2 different Subnets: 192.168.2.x and 192.101.103.x. I am trying to build a L3 site-to-site VPN Connection.
Steps I've done so far:
0. At the HQ Firewall, I have Forwarded the Port 443 to the SE VPN Server (192.168.2.16)

1. I have installed SE VPN Server on a Win Srv 2012 R2 (192.168.2.16) and created 2 Virtual Hubs:
1.1. "VPN Kirch" with the following:
a. I have created an "admin" user which is part of the "Administrator" Group with no Security Policies;
b. From "Local Bridge", I have created and connected this Hub to the physical Network Card (192.168.2.16);
c. I have started this Hub and I can see the Ip and Mac Tables of this LAN (192.168.2.x).

1.2 "Lange" with the following:
a. I have created an "admin" user which is part of the "Administrator" Group with no Security Policies;
b. I have started this Hub

2. I have installed SE VPN Bridge on a Win Srv 2008 R2 (192.101.103.240) and Created 1 Virtual Hub:
2.1. BRIDGE with the following:
a. From "Local Bridge", I have created and connected this Hub to the physical Network Card (192.101.103.240);
b. I have started this Hub and I can see the Ip and Mac Tables of this LAN (192.101.103.x);
c. I have created a Cascade Connection (with 8 TCP Connections, Half-Duplex and SSL Encryption), which connects to the "Lange" Hub from the VPN Server;

3. On the VPN Server, I have created a vSwitch with the Settings from the Screenshot.
I can see the IP and MAC Tables as follows:
a. On the VPN Bridge Hub all the 192.101.103.x
b. On the VPN Server "Lange" Hub all the 192.101.103.x
c. On the VPN Server "VPN Kirch" all the 192.168.2.x

I can successfully ping from all IPs of the Subnet 192.101.103.x the Virtual Interface (192.101.103.50)
I can successfully ping from all IPs of the Subnet 192.168.2.x the Virtual Interface (192.168.2.40)

Here I am stuck! I cannot Ping between the LANs or access Resources or PCs.

Can someone please guide me too?

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: Please help. site to site VPN L3 not working

Post by claudelu » Sat Sep 03, 2016 2:29 pm

Hi guys!
I went a step further: on the VPN Server, on Local Bridge, I have assigned the Network Adapter (I have only ONE active) of the VPN Server to both Virtual Hubs (VPN Kirch and Lange).

Now I can see the full IP and MAC Tables of both Subnets on all virtual Hubs (Bridge and Server), but still I cannot Ping the PCs from one Subnet to another or to connect to network Resources.

Can someone help me?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: Please help. site to site VPN L3 not working

Post by mlsjwr » Tue Sep 20, 2016 8:53 pm

Just an idea

Are You the administrator of the 192.101.103.x network?
What if You are not permitted to add hosts on that network?

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Please help. site to site VPN L3 not working

Post by raafat » Tue Sep 20, 2016 10:07 pm

claudelu wrote:
> Hi guys!
> I went a step further: on the VPN Server, on Local Bridge, I have assigned
> the Network Adapter (I have only ONE active) of the VPN Server to both
> Virtual Hubs (VPN Kirch and Lange).
>
> Now I can see the full IP and MAC Tables of both Subnets on all virtual
> Hubs (Bridge and Server), but still I cannot Ping the PCs from one Subnet
> to another or to connect to network Resources.
>
> Can someone help me?

Did you set up "routing instructions" on both sides' routers? It seems like you didn't do it (:.


Good luck (:.

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Please help. site to site VPN L3 not working

Post by raafat » Tue Sep 20, 2016 10:11 pm

Murtuza wrote:
> Guys,
>
> Please, I am stuck at a point where I cannot go further. I have one side VPN
> server and another side VPN bridge. The VPN connects. Now the next step for
> me is to reach LAN on both sides. For that I created virtual interfaces and
> followed all the steps mentioned in the documentation. But for some reason
> I can ping local virtual interface but not destination virtual interface.
> Please can someone guide me where I am making a mistake.

Did you set up "routing instructions" on both sides' routers?

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: Please help. site to site VPN L3 not working

Post by claudelu » Wed Sep 21, 2016 9:23 pm

Hi guys!

First of all I want to thank you for making time for my problem.
Next I will try to offer accurate information.

@mlsjwr:
I am the Administrator of both Networks but NOT the Administrator of the Main Routers of the network (the Gateways).
The role of Gateway administration is externalised and every modification which I want to make to the Gateway
takes time and is expensive.

@raafat:
No, I did not set "routing instructions" on the Routers (Gateways). I only added these routings on the L3 vSwitch.
One of the reasons I chose the SE Software is that the documentation states that it is possible to connect different Networks that find themselves behind a Firewall by PortForwarding Ports in the Routers (Gateways).
Or did I misread something?

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Please help. site to site VPN L3 not working

Post by raafat » Thu Sep 22, 2016 4:19 pm

That is right, one of the advantages of SE technology is that you can use it behind NAT technology. However, "Routing Instructions" is a concept that is not related to that matter. If you want your packet to traverse another network and you want to get it back, then you have to use "Routing Instructions". If you can't handle that, then you have two options (these two items are suggested with a few assumptions):

1- L2 VPN topology
2- SecureNat technology

But remember, both of the aforementioned have drawbacks. It's up to you (:.
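
The "routing instructions" point from the reply above, modelled as an added example that is not part of the original posts: a longest-prefix-match lookup showing where a LAN host hands a packet for the other subnet, with and without a static route to the virtual L3 switch interface. The /24 masks and the two default-gateway addresses are assumptions not given in the thread; the virtual interface and server addresses are the ones quoted in the thread.

```python
import ipaddress

# Virtual L3 switch interfaces, as quoted in the thread.
L3_IF_HQ = "192.168.2.40"
L3_IF_BRANCH = "192.101.103.50"
# Assumptions (not in the thread): /24 masks and hypothetical gateway IPs.
HQ_NET, BRANCH_NET = "192.168.2.0/24", "192.101.103.0/24"
HQ_GW, BRANCH_GW = "192.168.2.1", "192.101.103.1"
# The two servers named in the thread, used here as sample LAN hosts.
HQ_HOST, BRANCH_HOST = "192.168.2.16", "192.101.103.240"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def host_table(own_net, default_gw, static=()):
    """Routing table of a LAN host: connected net, default route, extras."""
    return [(own_net, "on-link"), ("0.0.0.0/0", default_gw), *static]


def crosses_vpn(hq_table, branch_table):
    """A ping works only if request AND reply are handed to the L3 switch."""
    fwd = next_hop(hq_table, BRANCH_HOST)
    back = next_hop(branch_table, HQ_HOST)
    return (fwd == L3_IF_HQ and back == L3_IF_BRANCH), fwd, back


def scenarios():
    to_branch = [(BRANCH_NET, L3_IF_HQ)]   # route added at the HQ site
    to_hq = [(HQ_NET, L3_IF_BRANCH)]       # route added at the remote site
    hq_plain = host_table(HQ_NET, HQ_GW)
    br_plain = host_table(BRANCH_NET, BRANCH_GW)
    return {
        "no routes": crosses_vpn(hq_plain, br_plain),
        "HQ side only": crosses_vpn(host_table(HQ_NET, HQ_GW, to_branch), br_plain),
        "both sides": crosses_vpn(host_table(HQ_NET, HQ_GW, to_branch),
                                  host_table(BRANCH_NET, BRANCH_GW, to_hq)),
    }


if __name__ == "__main__":
    for name, (ok, fwd, back) in scenarios().items():
        print(f"{name:13} ok={ok} request->{fwd} reply->{back}")
```

The routes are modelled on the hosts here; placing the equivalent entries on each site's router has the same effect on the lookup. With a route on one side only, the request arrives but the reply still goes to that site's default gateway.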

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: Please help. site to site VPN L3 not working

Post by claudelu » Thu Sep 22, 2016 7:01 pm

Hi raafat!

Thank you for explaining what L3 Topology involves. This is how I received these Networks and I can't change this.
However, I am willing to assume the drawbacks of the other 2 Options then.

Although, as far as I have understood from the documentation, for a L2 VPN topology, I should have the same IP classes on both Networks. If this is so, then this option is also not possible in my Networks topology.

So, the only option remaining is SecureNAT.

Am I right?

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Please help. site to site VPN L3 not working

Post by raafat » Thu Sep 22, 2016 7:48 pm

I've stated above that you have to use the same IP network on both sites if you're going to use a L2 VPN topology. Before I answer your question, let me ask you a question: What kind of communication do you desire? Many-to-many, one-to-many, one-to-one topology?

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: Please help. site to site VPN L3 not working

Post by claudelu » Fri Sep 23, 2016 7:11 am

Hi raafat,

At first I wanted a many-to-many topology.
Now, after understanding what that involves and given my limitations, I would like one-to-many. I hope I stated correctly what I want: the HQ to communicate with the second site and with the Extern Clients.

raafat
Posts: 223
Joined: Fri Jul 03, 2015 2:21 pm

Re: Please help. site to site VPN L3 not working

Post by raafat » Fri Sep 23, 2016 11:34 am

So you want HQ (one machine) to communicate with all hosts of a remote site, right? Kindly, I suggest creating a new topic so that we don't get confused between the author's post of this topic and yours.


Good luck (:.
