How to access two secure-NAT sites from central SE-vpn server via remote users

alex1
Posts: 3
Joined: Sun May 18, 2025 3:07 pm


Post by alex1 » Mon May 19, 2025 6:10 am

Hello everyone,
In short, I want to provide my remote users access to two sites (Site1 & Site2) which are both behind NAT, firewall, etc. that are out of my control.

I have successfully provided remote access for my users to ONE site by secure NAT.
The configuration is as follows:

1) HQ runs the SE vpn server
2) Site1 runs BRIDGE with secure NAT & DHCP enabled (with a cascade connection to HQ)
2-1) Site1 is behind NAT, firewall, etc. which I do not control
- The users connect to HQ -> then receive their IP from the bridge at site 1 -> a static route is inserted via secure NAT for clients, thus allowing them to access the computers at Site1
- So far so good.

HQ config (SE-VPN):
------------------
 HUB = MyVPNCenter
 SECURENAT : Disabled

Site1 config (SE-BRIDGE):
------------------------
 SECURENAT : Enabled
 NAT virtual interface IP : 192.168.30.1/24
 DHCP range : 192.168.30.10/24 TO 200
 default gateway : none
 static route table to push = 192.168.1.0/255.255.255.0/192.168.30.1

*** Now I want to connect Site2 to HQ and allow the remote users to access it as well

3) I have installed the SE-BRIDGE at site 2 with similar configurations
3-1) I have enabled the secure NAT at Site2 as well, connected to HQ via a cascade connection (Site2 is also behind NAT, firewall, etc. that are out of my control)
3-2) I have disabled the DHCP (to avoid collision with DHCP of Site1)
3-3) I have added the route of Site2 in NAT@Bridge-Site1

Site2 config (SE-BRIDGE):
-------------------------
 SECURENAT : Enabled
 NAT virtual interface IP : 192.168.30.2/24
 DHCP : Disabled
 default gateway : none
 static route table to push = empty

 static route table to push (@Bridge of Site1, updated) = 192.168.1.0/255.255.255.0/192.168.30.1,
                                                          192.168.2.0/255.255.255.0/192.168.30.2


The cascade connection is established from both sites to HQ, yet users can NOT connect to computers at site 2

Question 1) My understanding is that when we establish cascade connections, all networks are connected to each other at layer 2. Is this right?
Question 2) If so, why can't my users reach the LAN at Site2?

I have also tried changing the NAT virtual IP address of Site2 to 192.168.40.1 with no success!
I have also tried adding another hub at HQ (say HUB2) and connecting BRIDGE@Site2 to it (via a cascade) and further using Layer 3 switching, with no success!

I believe this should be a common scenario and I am doing something wrong!
Any help is highly appreciated
Best Regards

solo
Posts: 1658
Joined: Sun Feb 14, 2021 10:31 am

Re: How to access two secure-NAT sites from central SE-vpn server via remote users

Post by solo » Mon May 19, 2025 8:39 am

Update site1's push with "192.168.1.0/255.255.255.0/192.168.30.1,192.168.2.0/255.255.255.0/192.168.30.2"

alex1
Posts: 3
Joined: Sun May 18, 2025 3:07 pm

Re: How to access two secure-NAT sites from central SE-vpn server via remote users

Post by alex1 » Mon May 19, 2025 10:54 am

Hi and thanks for the reply.

1) But I have done this and it does not work (it was mentioned in the original post, but unfortunately it was badly formatted).
2) Remote users connected to the hub MyVPNCenter@HQ can ping 192.168.30.1
3) BUT they can NOT ping 192.168.30.2 (although the cascade connection is up/established at Bridge of Site2)

Clearly there is a problem!?

solo
Posts: 1658
Joined: Sun Feb 14, 2021 10:31 am

Re: How to access two secure-NAT sites from central SE-vpn server via remote users

Post by solo » Mon May 19, 2025 11:43 am

From a remote client please post as code the output of:


netstat -r
ipconfig /all
ping 192.168.30.1
ping 192.168.30.2
arp -a
and from Site2:


vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd StatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd NatGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd CascadeStatusGet [name]
// replace: port with number; *** with SE admin password; @@@ with hub name
// don't post actual command lines, we don't need to see your password 
// using '/server' also for SE Bridge

alex1
Posts: 3
Joined: Sun May 18, 2025 3:07 pm

Re: How to access two secure-NAT sites from central SE-vpn server via remote users

Post by alex1 » Mon May 19, 2025 12:17 pm

Hi again,

I tried ONCE more with the purpose of collecting the logs you requested.
But this time, everything worked as expected!
Thanks for your input. If the problem re-occurs I will report back the logs you asked for.

Regards

solo
Posts: 1658
Joined: Sun Feb 14, 2021 10:31 am

Re: How to access two secure-NAT sites from central SE-vpn server via remote users

Post by solo » Tue May 20, 2025 2:00 am

I suggest the following packet flow optimization for future expansion.


                                CENTRAL
                                +-----+                    
                +--------+------| HUB |-----+---------+---------+
                |        |      +-----+     |         |         |
                |        |                  |         |         |
                |        |                  |         |         |
                |        |                  |         |         |
                |        |                  |         |         |
                |        |                  |         |         |
             +-----+  +-----+            +-----+   +-----+   +-----+
             | C1  |  | C2  |            | S1  |   | S2  |   | S3  |
             +-----+  +-----+            +-----+   +-----+   +-----+

CENTRAL SE VPN SERVER
SecureNAT on, vNAT off: 192.168.30.9, vDHCP on
push 192.168.1.0/255.255.255.0/192.168.30.1, 192.168.2.0/255.255.255.0/192.168.30.2, 192.168.3.0/255.255.255.0/192.168.30.3

S1 bridge/cascade
SecureNAT on, vNAT on: 192.168.30.1, vDHCP off

S2 bridge/cascade
SecureNAT on, vNAT on: 192.168.30.2, vDHCP off

S3 bridge/cascade
SecureNAT on, vNAT on: 192.168.30.3, vDHCP off

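The push strings in this thread are easy to get subtly wrong (a gateway that is not on-link for the clients, host bits set in a network, overlapping prefixes), and the site whose vDHCP serves them decides every remote client's routing table, which is why it is worth keeping that role on the central server as in the layout above. The following Python script is an added example, not code from the thread or from SoftEther itself: it parses the "net/mask/gw,net/mask/gw" format the posts use, checks each gateway against the vNAT subnet the clients get their addresses from, and encodes the result as DHCP option 121 (classless static routes, RFC 3442). That SoftEther delivers the pushed table as option 121 is this example's assumption; the sample push string and the 192.168.30.0/24 subnet are taken from the thread.

```python
"""Parse, sanity-check and encode a SoftEther-style 'static routing table to push'.

Added example for the thread above; it is not part of SoftEther. The option-121
encoding follows RFC 3442 and is assumed to be what the virtual DHCP server emits.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed sample input, copied from the topology suggested in the thread.
PUSH = ("192.168.1.0/255.255.255.0/192.168.30.1,"
        "192.168.2.0/255.255.255.0/192.168.30.2,"
        "192.168.3.0/255.255.255.0/192.168.30.3")
# Subnet the central vDHCP hands out to remote clients; each site's vNAT
# interface must live here so the pushed gateways are on-link.
VNAT_SUBNET = ipaddress.ip_network("192.168.30.0/24")


def parse_push(push: str) -> List[Route]:
    """Split 'net/mask/gw,...' into (network, gateway) pairs.

    strict=True makes ipaddress reject entries with host bits set
    (e.g. 192.168.1.5/255.255.255.0), which a DHCP client would also refuse.
    """
    routes: List[Route] = []
    for entry in filter(None, (e.strip() for e in push.split(","))):
        parts = entry.split("/")
        if len(parts) != 3:
            raise ValueError(f"bad route entry: {entry!r}")
        net_s, mask_s, gw_s = parts
        net = ipaddress.ip_network(f"{net_s}/{mask_s}", strict=True)
        gw = ipaddress.ip_address(gw_s)
        if not isinstance(net, ipaddress.IPv4Network) or not isinstance(gw, ipaddress.IPv4Address):
            raise ValueError(f"IPv4 only: {entry!r}")
        routes.append((net, gw))
    return routes


def check_routes(routes: List[Route], vnat_subnet: ipaddress.IPv4Network) -> List[str]:
    """Return human-readable problems; an empty list means the table is sane."""
    problems: List[str] = []
    for net, gw in routes:
        if gw not in vnat_subnet:
            problems.append(f"{net}: gateway {gw} is not on-link in {vnat_subnet}; "
                            f"clients cannot ARP for it")
        if net.overlaps(vnat_subnet):
            problems.append(f"{net} overlaps the virtual NAT subnet {vnat_subnet}")
    # Overlapping site prefixes would make the longest-match result depend on
    # ordering; flag them so the operator resolves it explicitly.
    for i, (a, _) in enumerate(routes):
        for b, _ in routes[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def encode_option121(routes: List[Route]) -> bytes:
    """Encode routes as DHCP option 121 (RFC 3442).

    Per route: 1 byte prefix length, the significant destination octets
    (ceil(prefixlen/8) of them), then the 4-byte router address.
    """
    body = b""
    for net, gw in routes:
        plen = net.prefixlen
        significant = (plen + 7) // 8
        body += bytes([plen]) + net.network_address.packed[:significant] + gw.packed
    if len(body) > 255:
        raise ValueError("option 121 payload exceeds 255 bytes; split the table")
    return bytes([121, len(body)]) + body


if __name__ == "__main__":
    table = parse_push(PUSH)
    for net, gw in table:
        print(f"{net!s:20} via {gw}")
    issues = check_routes(table, VNAT_SUBNET)
    print("problems:", issues or "none")
    print("option 121:", encode_option121(table).hex())
```

Run it as-is to see the three routes accepted and the option bytes printed; feed it the earlier variant with a vNAT address of 192.168.40.1 and `check_routes` reports that the gateway is not on-link for clients addressed out of 192.168.30.0/24.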
