VPN To 3 Sites

ghostman · February 17, 2015, 10:57pm

We have 3 sites

A The HQ Site 1
B The site 2
C the site 3

we have VPN connection from
A to B
A To c

because i have one real ip in location A HQ and the another is dynamic ip

and the routs work fine from
A to B
A to C

and when i try to route from B to C throe A i cant see any thing so what can i do

magchiel · February 18, 2015, 8:01am

you need to give us some more information on what you’re using for VPN. Is it just regular IPsec site-to-site?

Have you configured routing correctly on all ends? Not masqing IPs? If you’re doing IPsec in tunnel mode it won’t work. AFAIK if you want routing in your VPN setup you have to setup IPIP tunnels which then you can use for your routing and setup IPsec in transport mode. I have this running succesfully connecting four different sites. Another option is to go the MPLS way but I reckon that’s more complex than what you would need.

For a nice overview howto setup IPIP with IPsec see http://gregsowell.com/?p=1290.

ghostman · February 18, 2015, 11:13am

This is Site A HQ

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; Server-Lan
192.168.211.4/32 192.168.211.4 Lan
1 ;;;Server- Wan-Real
2.2.2.2/24 2.2.2.0 Wan
2 D 192.168.211.3/32 10.10.10.216 Site_C
3 D 192.168.211.3/32 10.10.10.100 Site_B

/ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - os
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWA

0 A S 0.0.0.0/0 2.2.2.1
1 ADC 10.10.10.100/32 192.168.211.3 Site_B
2 ADC 10.10.10.216/32 192.168.211.3 Site_C
3 ADC 2.2.2.0/24 2.2.2.2 Wan
4 A S ;;; Site_A
192.168.100.0/24 Site_B
5 ADC 192.168.211.4/32 192.168.211.4 Lan
6 A S ;;; Site_B
192.168.216.0/24 Site_C

/ppp active> print
Flags: R - radius

NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING

0 SiteB pptp x.x.x.x 10.10.10.100 1h11m33s MPPE128 stateless
1 SiteC pptp x.x.x.x 10.10.10.216 1h30m6s MPPE128 stateless

magchiel · February 18, 2015, 9:25pm

I don’t personally do PPTP (and wouldn’t recommend it as a secure way to connect sites) so perhaps someone else should chime in here as well.

As you indicate your there is communication between A and B as well as A and C. I don’t know what hardware or configuration you have in place at sites B and C but I can imagine that you haven’t defined routes at B that C is reachable though A. You need to do the same for site B at site C. A trace route should confirm hopping through the gateways.

ghostman · February 19, 2015, 9:00am

So when i try to trace from B to C I found the down in A Like

tracert B from C with

B Config
Local IP 192.168.100.4\24
WAN IP 192.168.1.100\24

route

0 A S 0.0.0.0/0 192.168.1.1
`1 A S ;;; Site_A
192.168.211.0/24 Site_A >>>>>> PPTP Connection To HQ (192.168.211.0/24 Site_A HQ LAN Range )
2 A S ;;; Site_C
192.168.216.0/24 Site_A >>>>>> PPTP Connection To HQ (192.168.216.0/24 Site_C LAN Range )

tracert

tracrert 192.168.216.4
0 192.168.211.3
1 0 0 0.0 Time Out
1 0 0 0.0 Time Out
1 0 0 0.0 Time Out

What i mean is when i trace from C to B or from B To C I reach A then be down
So any idea can i do in Site A to can see B---->A------->C and C----->A------>B
Thanks .

magchiel · February 20, 2015, 9:07am

well it can certainly find a route through site A then, it just can’t progress afterwards. No firewall rules blocking?
as to the 192.168.1.100/24 for your WAN address: I was under the impression this was 10.10.10.100/xx?

Can you give use a /ppp export verbose hide-sensitive?

xavierbt · February 20, 2015, 5:34pm

I have implemented an VPN from one HQ to 3 delegations. All dynamic ip. Very simple.
Follow this instructions: http://www.mikrotiktutorial.com/download/mum_in_thai_2014_site2site_vpn.pdf

xavierbt · February 21, 2015, 3:42pm

I forget to say the you can use the built-in cloud DNS.

ghostman · February 25, 2015, 11:27am

First Let Me Thank You MR @xavierbt
But what i do is pptp connction from site A as ppptp server and pptp connction from site C and B as pptp client connected to site A by real ip
Lock at PIC

Soooooooooooo What Can I Doooooooooooo ?

satman1w · February 25, 2015, 12:46pm

There is a complete cook book for your situation at:
http://wiki.mikrotik.com/wiki/PPTP_VPN_-_multiple_ADSL_remote_locations_to_Cental_Office

Notice the end of text and description of communication between remote locations.

regards

mstadnicki · April 2, 2017, 12:00pm

Hi,

I have the same problem.
Below is my network scheme. The idea is that all traffic from all client sites pass through the main VPN server (server A).
All communication between clients is working (green routing paths).
BUT!!! From some reason, I the client’s A and B communicate each other by VPN server B. All routes on clients are configures. Client A site see server B site and vice versa. As well as client B site see server B site and vice versa. BUT client B site can’t reach client A site.

It makes me crazy.

I tried with other RB1100AHx2 - no change.
I tried with proxy-arp on all interfaces - no change.
I tried with different VPN types except IPSEC - no change.

Traffic between clients A and B always stuck on 10.0.2.254 (Server B).
Routing issue.PNG

idlemind · April 3, 2017, 5:03am

Ugh, so many people having issues with traffic pathing with policy based VPNs. Go routed. Build GRE tunnels, wrap them in a cozy blanked of IPSec. Win the Internet.

kurio · January 17, 2024, 4:59pm

Hello,
If people ask, it means something.
You cannot “win” under CGNAT or behind provider-specific router. These are 2 of many other reasons why people are forced to build VPNs.