PepVPN - no devices on other side visible


#1

Trying to stumble my way through this but am having difficulties with the subnet connections: I cannot see devices on the other subnet from either one. From forum reading, I am guessing this is a static routes or NAT issue, but I have enough questions to post it. Networking is not my strong point, but I am comfortable with much of it given enough direction.

Layout:

Site 1: ISP static_ip1 – PepWaveSoho - LAN 192.168.0.0 /24 - does not need bonding capability but does need VPN

  • firmware 6.2.2

Site 2: ISP static_ip2 – Balance380 – FW - LAN --10.1.0.0/22

  • Balance 380 has firmware 6.1.2
  • this is the main site with ~300 devices, but only 2 or 3 need the PepVPN connection to site1
  • has DHCP and DNS on local server (with AD)
  • has 3 WAN connections, Drop-In mode on WAN2
  • FW firewall is Cisco5510

GOAL: I need to be able to share files from Site1 server to just 3 PCs on Site2.

I established a point-to-point PepVPN connection between them easily. It shows some minor traffic as per InControl2 and tests fine.

I can ping both Peplink devices and gateways from either side. I allowed firewall access to ports (TCP 32015, UDP 4500) from both sides. I set up a static route on site2 for the 10.1.0.0/22 subnet pointing to Gateway=static_ip2.

PROBLEM: I cannot see any device on the other side of the VPN from either end (not visible site1 to site2); no pings, no file shares, nada.

What else do I need to do? (perhaps enable DHCP on the pep device/s)? What did I do wrong? (perhaps no need for a static route on the Balance 380?)

I followed the guide http://www.peplink.com/knowledgebase/design-and-implement-peplink-speedfusion-site-to-site-vpn-with-drop-in-mode/ but in this case, the Wave SOHO does not have drop in mode (not that I think this makes much difference, but the guide was good for design).

Thanks for the help.


#2

Hello,

Static Route will be needed, telling 10.1.0.0/22 network to use FW WAN IP as GW.

You will also need to create 2 NAT Exempt Policies in your FW.

  1. Source 10.1.0.0 /22 Destination 192.168.0.0 /24
  2. Source 192.168.0.0 /24 Destination 10.1.0.0 /22

Normally local traffic going from 10.1.0.0 /22 network will get a NAT applied to it when going out the local WANs so with the 2 above NAT Exempt Policies, this will basically apply a no NAT rule for traffic going over the tunnel between the two networks.

Also, since the FW is on the inside of the Balance and the VPN is terminated on the outside of the FW, you will not need to open TCP 32015 and UDP 4500 on the Cisco.
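For readers landing here with the same layout, here is what the two NAT exempt policies from the reply above look like on an ASA; this is an added example, not configuration from the original poster or from Peplink. It assumes the ASA 8.3+ object/twice-NAT syntax, that the FW interface facing the Balance is named `outside` and the one facing the 10.1.0.0/22 LAN is named `inside`, and that the Balance's LAN-side IP (the FW's default gateway) is the placeholder `BALANCE_LAN_IP`; the object names are made up for this example. Note that the 192.168.0.0/24 side of the tunnel terminates on the Balance, so only the static route to the remote LAN and the identity (no-NAT) rule are needed on the FW, not the PepVPN ports.

```cisco
! --- Added example (not from the original thread); ASA 8.3 or newer syntax ---

! Object names are placeholders for this example.
object network SITE2_LAN
 subnet 10.1.0.0 255.255.252.0
object network SITE1_LAN
 subnet 192.168.0.0 255.255.255.0

! Identity ("no NAT") rule for traffic between the two LANs in both directions.
! "source static X X" keeps the real source address, "destination static Y Y"
! keeps the real destination, so nothing is translated for tunnel traffic.
! route-lookup makes the ASA pick the egress interface from the routing table
! instead of the NAT rule; no-proxy-arp stops the ASA answering ARP for the
! remote subnet on the outside interface.
nat (inside,outside) source static SITE2_LAN SITE2_LAN destination static SITE1_LAN SITE1_LAN no-proxy-arp route-lookup

! Send the remote LAN toward the Balance, which owns the PepVPN tunnel.
! BALANCE_LAN_IP is a placeholder for the Balance's LAN-side address.
route outside 192.168.0.0 255.255.255.0 BALANCE_LAN_IP 1

! Equivalent on ASA 8.2 and older (if the 5510 is still on the old NAT model):
!   access-list NONAT extended permit ip 10.1.0.0 255.255.252.0 192.168.0.0 255.255.255.0
!   nat (inside) 0 access-list NONAT

! Quick checks after applying (constructed addresses for illustration):
!   show nat detail
!   packet-tracer input inside icmp 10.1.0.20 8 0 192.168.0.10
! The packet-tracer output should show the NAT phase as "untranslate"/identity
! and the egress interface as outside; a DROP at the NAT phase means the exempt
! rule is not matching.
```

The single twice-NAT line covers both directions because the ASA applies it to return traffic as well; the pre-8.3 form needs only the one ACL line for the same reason, since `nat 0` exemptions are bidirectional. Keep the exempt rule above any dynamic PAT rules for the inside interface, as the first matching NAT rule wins.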


#3

So this issue is resolved. I removed the Cisco FW from our network since it was due for retirement anyway (next year) and added those rules to the B380 and SOHO. Once that was done, and Drop-In mode removed, all connections including PepVPN were fine and devices are visible on both ends.

The assistance is appreciated.