Author Topic: BO to BO routing  (Read 931 times)
Opsimex
« on: November 13, 2009, 07:18:46 PM »

Running a Nortel 1010 @ main office & BSR222 at my BOs – 222s connect to the 1010. Tunnels are up and running, everything is solid – EXCEPT I can’t pass traffic between remote subnets – branch office to branch office.

I have turned on items under System->Forwarding on the 1010.

Pings (times out) and tracerts (gets to local gateway, then times out) from any subnet to another subnet are ending up in the bit bucket.

Any ideas on where else to look?

Thanks.

Michael McNamara
« Reply #1 on: November 14, 2009, 03:49:32 AM »

Hi Opsimex and welcome to the forums.

Here's a document from Nortel that should help you review your configuration. It's written for the CES 221 and 251 (older siblings of the BSR 222) but is still relevant.

Nortel VPN Router Configuration Contivity 221 251.pdf

I hope to post some additional documents tomorrow.

Let us know how you make out.

Cheers!

blog.michaelfmcnamara.com

Opsimex
« Reply #2 on: November 16, 2009, 02:58:30 AM »

Thanks. I'll take a look at it.

Opsimex
« Reply #3 on: November 16, 2009, 03:16:21 AM »

Michael,

OK, reviewed the document you linked to. All familiar stuff. My original post may not have been as clear as it could have been. I have a central office and 3 remote sites, A, B & C. They all currently enjoy excellent BO tunnels into the central office. The issue is although remote sites A, B & C can all talk to the central office and the central office can talk to all the remote sites, A can't talk to B or C, B can't talk to A or C, and so on.

A ping or tracert from A to B or C will hit the bit bucket. Ditto any combo of x to y or z. I even added (out of desperation more than anything) static routes on each of the 222's to the respective subnets for the other remote offices. [shrug]


Michael McNamara
« Reply #4 on: November 16, 2009, 11:05:34 PM »

That's quite a different story...

How did you set up your networks and routing? From your remote sites are you routing everything (0.0.0.0) back to your main office? Or are you just routing a specific network? Do you have IPsec tunnels set up between each of your remote offices in a mesh type of configuration?

Example;
 Main Office IP Network: 10.1.0.0/16
 Remote Site 1 IP Network: 10.2.1.0/24
 Remote Site 2 IP Network: 10.2.2.0/24
 Remote Site 3 IP Network: 10.2.3.0/24

You need to have an IPSec tunnel configured on the VPN router at Site 1 for Site 2 and Site 3, or you need to have a supernet 10.2.0.0/16 configured to route through your main office site.

Also in the GUI under System -> Forwarding you have enabled 'Branch Office Tunnels' under Proxy ARP and then you have enabled 'Allow Branch Office to Branch Office' under Tunnel to Tunnel Traffic.

Hopefully that makes sense.

Good Luck!

Opsimex
« Reply #5 on: November 18, 2009, 04:42:24 AM »

No, I do not have the BOs routed to 0.0.0.0.

This is a good example (per you) of my current setup;
 Main Office IP Network: 10.1.0.0/16
 Remote Site 1 IP Network: 10.2.1.0/24
 Remote Site 2 IP Network: 10.2.2.0/24
 Remote Site 3 IP Network: 10.2.3.0/24

"Also in the GUI under System -> Forwarding you have enabled 'Branch Office Tunnels' under Proxy ARP and then you have enabled 'Allow Branch Office to Branch Office' under Tunnel to Tunnel Traffic." This is done.

"or you need to have a supernet 10.2.0.0/16 configured to route through your main office site." Now this caught my attention. I'll give this a shot.

Thanks.


Opsimex
« Reply #6 on: November 18, 2009, 12:49:56 PM »

I said "'or you need to have a supernet 10.2.0.0/16 configured to route through your main office site.' Now this caught my attention. I'll give this a shot."

Except, I am not sure I understand how to implement it on the 1010 or if it supports it without the Advanced Routing License Key.

Michael McNamara
« Reply #7 on: November 18, 2009, 07:19:14 PM »

You need to add additional IP networks in the tunnel configuration on each endpoint. If you already have one IP network you need to add another IP network for each additional remote site.

Example; in the BSR222 for site 1 you need IP network (routes) for the following;

 10.1.0.0/16 (Main Office)
 10.2.2.0/24 (Remote Site 2 IP Network)
 10.2.3.0/24 (Remote Site 2 IP Network)

The BSR222 needs to have a route to reach 10.2.2.0/24 and 10.2.3.0/24 if you want to communicate with those sites. You can either tunnel that traffic back to your main office VPN router or you can add additional IPsec connections between the remote sites themselves. Unless your remote office sites have static public IP addressing, adding additional IPsec connections between them isn't really going to be feasible.

When you trace route 10.2.2.1 from Remote Site 1 (10.2.1.0/24) where does the traffic go? I'm guessing that it goes out to the public Internet. You need to get it to go to your main office where it can be routed back to that site, or you need to set up an additional IPsec tunnel directly to that remote site.

Cheers!

blog.michaelfmcnamara.com
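
Added example, not part of the original posts: a longest-prefix-match model of the Site 1 route table, using the example addressing from the thread, that reports which remote LANs would miss the tunnel under each set of tunnel networks. The hop labels, the function names and the assumption that unmatched traffic follows a default route to the Internet are illustrative and are not taken from the BSR222.

```python
import ipaddress

# Constructed labels for where a packet leaves the spoke (not Nortel terms).
LOCAL, TUNNEL, INTERNET = "local-lan", "tunnel-to-main", "internet"

def build_table(local_lan, tunnel_networks):
    """Spoke route table: default route, connected LAN, tunnel networks."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), INTERNET),
             (ipaddress.ip_network(local_lan), LOCAL)]
    table += [(ipaddress.ip_network(n), TUNNEL) for n in tunnel_networks]
    return table

def lookup(table, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, hop) for net, hop in table if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def sites_missing_tunnel_route(local_lan, tunnel_networks, site_lans):
    """Remote LANs whose first host would not be sent into the tunnel."""
    table = build_table(local_lan, tunnel_networks)
    missing = []
    for lan in site_lans:
        if lan == local_lan:
            continue
        first_host = str(next(ipaddress.ip_network(lan).hosts()))
        if lookup(table, first_host) != TUNNEL:
            missing.append(lan)
    return missing

# Addressing from the example in the thread.
SITES = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]
MAIN_ONLY = ["10.1.0.0/16"]                               # only the main office
PER_SITE = ["10.1.0.0/16", "10.2.2.0/24", "10.2.3.0/24"]  # one entry per site
SUPERNET = ["10.1.0.0/16", "10.2.0.0/16"]                 # one covering entry

if __name__ == "__main__":
    for name, nets in [("main only", MAIN_ONLY), ("per-site", PER_SITE),
                       ("supernet", SUPERNET)]:
        print(name, "->", sites_missing_tunnel_route("10.2.1.0/24", nets, SITES))
    # With the supernet, Site 1's own /24 is more specific and stays local.
    print(lookup(build_table("10.2.1.0/24", SUPERNET), "10.2.1.50"))
```
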

Opsimex
« Reply #8 on: February 09, 2010, 04:57:05 AM »

This has been resolved. I changed the subnet mask on the network the Nortel 1010 lives on to 255.255.248.0. I then changed the remote subnets to fit within that mask, only using 255.255.255.0 at the remote sites with static routes to all other 255.255.248.0 subnets in use.

Example - main site is set to 10.10.1.0 mask 255.255.248.0  DHCP hands out 10.10.1.50-10.10.1.100

Site A is 10.10.2.0 mask 255.255.255.0 DHCP hands out 10.10.2.50 - 10.10.2.100
BSR222 static routes to .1.0 & .3.0 using .2.0 gateway (BSR222 addy)

Site B is 10.10.3.0 mask 255.255.255.0 DHCP hands out 10.10.3.50 - 10.10.3.100
BSR222 static routes to .1.0 & .2.0 using .3.0 gateway (BSR222 addy)

So far, traffic is fine, SIP works.

One Nortel 1010 -  5 BSR222.



Michael McNamara
« Reply #9 on: February 09, 2010, 10:01:54 PM »

Thanks for posting a follow-up!

Glad to hear you got it working!