VPN access behind Router

Hello,
we have a Layer 3 Router (Siemens XM408) behind a Flexy205.
There is a Static Routing Table in the Flexy adding the XM408.
There is also a Static Routing Table adding the Flexy as the Gateway in the XM408.
When connected to one of the LAN ports of the Flexy and putting the XM408 as Gateway, I have access to all the devices behind the XM408, which is what we want.
But when connected through eCatcher, I can only reach the XM408 itself, I can’t have access to anything behind it…

Anyone had that kind of issue?

thanks,
Jonathan

Have you considered the return route? I think you are going to need to add another route back through the VPN in order for packets to be returned properly.

Flexy
IP address = 172.16.95.1
Route = Destination: 172.16.0.0 Mask: 255.255.0.0 Gateway: 172.16.95.3

XM208
IP address = 172.16.95.3
Route = Destination: 0.0.0.0 Mask: 0.0.0.0 Gateway: 172.16.95.1

It is our current setup.
Is this what you mean?

That looks right. What is the default gateway for the LAN devices connected to the switch?

They actually have the XM208 Vlan gateway.
We are doing Vlan Routing.
Ex: Vlan 97 devices have the 172.16.97.254 gateway

Is there a XM208 and a XM408? Are they both on the LAN side of the Flexy? Is there a network diagram by any chance?

Sorry, my bad, it was a typo, it should have been the XM408…
But here is a quick overview of the current setup:

Try this:

-add a route on the eCatcher PC to reach the device network

-add a route in the ewon in the static route table to reach the device network

Adding a route on my laptop has worked.
I’ve added my subnet 172.16.96.0 as destination network and the VPN address 10.95.236.160 as Gateway.
It is a starting point and a workaround.

Is the VPN address always the same for each device?
Where is it defined?

thanks
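The routing behaviour discussed so far, modelled as a longest-prefix-match lookup (an added example, not part of the original posts). The /24 masks, the laptop's own VPN address and default gateway, the device address 172.16.96.10, and the assumption that eCatcher installs a route only for the Flexy LAN subnet are constructed for illustration; the other addresses are the ones quoted in the thread.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in table
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

EWON_VPN = "10.95.236.160"   # eWON VPN address quoted in the thread
PC_VPN = "10.95.1.20"        # constructed: the laptop's own VPN address
HOME_GW = "192.168.1.1"      # constructed: the laptop's normal default gateway

# Laptop table while eCatcher is connected. Assumption: eCatcher installs
# only the Flexy LAN subnet (taken as /24), which matches the symptom.
PC_BEFORE = [("0.0.0.0/0", HOME_GW), ("172.16.95.0/24", EWON_VPN)]
# The manual route from the thread: device subnet via the eWON VPN address.
PC_AFTER = PC_BEFORE + [("172.16.96.0/24", EWON_VPN)]

# Routes posted in the thread; connected subnets are assumed to be /24.
FLEXY = [("172.16.95.0/24", "on-link"), ("172.16.0.0/16", "172.16.95.3")]
XM408 = [("172.16.95.0/24", "on-link"), ("172.16.96.0/24", "on-link"),
         ("0.0.0.0/0", "172.16.95.1")]

def trace(pc_table, device):
    """Return the hop list for laptop -> device and the XM408's reply hop."""
    forward = [next_hop(pc_table, device)]
    if forward[0] == EWON_VPN:                   # packet entered the tunnel
        forward.append(next_hop(FLEXY, device))  # Flexy forwards to XM408
        forward.append(next_hop(XM408, device))  # XM408 delivers on its VLAN
    return forward, next_hop(XM408, PC_VPN)      # reply leaves via the Flexy

if __name__ == "__main__":
    for name, table in (("before", PC_BEFORE), ("after", PC_AFTER)):
        print(name, trace(table, "172.16.96.10"))
```

In this model the return path through the XM408 and the Flexy is already in place; what changes between the two tables is only whether the laptop sends traffic for the device subnet into the tunnel or to its local default gateway.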

So the VPN IP is assigned to your device so it normally stays the same. That said, we can’t guarantee that at some point it could change, but it’s normally going to stay the same.

There is no way to assign it a static and permanent IP address unfortunately.

Asking all our technicians to add a route each time they need to have access on a customer site isn’t really a suitable solution.

Is there a way to have access to advanced parameters in eCatcher that would allow us to modify the VPN driver settings?
That way, the routing table could be automatically created.

Or what is the preferred/proposed solution of eWON when needing to have access to bigger systems, not only small machines?

I understand. The Ewon devices were originally designed to connect to a single machine network, not for a more complex network with multiple VLANs or subnets. We do have workarounds, but they aren’t always as easy as most customers would probably like. We can certainly submit a feature request for a future firmware release however.

I’m going to escalate this issue to get some more feedback on potential solutions, and I’ll let you know what I find.

thanks!
That would be great!

Good morning Kyle, I’ll continue the other post’s discussion here to not duplicate them as the other one was already closed.
Do you have a bit more info, procedure or example on how to:
Modify the Talk2MClient.ovpn config file in eCatcher folder C:\Program Files (x86)\eCatcher-Talk2M\Talk2mVpnService\conf to request OpenVPN to add a route.
It seems the most promising workaround for us for now until a solution comes out.

thanks

@jfortier,

You can add a route to .ovpn config file by just adding this line:

route [IP address] [subnet mask]

For example:

route 172.16.96.0 255.255.255.0

You’ll also want to be sure you add the static route in the Ewon configuration so it knows the IP address of your gateway, because I don’t think you can add another gateway in the .ovpn file. Please let me know if this works because I haven’t had a chance to test it yet.

Thanks!

Kyle

Good morning, have you had a chance to try it on your side?
I’ve tried to add your example in the .ovpn config file, but it doesn’t add any route to the PC when we connect to the eWON from eCatcher…

I’m actually having the same issue. I also tried:

route-up "C:/Windows/System32/ROUTE.EXE ADD 10.213.19.150 MASK 255.255.255.255 10.213.19.150"

But that also is not working. I’m looking into it.

I think it may be a permissions issue and the following line needs to be added to the .ovpn file:

script-security 2 system

Then add your route:

route 192.168.33.0 255.255.255.0 10.0.33.1

will test tomorrow-

Kyle, you are the man!
We are on a good path! :slightly_smiling_face:

2 minor things to add to that config file:

  • remove the route when we close the connection. The added route remains on the laptop when we close the eWON VPN connection in eCatcher. The default eCatcher route is removed automatically. Probably just another line with a route delete that needs to be added on eCatcher connection closing.
  • replace the gateway in the route command by the eWON VPN address variable. The VPN address is different from eWON to eWON and can change over time from what I understand. We “just” need to figure out what is the VPN address of the connection and put that variable in the route table.

2 excellent points - I’ll get to work on that!