DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
site to site vpn over internet and site to site vpn or static route over wifi
11 Mar 2026 00:27 - 11 Mar 2026 16:52 #106123
by Phill
site to site vpn over internet and site to site vpn or static route over wifi was created by Phill
Hi guys, I am guessing this is real simple but I am missing something.
I am testing this on the bench with various 2860/2925/2862. I understand you might say they are old; we do not need anything fancy unless a newer router fixes this.
I have a 2-way radio system and sites are linked with VPNs all going back to one site over the internet. This works fine, no issues, can do this all day long.
But now we want to add another radio tower that will have a Wi-Fi dish link back to the main site (which the VPNs go to) (and would want internet connectivity over the same link from the main site).
I have tried a static route and for sure can link the main site and a remote tower site over static route, but the remote site cannot see the VPN sites (and vice versa). I can put the main router behind an internet router at the main site and have an over-LAN VPN, but I am wondering how I can do it with just one router at the main site.
I hope you can make sense of what I mean; this forum won't let me upload a diagram.
I have tried adding the static route side in the "more" box on the VPNs.
I have also ticked "Pass packets from LAN in Routing mode to VPN",
but no luck with either.
I am wondering, do I need to add a static route for all VPN sites? I ought to have tried that but thought I would ask, as I do not even know if that's a thing.
My second question would be: can sites have VPNs to each other without creating loops, or do I need OSPF for this, which I realise all my old routers do not have? Thanks.
Thanks in advance, Phill in the UK
Last edit: 11 Mar 2026 16:52 by Christopher.
11 Mar 2026 23:25 - 12 Mar 2026 23:16 #106129
by HodgesanDY
Replied by HodgesanDY on topic site to site vpn over internet and site to site vpn or static route over wifi
Hi Phill,
I'm still trying to get my head around your setup. Am I right in thinking the 2-way radio system is carrying the network traffic? Or is that a totally separate system that you are just mentioning for some relevant context?
Either way, if you have established WAN links between geographical locations and have also established VPN tunnels, all your traffic should be able to route to pretty much anywhere in your larger spider-chart based network.
I would be checking the 'Routing Table' on each router at each site, to make sure that every subnet you desire to reach is actually listed in those local routers. If they are not present, then that would be where I would start adding the external subnets that are based at the end of the VPN tunnel(s) of each remote site.
These remote sites (and their numerous subnets, if you have many) are only reachable from a local router, if that local router has them listed in its 'Routing Table'.
I have a 2925 and a 2862 tucked away, not in use anymore, but have knowledge of them, more so the 2862 than the 2925 as that has been out of action for some time, but all of the principles above should apply to all of your listed routers.
Make sure all of your subnets are different, across the entire spider-chart layout, and make sure you have added the "more subnets" into the VPN Profile that connects to the main (central) site from each remote site.
Each routing table needs to show the hop to the next router that knows about that distant subnet. For example, if a subnet on Router A wants to route traffic to a subnet on Router C via Router B, then Router A needs to be told where that Router C subnet is, and that would be listed in the 'Routing Table' of Router A. Likewise, for traffic to be sent back to Router A's subnet from Router C's subnet, Router C needs to have Router A's subnet in its 'Routing Table' too.
To add these remote VPN subnets to the 'Routing Table' they need to be entered into the "more subnets" field in the VPN Profile.
Last edit: 12 Mar 2026 23:16 by HodgesanDY.
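Added example, not part of either post above and not DrayTek code: a small Python audit of the routing-table check described in the reply. It walks each router's table hop by hop and reports overlapping subnets and any pair of sites that has a route in one direction only. The site names, addresses and table contents are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed topology: names and addresses are assumptions, not from the thread.
LANS = {"hub": "192.168.1.0/24", "site_a": "192.168.10.0/24", "tower": "192.168.20.0/24"}
# Per-router table: destination prefix -> next-hop router.
BROKEN = {
    "hub": {"192.168.10.0/24": "site_a", "192.168.20.0/24": "tower"},
    "site_a": {"192.168.1.0/24": "hub"},   # VPN profile lists only the hub LAN
    "tower": {"0.0.0.0/0": "hub"},         # default route over the Wi-Fi link
}
# Same tables with the tower LAN added on site_a (the "more subnets" entry).
FIXED = dict(BROKEN, site_a={"192.168.1.0/24": "hub", "192.168.20.0/24": "hub"})

def next_hop(routes, dst_net):
    """Longest-prefix match of a destination subnet against one routing table."""
    dst, best = ipaddress.ip_network(dst_net), None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def reachable(tables, lans, src, dst, max_hops=8):
    """Walk the tables hop by hop from router src towards dst's LAN."""
    here = src
    for _ in range(max_hops):
        if here == dst:
            return True
        here = next_hop(tables[here], lans[dst])
        if here is None:
            return False      # some router on the path has no entry
    return False              # hop limit hit: routing loop

def audit(tables, lans):
    """Return overlapping LANs and every one-way (src, dst) routing gap."""
    names, problems = sorted(lans), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(lans[a]).overlaps(ipaddress.ip_network(lans[b])):
                problems.append(("overlap", a, b))
    for a in names:
        for b in names:
            if a != b and not reachable(tables, lans, a, b):
                problems.append(("no-route", a, b))
    return problems

if __name__ == "__main__":
    print(audit(BROKEN, LANS), audit(FIXED, LANS))
```

In the constructed "broken" tables the tower can send to the VPN site but replies have no route back, which shows up as a single one-way gap.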
Moderators: Admin3, Christopher
