Problem: Windows 10 can't reach an IP host behind two routers, where the path is specified in static routes.
Windows has the following setup:
Windows Host (192.168.3.1/24 for the local LAN with default gw 192.168.3.254/24 and
10.0.0.101/28 for the VPN to the secured systems) ->
VPN Router (10.0.0.97/28 - IP on Windows host's end) ->
Security Router (10.212.69.3 - behind VPN endpoint) ->
Target host (100.102.1.136 - somewhere behind Security Router)
I have the following static routes defined on the Windows host:
(Note: The Windows system is set to German locale, so I translated the most-difficult-to-understand parts into English manually)
IP            Netmask          Gateway        Metric
0.0.0.0       0.0.0.0          192.168.3.254  Standard
100.102.0.0   255.254.0.0      10.212.69.3    1         <<- Target network
10.212.69.3   255.255.255.255  10.0.0.97      2         <<- Security Router behind VPN
When I ping the target host 100.102.1.136 I would expect the IP package to go from the Windows host to the VPN router, through the VPN tunnel, to the Security router and from there to the target network. It does, however, go directly to the default gateway of the Windows network (192.168.3.254), where - of course - it can't be processed.
I can ping the Security Router (10.212.69.3), so that is working fine, but Windows is choosing the wrong path for the target behind the Security Router.
C:\>tracert 100.102.3.136
Routenverfolgung zu 100.102.3.136 über maximal 30 Hops
1 <1 ms <1 ms <1 ms fritz.box [192.168.3.254]
2 p4fabf621.dip0.t-ipconnect.de [62.155.246.33] meldet: Zielnetz nicht erreichbar.
C:\>tracert 10.212.69.3
Routenverfolgung zu 10.212.69.3 über maximal 30 Hops
1 8 ms 7 ms 8 ms 10.0.0.97
2 9 ms 8 ms 8 ms 10.212.69.3
What am I missing?
This is the route print and ipconfig output:
IPv4-Routentabelle
===========================================================================
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 192.168.3.254 10.0.0.101 281
10.0.0.96 255.255.255.240 On-Link 10.0.0.101 281
10.0.0.101 255.255.255.255 On-Link 10.0.0.101 281
10.0.0.111 255.255.255.255 On-Link 10.0.0.101 281
10.212.69.3 255.255.255.255 10.0.0.97 10.0.0.101 27
100.102.0.0 255.254.0.0 10.212.69.3 10.0.0.101 26
127.0.0.0 255.0.0.0 On-Link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-Link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-Link 127.0.0.1 331
188.144.0.0 255.254.0.0 10.212.69.3 10.0.0.101 26
192.168.3.0 255.255.255.0 On-Link 10.0.0.101 281
192.168.3.1 255.255.255.255 On-Link 10.0.0.101 281
192.168.3.255 255.255.255.255 On-Link 10.0.0.101 281
224.0.0.0 240.0.0.0 On-Link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-Link 10.0.0.101 281
255.255.255.255 255.255.255.255 On-Link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-Link 10.0.0.101 281
===========================================================================
Persistent routes:
Netzwerkadresse Netzmaske Gatewayadresse Metrik
0.0.0.0 0.0.0.0 192.168.3.254 Standard
100.102.0.0 255.254.0.0 10.212.69.3 1
10.212.69.3 255.255.255.255 10.0.0.97 2
===========================================================================
Windows-IP-Konfiguration
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
Ethernet-Adapter LAN1:
Beschreibung. . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection #2
DHCP aktiviert. . . . . . . . . . : Nein
IPv4-Adresse . . . . . . . . . . : 10.0.0.101(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.240
IPv4-Adresse . . . . . . . . . . : 192.168.3.1(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.3.254
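
Added example, not part of the original post: a longest-prefix-match lookup over the persistent routes listed above, reporting whether each selected gateway lies inside one of the host's directly connected subnets (10.0.0.96/28 and 192.168.3.0/24, taken from the ipconfig output). The helper names are hypothetical, the "Standard" metric is modelled as `None`, and the recursive step in `resolve` traces the path the question expects rather than describing how Windows itself resolves routes.

```python
import ipaddress

# Directly connected subnets, taken from the ipconfig output in the post.
CONNECTED = [ipaddress.ip_network("10.0.0.96/28"),
             ipaddress.ip_network("192.168.3.0/24")]

# Persistent routes from the post: (destination, netmask, gateway, metric).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.3.254", None),   # metric "Standard"
    ("100.102.0.0", "255.254.0.0", "10.212.69.3", 1),
    ("10.212.69.3", "255.255.255.255", "10.0.0.97", 2),
]

def parse(routes):
    """Turn the textual rows into (network, gateway, metric) tuples."""
    return [(ipaddress.ip_network(f"{d}/{m}"), ipaddress.ip_address(g), metric)
            for d, m, g, metric in routes]

def lookup(dest, table):
    """Longest-prefix match; the lower metric wins among equal prefixes."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in table if dest in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -(r[2] or 0)))

def gateway_on_link(gateway, connected=CONNECTED):
    """True if the gateway address sits in a directly connected subnet."""
    return any(gateway in net for net in connected)

def resolve(dest, table, max_depth=4):
    """Follow gateways until one is on-link; return the chain of lookups."""
    chain, target = [], ipaddress.ip_address(dest)
    for _ in range(max_depth):
        route = lookup(target, table)
        if route is None:
            break
        net, gw, _metric = route
        chain.append((str(net), str(gw), gateway_on_link(gw)))
        if chain[-1][2]:
            break
        target = gw          # gateway is off-link: look it up in turn
    return chain

def off_link_gateways(table):
    """Routes whose gateway is not in any directly connected subnet."""
    return [str(net) for net, gw, _ in table if not gateway_on_link(gw)]

if __name__ == "__main__":
    table = parse(ROUTES)
    for hop in resolve("100.102.1.136", table):
        print(hop)
    print("off-link gateways:", off_link_gateways(table))
```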