Channel: Network Infrastructure Servers forum

Hub-and-Spoke VPN using Windows Server 2008 R2 and RRAS


Hi,

I am trying to create a simple VPN hub-and-spoke topology. I have managed to get quite a long way and the following diagram shows what I have been able to build thus far:


As you can see, the hub is a Windows Server 2008 R2 box running RRAS. The spokes will either be Draytek routers with a number of PCs (or other devices) on the LAN behind them or PCs dialling in directly to the server. All of this works as expected except for the fact that none of the LAN devices at the spokes are able to communicate with the devices at the other spokes. For example, the direct dial-in PC (192.168.1.11) cannot communicate with 192.168.3.1 or 192.168.10.1.

Things that I have tried and work:

  • All of the LAN devices can ping any of VPN addresses (so, for example, the direct dial-in PC can ping 10.0.0.1, 10.0.0.4 and 10.0.0.5).
  • I have enabled Syslog on the Draytek routers and can see the ICMP traffic through the firewall when the 10.0.0.x address of the router is pinged (for example, if I ping 10.0.0.5 from the direct dial-in PC, I can see the firewall allowing the ping).
  • I have added static routes to the Draytek routers (for example, on the 10.0.0.5 router, I have added a route for 192.168.1.0 / 24 and 192.168.3.0 / 24 routing via 10.0.0.1).
  • I have added static routes to the direct dial-in PC for 192.168.3.0 / 24 via 10.0.0.4 and 192.168.10.0 / 24 via 10.0.0.5
  • I have added static routes to the server for each LAN at the end of the spokes (for example, I added a route for 192.168.1.0 / 24 to route via 10.0.0.2, and 192.168.10.0 / 24 via 10.0.0.5). I am having trouble persisting these routes so that they re-establish if the VPN connection drops and re-connects.

Things that don't work:

  • The server is unable to ping any of the LAN PCs (for example, it can't ping 192.168.10.1 or .2 etc.). Syslog on the routers does not see any ICMP traffic.
  • The client PCs are unable to ping any remote PCs (for example, 192.168.10.x PCs cannot ping 192.168.3.x PCs or the direct dial-in client at 192.168.1.11).

If I use tracert or pathping, it does look like the traffic is trying to go via the server but it never gets there. For example:

C:\Users\Administrator>pathping -n 192.168.10.2

Tracing route to 192.168.10.2 over a maximum of 30 hops

  0  10.0.0.1
  1  10.0.0.5
  2     *        *        *

I am really at a loss as to what to do next. It must be possible to get this working... I have found so many articles about this topic but nothing seems to address this particular problem. So I guess my two main questions are:

  1. What am I missing to get the remote LAN PCs to be able to communicate with each other?
  2. What do I need to do to persist the routes via the VPN clients to their LANs?
  3. Can I avoid static routes completely and use dynamic routes?  I have tried using RIP but the RIP multicasts come in over the VPN (I have seen this using Wireshark) and I can't create RIP on the "Internal Interface".

One idea that I've had... Could the problem be anything to do with IPv6? When I was experimenting, I tried disabling it using Microsoft Fix it 50409. After I did this, neither the routers nor the direct dial-in W7 client were able to establish a VPN connection until I re-enabled it... I had assumed that all traffic would be IPv4 but perhaps I'm wrong?

Many thanks!
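The two things the post is asking for (routes on the hub that survive a VPN reconnect, and a check of why spoke-to-spoke traffic dies one hop past the hub) can be scripted. The following is an added example, not code from the original post or from Microsoft; it uses the addresses given in the post, and the adapter names, the firewall rule name and the target list are assumptions. It runs on Windows Server 2008 R2 / Windows 7 PowerShell 2.0 with only the built-in route.exe and netsh, since the NetRoute cmdlets did not exist yet on those versions.

```powershell
# ---------------------------------------------------------------------------
# Hub side: run in an elevated PowerShell on the RRAS server (10.0.0.1).
# Addresses come from the post; everything else in this script is an assumption.
# ---------------------------------------------------------------------------

# Spoke LAN -> VPN address of the spoke's router/PC, i.e. the next hop seen from the hub.
$Spokes = @{
    '192.168.1.0'  = '10.0.0.2'   # direct dial-in PC (LAN address 192.168.1.11)
    '192.168.3.0'  = '10.0.0.4'   # Draytek router, LAN 192.168.3.0/24
    '192.168.10.0' = '10.0.0.5'   # Draytek router, LAN 192.168.10.0/24
}

function Add-SpokeRoutes {
    param([hashtable]$Spokes)
    foreach ($lan in $Spokes.Keys) {
        # "route -p" stores the route under
        # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes,
        # so it is re-applied at boot and is still there when the client's /32
        # host route comes back after a reconnect. A plain "route add" lives only
        # in the active table, which is why the post's routes kept disappearing.
        $out = & route.exe -p add $lan mask 255.255.255.0 $Spokes[$lan] metric 1 2>&1
        Write-Host ("route -p add {0}/24 via {1}: {2}" -f $lan, $Spokes[$lan], ($out -join ' '))
    }
}

function Test-SpokeReachability {
    # One echo request per target; returns objects so the result can be filtered or logged.
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        $ok = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Target = $t; Reachable = [bool]$ok }
    }
}

Add-SpokeRoutes -Spokes $Spokes
route print -4 | Select-String '192\.168\.'          # confirm the three LAN routes are listed
Test-SpokeReachability -Targets @('10.0.0.5', '192.168.10.1', '192.168.3.1', '192.168.1.11') |
    Format-Table Target, Reachable -AutoSize

# ---------------------------------------------------------------------------
# Spoke side: run elevated on the Windows 7 dial-in PC (10.0.0.2 / 192.168.1.11).
# ---------------------------------------------------------------------------
$LanAdapter = 'Local Area Connection'   # assumed adapter name
$VpnAdapter = 'VPN Connection'          # assumed name of the dial-in connection

# On a PPP link the hub is the only next hop, so point the other spokes' LANs at 10.0.0.1
# (persistently) rather than at the far router's 10.0.0.x address.
route -p add 192.168.3.0  mask 255.255.255.0 10.0.0.1 metric 1
route -p add 192.168.10.0 mask 255.255.255.0 10.0.0.1 metric 1

# Windows Vista and later use the strong host model: a packet arriving on the VPN adapter
# but addressed to the LAN adapter's address (192.168.1.11) is silently dropped. Enabling
# weak host receive/send on both adapters lets the PC answer for its LAN address over the tunnel.
netsh interface ipv4 set interface "$LanAdapter" weakhostreceive=enabled weakhostsend=enabled
netsh interface ipv4 set interface "$VpnAdapter" weakhostreceive=enabled weakhostsend=enabled

# Windows Firewall does not allow echo requests from non-local subnets by default on the
# Public/Private profiles, so scope a rule to the hub-and-spoke prefixes only.
netsh advfirewall firewall add rule name="Hub-and-spoke ICMPv4 echo" dir=in action=allow protocol=icmpv4:8,any remoteip=10.0.0.0/24,192.168.3.0/24,192.168.10.0/24
```

The `pathping` in the post shows the packet leaving the hub towards 10.0.0.5 and then nothing, while the router's syslog shows no ICMP: the traffic reaches the far end of the tunnel but is not forwarded to the LAN or not answered. On the Draytek side that normally means the LAN-to-LAN profile only lists the hub's network as the remote network, so packets sourced from another spoke's prefix (or destined to it on the way back) fall outside the tunnel's selector; each router needs the other spokes' prefixes (192.168.1.0/24, 192.168.3.0/24 or 192.168.10.0/24) reachable through the tunnel, not just 10.0.0.0/24. `Test-SpokeReachability` run on the hub after each change tells you which hop starts answering.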


