L2P VPN client needs to access primary subnet... How?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

L2P VPN client needs to access primary subnet... How?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
L2P VPN client needs to access primary subnet... How?
L2P VPN client needs to access primary subnet... How?
2017-10-04 08:50:31 - last edited 2021-08-21 05:56:11
Model :

Hardware Version :

Firmware Version :

ISP :

I have a TL-ER6120 router using subnet 192.168.10.0/24

I need to be able to VPN into it and get access to all devices on the main subnet.
When I created the VPN I was forced to specify a different subnet for it's IP pool. (I used 172.168.10.20 - 172.168.10.29)
I can connect just fine, but cannot access any device on the 192.168.10.0 subnet.

There is also a site-to-site IPSec VPN which connects to a second location. It's subnet is 192.168.0.0/24
I know that I SHOULD be able to also reach devices by connecting client-to-lan and access any device on either the 192.168.10.0 or the 192.168.0.0 subnet.

Altho I am not formally trained, I know enough to be dangerous in most cases.
Does this require static routes to be set?

* During the setup I read that I needed to add the subnet for my VPN IP Pool to the Multi-nets NAT tab.
I do, in fact, have an entry there for 172.168.10.0/24

Ultimatellly I would have preferred to specify and IP pool on the 192.168.10.0 subnet, but apparently the TL-ER6120 doesn't like that. (And yes, I tried setting a pool on this subnet outside of the DHCP pool)

If anyone can shed some light that would be great.
Thanks
  0      
  0      
#1
Options
5 Reply
Re:L2P VPN client needs to access primary subnet... How?
2017-10-08 17:18:23 - last edited 2021-08-21 05:56:11

Stomp wrote




I have a TL-ER6120 router using subnet 192.168.10.0/24

I need to be able to VPN into it and get access to all devices on the main subnet.
When I created the VPN I was forced to specify a different subnet for it's IP pool. (I used 172.168.10.20 - 172.168.10.29)
I can connect just fine, but cannot access any device on the 192.168.10.0 subnet.

There is also a site-to-site IPSec VPN which connects to a second location. It's subnet is 192.168.0.0/24
I know that I SHOULD be able to also reach devices by connecting client-to-lan and access any device on either the 192.168.10.0 or the 192.168.0.0 subnet.

Altho I am not formally trained, I know enough to be dangerous in most cases.
Does this require static routes to be set?

* During the setup I read that I needed to add the subnet for my VPN IP Pool to the Multi-nets NAT tab.
I do, in fact, have an entry there for 172.168.10.0/24

Ultimatellly I would have preferred to specify and IP pool on the 192.168.10.0 subnet, but apparently the TL-ER6120 doesn't like that. (And yes, I tried setting a pool on this subnet outside of the DHCP pool)

If anyone can shed some light that would be great.
Thanks


I want confirm your demand firstly.
There are three different lan: LAN1 is 192.168.10.0/24,LAN2 is172.168.10.0/24, LAN3 is 192.168.0.0/24
You hope LAN3 can communicate with LAN1 and LAN2 via IPSec. LAN2 and LAN1 can access with each other and internet.
If this is your demand. You need configure two IPsec tunnel , multi-nets NAT and static routing in ER6120
IPSec tunnel: LAN3 t0 LAN1, LAN3 to LAN2
Multi-nets NAT: if you do not configure, LAN2 can not access internet via ER6120
static routing: you still need configure static routing in your layer 3 switch.TL-ER6120(192.168.10.0)----(192.168.10.0)Layer3 switch(172.168.10.29)
For Multi-nets and static routing, I found there are FAQ in tp-link website( http://www.tp-link.com/en/faq-887.html)
  0  
  0  
#2
Options
Re:L2P VPN client needs to access primary subnet... How?
2017-10-09 11:40:53 - last edited 2021-08-21 05:56:11
Your routing via VPN is specified in the IPSEC config. You should be able to access whatever network your VPN specifies. No static routing should be necessary. Note that the VPN config has to be complimentary on either side, or there will be mismatched routing. You can VPN to a specific IP address eg /32 or a subnet /24.
  0  
  0  
#3
Options
Re:L2P VPN client needs to access primary subnet... How?
2017-10-11 08:21:31 - last edited 2021-08-21 05:56:11
OK - Maybe I wasn't clear....


Router #1 - 192.168.0.0/24
VPN IP Pool - 192.168.5.20 - 192.168.5.29 (I discovered that I COULD in fact reach the primary subnet if the first 2 positions are the same.)

Router #2 - 192.168.10.0/24
VPN IP Pool - 192.168.15.20 - 192.168.15.29

There is a site-to-site IPSec VPN between the 2 routers. This is working just as expected.
If I initiate a client-to-lan VPN connection to one of them, I should be able to talk to either the 192.168.0.0/24 or the 192.168.10.0/24 subnets. This does not seem to be the case.

I think the problem is that the 6120 will NOT allow me to specify a client-to-lan VPN IP pool on the main subnet for the given router. With other routers I could, for example, have a main subnet of 192.168.0.0/24 with a DHCP range of 100-199 and then specify a VPN IP Pool such as 192.168.0.20-192.168.0.29.
I am forced to select a different subnet for the client-to-lan VPN IP Pool, such as 192.168.5.20-192.168.5.29 in the case of router #1. When I do it this way, I can see the devices on the primary subnet (192.168.0.0/24) but I CANNOT see devices on the other side of the site-to-site VPN.

Hope this makes more sense.
  0  
  0  
#4
Options
Re:L2P VPN client needs to access primary subnet... How?
2017-10-11 10:31:17 - last edited 2021-08-21 05:56:11
Just confirmed...

Site-to-site VPN is active between both routers. If on-site, I can reach either routers main subnet. (as expected)

Connected remotely to Router 1 via client VPN - I can reach 192.168.5.0/24 (the subnet for the client VPN pool) and 192.168.0.0/24 (main subnet on router 1)

Connected remotely to Router 2 via client VPN - I can reach 192.168.15.0/24 (the subnet for the client VPN pool) and 192.168.10.0/24 (main subnet on router 2)

Cannot reach Router 2's main subnet if connected with client VPN to Router 1.
Cannot reach Router 1's main subnet if connected with client VPN to Router 2.
Thinking I need a static route in each from the remote client VPN subnet to the main subnet of the secondary router.
eg. I connect to Router 1 remotely (192.168.5.20) so adding a static route from 192.158.5.0/24 to 192.168.10.0/24 (the opposite side of the site-to-site VPN)
  0  
  0  
#5
Options
Re:L2P VPN client needs to access primary subnet... How?
2017-10-12 07:14:44 - last edited 2021-08-21 05:56:11
You could try configuring your VPNs to use a /16 subnet instead. This could solve the problem- it works with some router router brands, but may not work with the T-P link. I do not expect a L2Tp tunnel to connect to the foreign router via IPSEC unless you configure the tunnel subnets appropriately.
  0  
  0  
#6
Options