Cannot make L2TP/IPSEC work between 2 ER605 under SDN Controller v5
Latest ER605 firmware v1.2.0 on both. Omada OC200 Controller running 5.0.30.
I have 1 public IP (HQ) and 1 CGNAT IP (Branch). Basically there is no option to forward ports to a public IP at the Branch site, which from what I can see means I have no ability to do an IPSEC Branch-to-Branch VPN (as IPs must be known and fixed at either end).
I have configured the L2TP Server at HQ (Controller#1-soft) and I have configured the L2TP client at Branch (Controller#2-OC200); both controllers are at 5.0.30.
The Branch L2TP client connects flawlessly to the Server and the connection is quite robust, but there are several issues:
Routing performs perfectly, but I had to reduce the Branch MTU (Wired Network->WAN->Advanced Settings) to 1400 to get anything more than pings across the link (I just picked a number I knew would make a difference if this was the issue... I'm sure 1460 might be possible too). This seemed to cause the router to reboot or at least go offline for a painful period of time. I looked for any kind of FW rule that might not permit fragmentation, but I couldn't see any that were active.
Now, I also cannot for the life of me make the IPSEC encryption work. I was able to make this work when HQ was still operating in standalone mode and Branch was under Omada control, but once HQ converted to a controller, I was no longer able to use IPSEC over the L2TP tunnel. The SA comes up fine every time, but the tunnel no longer establishes... and there are zero error messages in the event logs to give a hint as to why.
My main purpose is to VLAN a port on my switch and route it back over the L2TP connection to HQ. This seems quite easy to do, and I've test-configured the Routing Policy to do this, and the VPN 'WAN' interface shows up like you would expect. I tried to do the reverse, i.e. default-route a switch port at HQ back over the VPN; however, this was not possible as the Omada SDN doesn't see the 'Server' end as a WAN option.
If anyone can offer insights into how I can clean this up, or if there are fixes for the MTU (fragmentation) and IPSEC issues I'm all ears!
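The MTU problem in the post comes down to encapsulation overhead: every packet crossing the tunnel picks up PPP, L2TP, UDP and ESP headers (plus a NAT-T UDP header when one side is behind CGNAT), and ESP pads the payload to the cipher block size. The calculator below is an added example, not code from the post or from TP-Link; it uses the fixed header sizes from the IPv4, UDP, ESP (RFC 4303), L2TPv2 (RFC 2661) and PPP specifications, while the cipher/integrity choices, the 4-byte PPP header and the L2TP header options are assumptions (the post does not state which proposals the ER605s negotiated). It reports the on-wire size for a given inner packet and searches for the largest inner MTU that still fits a 1500-byte WAN without fragmentation.

```python
"""Overhead estimate for L2TP over IPsec ESP (transport mode, optional NAT-T).

Constructed example. Fixed header sizes are the standard ones; cipher,
integrity algorithm and header options are assumptions (see CIPHERS,
INTEGRITY and the keyword arguments), not values read from an ER605.
"""

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
PPP_HDR = 4          # address/control (2) + protocol (2); assumption

CIPHERS = {          # (IV length, block size) in bytes
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
}
INTEGRITY = {        # ICV length in bytes
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
}


def l2tp_header_len(has_length=True, has_sequence=False):
    """L2TPv2 data header: 6 fixed bytes plus optional Length and Ns/Nr fields."""
    return 6 + (2 if has_length else 0) + (4 if has_sequence else 0)


def outer_packet_size(inner_len, cipher="aes-cbc", integrity="hmac-sha1-96",
                      nat_t=True, l2tp_hdr=None):
    """Bytes on the WAN for one inner IP packet of inner_len bytes.

    Encapsulation order: inner IP -> PPP -> L2TP -> UDP/1701 -> ESP (transport
    mode) -> [UDP/4500 if NAT-T] -> outer IPv4.
    """
    iv_len, block = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    if l2tp_hdr is None:
        l2tp_hdr = l2tp_header_len()
    # Transport-mode ESP encrypts the UDP/1701 datagram and everything inside it.
    plaintext = UDP_HDR + l2tp_hdr + PPP_HDR + inner_len
    # ESP pads so that payload + trailer is a multiple of the cipher block size.
    padded = -(-(plaintext + ESP_TRAILER) // block) * block
    esp_len = ESP_HDR + iv_len + padded + icv
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp_len


def max_inner_mtu(wan_mtu=1500, **kw):
    """Largest inner packet whose encapsulated form fits wan_mtu (binary search;
    the padding step makes the size function non-linear, so do not just subtract)."""
    lo, hi = 0, wan_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if outer_packet_size(mid, **kw) <= wan_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for inner in (1400, 1460):
        print(f"inner {inner} -> outer {outer_packet_size(inner)} bytes (NAT-T, AES-CBC/SHA1)")
    print("max inner MTU with NAT-T:", max_inner_mtu())
    print("max inner MTU without NAT-T:", max_inner_mtu(nat_t=False))
```

With the assumed AES-CBC/HMAC-SHA1 proposal and NAT-T in play (which is what a CGNAT branch implies), a 1400-byte inner packet leaves the WAN at 1488 bytes, a 1460-byte one at 1552 bytes, and the largest inner size that fits 1500 bytes is 1402. The numbers shift with the negotiated proposal, which is why it is worth checking the actual SA parameters before settling on a value; a tool like this also makes it clear that the interface-wide MTU change in the post affects all Branch WAN traffic, not just the tunnel.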