IPsec Policy with two remote subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-04-13 14:33:05 - last edited 2022-04-14 06:25:40
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.0.1 Build 20210113 Rel.35468

I would like to add a second remote subnet to my running IPsec tunnel (LAN-to-LAN, same WAN interface, same remote gateway). Unfortunately, in the router GUI there doesn't seem to be an option to create a policy with more than one remote subnet. Also, adding a second policy with the same configuration but a different remote subnet fails. I would appreciate anyone sharing ideas or experiences on this.

#1
1 Accepted Solution
Re:IPsec Policy with two remote subnets-Solution
2022-04-14 06:24:50 - last edited 2022-04-20 15:22:15

Hi @RobertWa

With Omada Controller we can add more than one remote subnet. I took a screenshot:

Best Regards!
Recommended Solution
#3
8 Reply
Re:IPsec Policy with two remote subnets
2022-04-13 16:57:25 - last edited 2022-04-20 15:22:22

@RobertWa

You need to create a new VPN policy exactly the same as the one you have, but with the new remote subnet.

One VPN profile for each remote subnet.

If you use IKEv2 you can add several remote subnets, but I have never been able to get this to work against Cisco, only with another ER7206 or ER605.

So I have to do the same with IKEv2 between ERxxx and Cisco firewalls; I have not tested other brands with site-to-site VPN.

And you have very old firmware on your router; try to upgrade, then you will have more VPN options.

#2
Re:IPsec Policy with two remote subnets
2022-04-20 15:21:59

Thanks @shberge! IKEv2 is def necessary for multiple subnets. But even after the firmware upgrade I was not able to establish a connection. But I am working against a Fortigate 1500 D, maybe that's the issue.

#4
Re:IPsec Policy with two remote subnets
2022-04-20 15:23:03

Thank you  @Hank21 - With Omada Controller I was able to add multiple subnets.

#5
Re:IPsec Policy with two remote subnets
2022-04-20 15:41:12

@RobertWa

It is probably the same thing I struggled with against the Cisco firewall.

I have to create a VPN profile for each subnet to make it work, so if you have two remote subnets you need two VPN profiles on the ER7206.

It is the same on IKEv1 and IKEv2; although you can define several subnets on IKEv2, it does not work against Cisco.

On the Cisco firewall, I only need one VPN profile.

There are a lot of VPN bugs on TP-Link, but it works if you do it this way, at least against the Cisco firewall.

I have not tested against anything else, so I do not know if it is the same on your firewall.

#6
Re:IPsec Policy with two remote subnets
2022-08-26 07:03:32

@Hank21 Could it be that there is a limit of max 5 remote subnets?

That's a problem!

BR

Andy

#7
Re:IPsec Policy with two remote subnets
2022-08-26 10:18:13

Dear  @Andy_Sch 

 

Yes, currently the limitation is 5 subnets. 

Best Regards!
#8
Re:IPsec Policy with two remote subnets
2022-08-29 12:25:44
And what to do if you have more than 5 remote subnets which cannot be summarized into subnets? A second VPN profile is not possible in the case of the unique peer gateway address. It is not so easy.
#9
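
An added example, not part of the original thread and not TP-Link code: a check of whether a list of remote subnets can be summarized to fit the 5-subnet limit mentioned above, and how many unrequested addresses a forced summary would pull into the tunnel's remote selectors. The function names, the greedy merge heuristic and the sample subnets are assumptions constructed for illustration.

```python
import ipaddress

MAX_REMOTE_SUBNETS = 5  # per-policy limit stated in the thread

def summarize(cidrs):
    """Exact aggregation: merges adjacent or nested prefixes, adds no addresses."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]  # rejects host bits
    return list(ipaddress.collapse_addresses(nets))

def common_supernet(a, b):
    """Smallest prefix that contains both a and b."""
    sup = a
    while not b.subnet_of(sup):
        sup = sup.supernet()
    return sup

def fit_to_limit(cidrs, limit=MAX_REMOTE_SUBNETS):
    """Return (selectors, extra): at most `limit` prefixes covering every
    requested subnet, and how many unrequested addresses they also cover."""
    nets = summarize(cidrs)
    wanted = sum(n.num_addresses for n in nets)
    while len(nets) > limit:
        # Greedy heuristic (not guaranteed optimal): merge the neighbouring
        # pair whose common supernet is smallest.
        best = min((common_supernet(a, b) for a, b in zip(nets, nets[1:])),
                   key=lambda n: n.num_addresses)
        nets = list(ipaddress.collapse_addresses(nets + [best]))
    extra = sum(n.num_addresses for n in nets) - wanted
    return nets, extra

# Constructed sample: six remote subnets that do not aggregate exactly.
SAMPLE = ["10.0.1.0/24", "10.0.3.0/24", "10.20.0.0/24",
          "172.16.1.0/24", "192.168.1.0/24", "192.168.50.0/24"]

if __name__ == "__main__":
    selectors, extra = fit_to_limit(SAMPLE)
    for net in selectors:
        print(net)
    print("unrequested addresses now inside the tunnel:", extra)
```

A non-zero `extra` means the summarized selectors reach hosts that were never meant to be routed over the VPN, so those ranges need explicit firewall rules on both gateways.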