Setting up a site to site VPN on OC200
Hey everyone,
Looking for a little help on a site to site vpn I'm setting up between my house and the in-laws.
So I have dyndns account for my house, so I'm hoping to set up the ER7206 on my end as the VPN Server and I also got the OC200. But I'm a bit lost on the whole process, most of the guides I've looked at don't really seem to line up with the options available within the GUI of the Omada app.
Anyone have a good guide for this setup with Omada?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
If you don't have static IP's on both ends, you cannot do an Omada-controlled site-site VPN. However, you can setup an L2TP/IPsec client-site VPN with subnet routing if the server end has an updateable dyndns name, and the client end becomes the VPN initiator. Create the L2TP server on your end, and the L2TP client at the in-laws.
- Copy Link
- Report Inappropriate Content
Ok so I tried doing L2TP at the beginning and didn't have any luck in getting the routers to talk. But I also tried setting it up as PPTP and could ping both ends of the VPN tunnel, but nothing beyond it (like their printer).
Here is a diagram of how I've got the test connections set up:
- Copy Link
- Report Inappropriate Content
I can guarantee you that what you are trying to do will work :)
Couple of things though...you CANNOT replicate IP subnets on both sides of the tunnel like you have done with 192.168.0.X/24...so fix that for starters.
The other trick is to enable the 'route' mode of the L2TP Client-Server setup. Here is my User account as defined at my server end:
and at the client end, this is my VPN entry (sorry for all the redaction!)
Per above the Username/Password should match what was defined on your Server instance. Make sure you use 'Routing' mode.
For Remote Server, this is where you put the dyndns name of your Server's public IP.
Remote Subnets should include those subnet(s) at the server site that you want to make routable at the client site.
Local Networks should include those Remote Subnet entries you included in your client definition above but via local controller LAN names.
- Copy Link
- Report Inappropriate Content
Thank you for getting back to me.
***Great news, my DynDNS account allows me to creat up to 30 different address, so I can give me remote site its own DynDNS address!
So I just want to check my understanding on what you said, so my IP pool being 192.168.30.1 on both ends is a problem? Should I set it up like this?
- Copy Link
- Report Inappropriate Content
You only need 1 dyndns name and that's for the server.
You have site-to-site in your table and that should be client-site
YourHouse is the Server, here's my definition of the Server VPN, you have the VPN User definition on the server in the above post.
Your .10.x and .15.x no longer match your diagram above, however suffice it to say you don't want identical subnets visible to your ER605's, and per your diagram you had your local (Server) client subnet as 192.168.0.x and you also had the in-laws Rogers modem subnet as 192.168.0.x. My suggestion here is to reconfigure the in-laws 7206 to use 192.168.3.x to keep things unique.
I see you are planning to use 192.168.15.x for the VPN IP pool...that's fine...you can pretty much use any subnet you want. However, you shouldn't have any 'Remote Gateway' settings to configure, that will done automagically by Omada for you.
In my scenario, I have bridged the cable modem to the router at one end, and I have a PPPoE session setup through the FTTH at the other end. This means i essentially have public (dynamic) IP's on the WANs of both my routers. However, this is not necessary, you can and probably should, just make the routers the DMZ for each modem and call it a day, or if not willing to do that, then make SURE you have forwarded all the ports necessary for L2TP and IPsec from the modem to its respective router.
Now in your case:
Server: LAN=192.168.0.0/24, remote subnets 192.168.1.0/24
Client: LAN=192.168.1.0/24, local subnets 192.168.1.0/24
If I understand correctly, you want to be able to reach 192.168.1.x from your house, and have the in-laws reach 192.168.0.x from their house.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2145
Replies: 6
Voters 0
No one has voted for it yet.