Home

Forums

Stories

Knowledge Base

Business Community > Controllers > How to configure IPSec LAN to LAN VPN for multiple subnets

< Controllers

How to configure IPSec LAN to LAN VPN for multiple subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

How to configure IPSec LAN to LAN VPN for multiple subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Andy_Sch

2022-08-19 10:29:26 - last edited 2022-08-19 10:40:59

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2022-08-19

How to configure IPSec LAN to LAN VPN for multiple subnets

2022-08-19 10:29:26 - last edited 2022-08-19 10:40:59

Tags:

Hello together,

i try to find a solution, how to configure IPSec Lan 2 Lan for multiple subnets like this tutorial

-> How to configure IPSec LAN to LAN VPN for multiple subnets using the new GUI | TP-Link

We use Controller 5.4.6 as Software.

On our DC is the RTR ER7206 v1.0

Our Branches has ER605 v2.0

When I try to configure a Manual IP SecVPN the local networks are only available which a conigured as LAN Interfaces on the conrtoller.

In our Case the RTR in the DC is connected via Transfernet to a opensense Firewall. On the Firewall are the other subnets connected.

Has someone an idea how to solve the problem?

Regards

Andy

4 Reply

Somnus

LV5

2022-08-22 05:30:27

Posts: 1212

Helpful: 231

Solutions: 72

Stories: 0

Registered: 2021-06-14

Re:How to configure IPSec LAN to LAN VPN for multiple subnets

2022-08-22 05:30:27

@Andy_Sch Hi

10.10.40.0/24 is your opensense Firewall network? And "Omada" is the tplink router connected to the opensense Firewall?

If so, tplink router's VPN won't let you access 10.10.40.0/24. Tplink router can only create VPN tunnel between two tplink router's LAN networks. From what I understanding, 10.10.40.0/24 is on tplink router's WAN side

Andy_Sch

LV1

2022-08-22 06:28:45

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2022-08-19

Re:How to configure IPSec LAN to LAN VPN for multiple subnets

2022-08-22 06:28:45

@Somnus

Hi thank you for your answer.

No ! 10.10.40.0/24 and the other private Networks are on den LAN Side!

The Router is parallel connected to the WAN IF of the Firewall in a /29 Public IP Network.

The LAN Port of the RTR is connected via an internal Transfer Network to the firewall to connect to the Internal Networks.

d0ugmac1

LV5

2022-08-24 00:12:25

Posts: 2156

Helpful: 807

Solutions: 195

Stories: 0

Registered: 2022-03-05

Re:How to configure IPSec LAN to LAN VPN for multiple subnets

2022-08-24 00:12:25

@Andy_Sch

It should be enough to divide and conquer. Treat each Branch-DC VPN tunnel as it's own entity...so local subnets are those attached to LAN ports, and remote subnets are those that are reachable via the VPN tunnel connected to the WAN. As is that would let each branch site talk to the DC, but not each other. Now add Site B and C's addresses to the remote subnets for Site A's VPN tunnel and let the 7206 do the hairpin routing between tunnels at the DC for you. Repeat for sites B (A+C) and C (A+B).

<< Boycotting this site and these products until CANADIAN firmwares get some love >>

Andy_Sch

LV1

2022-08-26 07:14:25

Posts: 5

Helpful: 1

Solutions: 0

Stories: 0

Registered: 2022-08-19

Re:How to configure IPSec LAN to LAN VPN for multiple subnets

2022-08-26 07:14:25

After a long time of testing and experimenting, I have come to the conclusion that I will do without the central ER7206, as the limited functionality is too great.

I have now chosen my setup so that the ER605s in the offices terminate on the central opensense firewall via IPSec ikev2. This way I can also map the pseudo star topology for the VPN. Currently I am still stuck on the point that with IP Sec on a TP Link router in a VPN policy a maximum of 5 remote subnets are possible. But through clever subnetting, I will also be able to circumvent this issue.

I also got an answer from support about my issue after 5 days:

"If we understand correctly, you have multiple ER605s each creating a VPN with ER7206 and want the ER605s to be able to communicate with each other, in a pseudo star topology.

This is not possible with the Omada routers, in order to create a connection between each ER605 you need to create a VPN tunnel between each of them.

Thank you for your support and confidence in our product. "

I found the answer a little poor. When I asked about it, I have not yet received an answer.

I am also surprised that dynamic routing is missing on the routers.

I was actually on the verge of throwing TP-Link out again. However, I am convinced of the controller and the simplicity for my colleagues.
The only way now is to take the complexity out of the network again and build everything according to the motto Keep it Simple and hope that it doesn't become insecure.

I hope that I will get further with this path.

Andy

How to configure IPSec LAN to LAN VPN for multiple subnets

How to configure IPSec LAN to LAN VPN for multiple subnets

Information

Voters 0

Tags