How to configure IPSec LAN to LAN VPN for multiple subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

How to configure IPSec LAN to LAN VPN for multiple subnets

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
How to configure IPSec LAN to LAN VPN for multiple subnets
How to configure IPSec LAN to LAN VPN for multiple subnets
2022-08-19 10:29:26 - last edited 2022-08-19 10:40:59
Tags: #VPN

Hello together,

 

i try to find a solution, how to configure IPSec Lan 2 Lan for multiple subnets like this tutorial

 

-> How to configure IPSec LAN to LAN VPN for multiple subnets using the new GUI | TP-Link

 

We use Controller 5.4.6 as Software.

 

On our DC is the RTR ER7206 v1.0

Our Branches has ER605 v2.0

 

When I try to configure a Manual IP SecVPN the local networks are only available which a conigured as LAN Interfaces on the conrtoller.

 

 

In our Case the RTR in the DC is connected via Transfernet to a opensense Firewall. On the Firewall are the other subnets connected. 

 

 

 

 

Has someone an idea how to solve the problem?

 

Regards

 

Andy

  0      
  0      
#1
Options
4 Reply
Re:How to configure IPSec LAN to LAN VPN for multiple subnets
2022-08-22 05:30:27

  @Andy_Sch Hi

 

10.10.40.0/24 is your opensense Firewall network? And "Omada" is the tplink router connected to the opensense Firewall?

 

If so, tplink router's VPN won't let you access 10.10.40.0/24. Tplink router can only create VPN tunnel between two tplink router's LAN networks. From what I understanding, 10.10.40.0/24 is on tplink router's WAN side

  0  
  0  
#2
Options
Re:How to configure IPSec LAN to LAN VPN for multiple subnets
2022-08-22 06:28:45

  @Somnus 

 

Hi thank you for your answer. 

 

No ! 10.10.40.0/24 and the other private Networks are on den LAN Side! 

 

The Router is parallel connected to the WAN IF of the Firewall in a /29 Public IP Network.

 

The LAN Port of the RTR  is connected via an internal Transfer Network to the firewall to connect to the Internal Networks. 

 

 

  0  
  0  
#3
Options
Re:How to configure IPSec LAN to LAN VPN for multiple subnets
2022-08-24 00:12:25

  @Andy_Sch 

 

It should be enough to divide and conquer.  Treat each Branch-DC VPN tunnel as it's own entity...so local subnets are those attached to LAN ports, and remote subnets are those that are reachable via the VPN tunnel connected to the WAN.  As is that would let each branch site talk to the DC, but not each other.  Now add Site B and C's addresses to the remote subnets for Site A's VPN tunnel and let the 7206 do the hairpin routing between tunnels at the DC for you.  Repeat for sites B (A+C) and C (A+B).

<< Paying it forward, one juicy problem at a time... >>
  0  
  0  
#4
Options
Re:How to configure IPSec LAN to LAN VPN for multiple subnets
2022-08-26 07:14:25

 

After a long time of testing and experimenting, I have come to the conclusion that I will do without the central ER7206, as the limited functionality is too great. 

I have now chosen my setup so that the ER605s in the offices terminate on the central opensense firewall via IPSec ikev2. This way I can also map the pseudo star topology for the VPN. Currently I am still stuck on the point that with IP Sec on a TP Link router in a VPN policy a maximum of 5 remote subnets are possible. But through clever subnetting, I will also be able to circumvent this issue.

 

I also got an answer from support about my issue after 5 days: 

 

"If we understand correctly, you have multiple ER605s each creating a VPN with ER7206 and want the ER605s to be able to communicate with each other, in a pseudo star topology.

This is not possible with the Omada routers, in order to create a connection between each ER605 you need to create a VPN tunnel between each of them.

Thank you for your support and confidence in our product. "


  

I found the answer a little poor. When I asked about it, I have not yet received an answer.

 

I am also surprised that dynamic routing is missing on the routers. 

 

I was actually on the verge of throwing TP-Link out again. However, I am convinced of the controller and the simplicity for my colleagues. 
The only way now is to take the complexity out of the network again and build everything according to the motto Keep it Simple and hope that it doesn't become insecure.

 

I hope that I will get further with this path.

 

BR 

Andy

  0  
  0  
#5
Options

Information

Helpful: 0

Views: 891

Replies: 4

Tags

VPN
Related Articles