Mesh Style VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-10-26 04:59:43 - last edited 2023-11-09 01:18:43
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Hi all,

 

My place of work is wanting to install an ER8411 router at the main site and have 3 other sites (Shed, Town 1, Town 2) VPN to the main site but also be able to mesh between each other in the event a link drops somewhere. I know a hub-and-spoke design is possible pretty easily.

 

Is it possible to do this mesh style VPN with ER605s at the other sites? I've not found anything in my research. I may be searching for the wrong information though.

 

Any help is appreciated.

  0      
  0      
#1
5 Reply
Re:Mesh Style VPN-Solution
2023-10-27 01:44:54 - last edited 2023-11-09 01:19:24

Hi @Reaper_1994 

Thanks for posting in our business forum.

That'll be IPsec site-to-site VPN. You gotta create multiple ones to map your whole network.

Doable. But we don't have instructions for this. You can refer to the site-to-site setup. It's the same, but done multiple times to create the tunnels between the sites.

I'd recommend you do this with a map on your end. So you know which two sites have been connected.

 

Connecting Three VPN Routers of Different Geographic Locations Using IPSec VPN

Best Regards!
Recommended Solution
  0  
  0  
#2
Re:Mesh Style VPN
2023-10-27 13:20:26

  @Clive_A Thank you Clive!

 

By just doing the site-to-site VPNs, say the link between Site A and Site B was to go down, would traffic be able to route from Site A through Site C to get to Site B?

  0  
  0  
#3
Re:Mesh Style VPN-Solution
2023-10-30 18:52:52 - last edited 2023-11-09 01:18:43

  @Reaper_1994 

 

You have to manually mesh the sites with IPsec VPNs, so for 4 sites, you have 6 tunnels (think of a square plus two diagonals):

 

SiteA--SiteB (VPN tunnel1)

SiteA--SiteC (VPN tunnel2)

SiteA--SiteD (VPN tunnel3)

SiteB--SiteC (VPN tunnel4)

SiteB--SiteD (VPN tunnel5)

SiteC--SiteD (VPN tunnel6)

 

You also have to add some routing, either dynamic via protocol, or static via fixed weights on each route. Let's look at SiteA trying to reach SiteC.

 

Site C:

SiteA-SiteC is already taken care of directly when the tunnel is up. 

You would likely prefer one path over another, so let's say A-B is a better link than A-D, so now

Route SiteC via SiteB weight 10

Route SiteC via SiteD weight 20

 

You need to repeat this pair of routes for each possible destination site from SiteA:

Site B:

Route SiteB (tunnel takes care of)

Route SiteB via SiteC weight 10 (preferred).  A-C-B

Route SiteB via SiteD weight 20 (backup). A-D-B

 

and again for Site D:

 

That way, if say the A-C link is broken, you can go ABC (preferred) or ADC (backup).

 

AFAIK, there is no auto-magic version of this in Omada today.

<< Paying it forward, one juicy problem at a time... >>
Recommended Solution
  1  
  1  
#4
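The plan from the reply above, worked through as an added example (not part of the original thread and not TP-Link or Omada tooling): it lists the tunnels of a full mesh, builds SiteA's weighted backup routes, and shows which path is used when tunnels fail. The cost table and all function names are assumptions made for this illustration.

```python
from itertools import combinations

SITES = ["SiteA", "SiteB", "SiteC", "SiteD"]
# Constructed link costs as seen from SiteA (lower = better link). The post only
# says A-B is better than A-D; placing A-C between them is an assumption.
COST_FROM_A = {"SiteB": 1, "SiteC": 2, "SiteD": 3}

def full_mesh_tunnels(sites):
    """One site-to-site tunnel per unordered pair of sites: n*(n-1)/2."""
    return [frozenset(pair) for pair in combinations(sites, 2)]

def backup_routes(source, sites, cost):
    """Per destination, rank the transit sites by the cost of the source's
    link to them and assign weights 10, 20, ... (lowest weight = preferred)."""
    table = {}
    for dest in sites:
        if dest == source:
            continue
        transits = sorted((s for s in sites if s not in (source, dest)),
                          key=lambda s: cost[s])
        table[dest] = [(via, 10 * (i + 1)) for i, via in enumerate(transits)]
    return table

def pick_path(source, dest, routes, down=()):
    """Path used from source to dest once the tunnels in `down` have failed."""
    def up(a, b):
        return frozenset((a, b)) not in down
    if up(source, dest):
        return [source, dest]            # direct tunnel, no static route needed
    for via, _weight in routes[dest]:    # entries are already ordered by weight
        if up(source, via) and up(via, dest):
            return [source, via, dest]
    return None                          # no two-hop path left

if __name__ == "__main__":
    routes = backup_routes("SiteA", SITES, COST_FROM_A)
    print(len(full_mesh_tunnels(SITES)), "tunnels")
    for dest, entries in routes.items():
        print(dest, entries)
    broken = {frozenset(("SiteA", "SiteC"))}
    print(pick_path("SiteA", "SiteC", routes, down=broken))
```

With policy-based IPsec in general, a backup route only carries traffic if the tunnel's local and remote subnet selectors also cover the transit traffic, so check those on each tunnel as well as the static routes.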
Re:Mesh Style VPN
2023-10-31 14:09:48

  @Reaper_1994 

 

say the link between site A and Site B was to go down, would traffic be able to route from Site A through Site C to get to Site B?

 

But in reality, once the VPN is configured, what can cause the link from A to B to go down? Only an internet failure, in which case the link from A to C is down as well!

  0  
  0  
#5
Re:Mesh Style VPN
2023-11-03 12:44:44 - last edited 2023-11-03 12:46:57

  @MisterW 
But in reality, once the VPN is configured, what can cause the link from A to B to go down? Only an internet failure, in which case the link from A to C is down as well!

 

There aren't many or any reasons a site-to-site VPN should drop; however, it is something that I would like to ensure there is a failover/backup option available for in the event it ever did, to ensure there is little to no downtime.

 

I just read your other reply too. Thank you!

 

So setting up static routes in the other sites is recommended to ensure there is a backup route. That's great to know as I was unsure what would have been required.

  0  
  0  
#6