Routing inconsistent with s2s tunnel

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-13 10:03:58 - last edited 2023-11-14 15:46:05
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: ER605 v1.0 1.3.0

I am facing a problem for which I have not been able to identify the root cause. I have an IKEv1 site-to-site tunnel between an ER605 and an EdgeRouter X. The tunnel is up and working, but some of my clients are not able to access its subnet.

As a test I tried to do a tracert (Windows) and traceroute (Linux) from multiple clients on the ER605 side, trying to trace the route to the EdgeRouter.

Some clients show 2 hops: hop 1 is the ER605 gateway and hop 2 is the EdgeRouter.

Other clients never complete the traceroute: hop 1 is the ER605 gateway and hop 2 goes out to the internet.

I looked at the routing table in the Insight pane of Omada and there is nothing out of the ordinary. I even tried to create a static route with the next hop being the IP of the EdgeRouter X, but that did not help.

Can anyone point me in a direction to identify the cause of this weird behaviour?

Thank you

Re:Routing inconsistent with s2s tunnel
2023-11-13 11:35:34

@S3rg3 The issue you're experiencing with the IKEv1 site-to-site tunnel between the ER605 and EdgeRouter X, where some clients are unable to access the subnet, seems to be related to routing inconsistencies. Since some clients can trace the route correctly through both hops (ER605 and EdgeRouter), while others are diverted to the internet after the first hop, it suggests there might be a problem with how certain clients' traffic is being routed. This could be due to various factors such as IP routing conflicts, subnet mask mismatches, or access control list (ACL) settings on the ER605. Checking these settings and ensuring that all clients are configured correctly to follow the intended path through the tunnel could help resolve the issue. Additionally, verifying that the static route you created is correctly configured and active, and that there are no conflicting routes in the routing table, might also assist in troubleshooting this problem.
Re:Routing inconsistent with s2s tunnel
2023-11-13 18:07:08 - last edited 2023-11-13 18:14:59

@S3rg3

I don't know how the EdgeRouter is configured, but I assume it's something similar to the UniFi USG: there are two choices, route-based and policy-based VPN.

A third-party router is recommended for policy-based routing; then you must create a route to the remote network and select the VPN interface.

But as I said, I don't know if it's quite the same on the EdgeRouter.

On the UXG-Pro and UDM-Pro I use route-based VPN to an ER8411 and it works, but I have not tested older routers like the USG to TP-Link.

If you can, show us a screenshot of the VPN configuration of the EdgeRouter.

The TP-Link routers are actually quite good at site-to-site IPsec VPN, so I don't think the fault lies there, but if you have a screen of TP-Link to
Re:Routing inconsistent with s2s tunnel
2023-11-14 02:03:36

Hi @S3rg3 

Thanks for posting in our business forum.

Like MR.S said, I am very suspicious about your description when you wrote:

S3rg3 wrote

As a test I tried to do a tracert (Windows) and traceroute (Linux) from multiple clients on the ER605 side, trying to trace the route to the EdgeRouter.

Some clients show 2 hops: hop 1 is the ER605 gateway and hop 2 is the EdgeRouter.

Other clients never complete the traceroute: hop 1 is the ER605 gateway and hop 2 goes out to the internet.

So, have you verified your settings are correct? Is there a misconfiguration in your site-to-site setting?

I don't believe that the VPN would incorrectly route it in that way.

If your IP is a private IP address, it'll follow the IPsec routing table strictly. It should not route to the Internet on the 2nd hop.

Would love to see your verification steps with screenshots, problem explanation with screenshots, and network diagram and config. Will follow it up. No worries.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:Routing inconsistent with s2s tunnel-Solution
2023-11-14 15:46:00 - last edited 2023-11-14 15:46:05

Thank you for all your comments! I was not expecting multiple people and someone from TP-Link to answer so fast. After reading all the comments I made a list and went through them one by one. I then started typing a response and taking screenshots with the hope of getting some additional help from all of you. As I did, I noticed something wrong in the tunnel configuration on the EdgeRouter side. My LAN on the ER605 is 192.168.200.0/21, but on the EdgeRouter I had entered 192.168.200.0/23, and it finally clicked. The EdgeRouter sends the LAN IP to the ER605, which gets configured on the tunnel and is also displayed under VPN status. All my clients with IPs above 192.168.201.255 were not able to traverse the tunnel.

Thank you again for the support. I feel dumb having spent a few days trying to fix it. I even set up a Cloudflare tunnel because I was convinced it was a bug in the ER605.

Recommended Solution
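As an added example (not code from the thread, nor from TP-Link or Ubiquiti), here is a small Python check for the misconfiguration the solution post describes and for the symptom the TP-Link reply predicts: the phase-2 traffic selectors on a site-to-site IPsec tunnel must mirror each other on both peers, and a client whose address falls outside the negotiated selector never matches the IPsec policy, so its packets follow the ordinary routing table (the default route toward the WAN) instead of the tunnel. It goes slightly beyond the thread by also reporting a selector that is too broad or not nested at all. The site names, the EdgeRouter LAN (10.10.0.0/24), the config dict layout and the client addresses are assumptions constructed for the example.

```python
"""Added example (not from the thread or either vendor): consistency check for
IPsec phase-2 traffic selectors on a site-to-site tunnel.

It models the mismatch the OP found: the ER605 LAN is 192.168.200.0/21, but the
EdgeRouter had 192.168.200.0/23 as the remote network, so only
192.168.200.0-192.168.201.255 matched the tunnel policy.  The EdgeRouter LAN
(10.10.0.0/24), site names and client addresses are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network


def selector_findings(site_a: Dict[str, str], site_b: Dict[str, str]) -> List[str]:
    """Compare what each peer believes about the other peer's LAN.

    A site is {"name": ..., "local": "cidr", "remote": "cidr"}.  For a working
    tunnel A.remote must equal B.local and B.remote must equal A.local.
    Returns one finding per mismatch; an empty list means the selectors mirror.
    """
    findings: List[str] = []
    for here, there in ((site_a, site_b), (site_b, site_a)):
        actual = Net(here["local"])       # what this site really has
        believed = Net(there["remote"])   # what the peer was told about it
        if actual == believed:
            continue
        if believed.subnet_of(actual):
            lost = actual.num_addresses - believed.num_addresses
            detail = f"too narrow, {lost} addresses of {actual} cannot use the tunnel"
        elif actual.subnet_of(believed):
            detail = "too broad, traffic for addresses outside the real LAN is pulled into the tunnel"
        else:
            detail = "selectors neither match nor nest, tunnel will not carry this LAN"
        findings.append(
            f"{there['name']} remote={believed} vs {here['name']} local={actual}: {detail}"
        )
    return findings


def path_for_client(client_ip: str, local_selector: str) -> str:
    """Where a packet from client_ip bound for the remote site goes.

    Inside the negotiated local selector it is encapsulated into the tunnel;
    otherwise it misses the IPsec policy and follows the routing table, i.e. the
    default route toward the WAN (the 'hop 2 goes out to the internet' symptom).
    """
    if ipaddress.IPv4Address(client_ip) in Net(local_selector):
        return "ipsec-tunnel"
    return "default-route"


def excluded_clients(lan: str, selector: str, clients: List[str]) -> List[str]:
    """Clients on the LAN that the peer's selector does not cover."""
    return [
        c for c in clients
        if ipaddress.IPv4Address(c) in Net(lan)
        and path_for_client(c, selector) == "default-route"
    ]


# Constructed sample: the OP's LAN, the typo on the EdgeRouter side, and the fix.
ER605 = {"name": "ER605", "local": "192.168.200.0/21", "remote": "10.10.0.0/24"}
EDGEROUTER_BAD = {"name": "EdgeRouter", "local": "10.10.0.0/24", "remote": "192.168.200.0/23"}
EDGEROUTER_FIXED = {"name": "EdgeRouter", "local": "10.10.0.0/24", "remote": "192.168.200.0/21"}
CLIENTS = ["192.168.200.50", "192.168.201.200", "192.168.202.10", "192.168.207.254"]

if __name__ == "__main__":
    for finding in selector_findings(ER605, EDGEROUTER_BAD):
        print("FINDING:", finding)
    print("excluded with /23:", excluded_clients(ER605["local"], EDGEROUTER_BAD["remote"], CLIENTS))
    print("excluded with /21:", excluded_clients(ER605["local"], EDGEROUTER_FIXED["remote"], CLIENTS))
```

The same comparison is what you do by hand when the VPN status page shows a negotiated selector that is smaller than the LAN: every address above the selector's broadcast address (here 192.168.201.255) will show the two-hop-to-internet traceroute, because nothing in the IPsec policy claims it.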
Re:Routing inconsistent with s2s tunnel
2023-11-15 01:07:20

Hi @S3rg3

S3rg3 wrote

Thank you for all your comments! I was not expecting multiple people and someone from TP-Link to answer so fast. After reading all the comments I made a list and went through them one by one. I then started typing a response and taking screenshots with the hope of getting some additional help from all of you. As I did, I noticed something wrong in the tunnel configuration on the EdgeRouter side. My LAN on the ER605 is 192.168.200.0/21, but on the EdgeRouter I had entered 192.168.200.0/23, and it finally clicked. The EdgeRouter sends the LAN IP to the ER605, which gets configured on the tunnel and is also displayed under VPN status. All my clients with IPs above 192.168.201.255 were not able to traverse the tunnel.

Thank you again for the support. I feel dumb having spent a few days trying to fix it. I even set up a Cloudflare tunnel because I was convinced it was a bug in the ER605.

This happens to anyone. Even skilled people make mistakes. I was once in your shoes. No worries. I felt dumb too when I found out it was my mistake or a typo in the config that messed things up.

Glad it's been resolved.

Best Regards!