Reach Web Service through the IPSec VPN

2024-05-25 09:21:45 - last edited 2024-05-28 05:54:19
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.4.1

Hello there,

 

I want to reach some specific IP address through the VPN, but cannot do it.

 

First, the configuration: I have ER7206 as my router and manage it with my OC-200 controller. My ISP modem works in bridge mode, so when I check the IP address of the WAN connection, I see directly my public IP address on my router.

 

I have an IPSec site-to-site VPN connection with a partner. I can reach some specific subnet directly through this VPN and call some web services on partner side. No problem in that. Here is the VPN Status page on Omada Controller (I blurred out sensitive info).

 

 

With this configuration, I can access a service on, for example, 10.0.148.15 from my PC with a local IP address of, for example, 172.17.93.8.

 

Here is my problem: My partner tries to give me access to another third-party service (they have site-to-site VPN). I need to access that service through the same VPN connection. To do that, I defined a static routing through the Omada Controller like this:

 

 

My partner also did necessary configuration on his side.

 

However, when I define this route, I cannot access the third-party service. Interestingly, when I run a traceroute on my PC to the destination third-party service IP, there is no difference between the result when I define the route and the result when I do not define the route. I mean, I run a traceroute to the destination IP and get a table of IP addresses as a result with ping values. After that, I define the static route and run a traceroute, and I get exactly the same table. It seems that the route definition has no effect. I want the data to go through the site-to-site VPN we established with my partner.

 

What am I doing wrong? I will happily post more info and screenshots if necessary.

1 Accepted Solution
Re:Reach Web Service through the IPSec VPN-Solution
2024-05-25 12:18:36 - last edited 2024-05-28 05:54:19

Hi  @beawolf 

Nope. That does not look right. You should follow this guide: Connecting Three VPN Routers of Different Geographic Locations Using IPSec VPN

Note that you have to configure the subnets on the IPsec instead of creating static routing which does not work for the VPN tunnel yet.

Best Regards!
4 Reply
Re:Reach Web Service through the IPSec VPN
2024-05-27 12:09:29

  @Clive_A I examined the guide you mentioned thoroughly (this is why I reply a bit late), thank you. As I understand, I need to add that IP or IP block as the remote subnet in VPN tunnel definition.

 

This is the only way of doing it with Omada (by using controller or standalone router), right? On devices with different brands (e.g. Palo Alto, Fortinet), the VPN tunnel can be selected from the Interface dropdown when defining a static route. However, on Omada, the Interface dropdown only lists the WAN/LAN interfaces. Am I correct?

Re:Reach Web Service through the IPSec VPN
2024-05-28 01:06:31

Hi @beawolf 

Thanks for posting in our business forum.

beawolf wrote

  @Clive_A I examined the guide you mentioned thoroughly (this is why I reply a bit late), thank you. As I understand, I need to add that IP or IP block as the remote subnet in VPN tunnel definition.

 

This is the only way of doing it with Omada (by using controller or standalone router), right? On devices with different brands (e.g. Palo Alto, Fortinet), the VPN tunnel can be selected from the Interface dropdown when defining a static route. However, on Omada, the Interface dropdown only lists the WAN/LAN interfaces. Am I correct?

I don't have a comment on the other vendors. Sorry about that. I don't have the experience with them.

Adding the subnet would do it on ours. You don't have to create the static routing as it is not effective to the VPN tunnels. The Remote Subnet is what's important here. Not the interface. The interface is about the WAN.

Best Regards!
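The behaviour described in the replies above, as an added example that is not part of the original thread and is not TP-Link's code: a simplified model in which traffic enters the tunnel only when its source and destination match the tunnel's local and remote subnets, and static routes are never consulted. The /24 prefixes and the 192.0.2.0/24 third-party range are constructed assumptions; the thread gives only the hosts 172.17.93.8 and 10.0.148.15.

```python
import ipaddress

# Constructed values: the thread gives only the hosts 172.17.93.8 and
# 10.0.148.15; the /24 prefixes and 192.0.2.0/24 are assumptions.
LOCAL_SUBNET = "172.17.93.0/24"
PARTNER_SUBNET = "10.0.148.0/24"
THIRD_PARTY_SUBNET = "192.0.2.0/24"


def selectors(local_subnets, remote_subnets):
    """Build the (local, remote) subnet pairs a tunnel definition covers."""
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for loc in local_subnets for rem in remote_subnets]


def egress(src, dst, tunnel_selectors, static_routes=()):
    """Return 'ipsec' when (src, dst) matches a selector pair, else 'wan'.

    static_routes is accepted but never consulted, mirroring the reply that
    static routing is not effective for the VPN tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in tunnel_selectors:
        if s in local and d in remote:
            return "ipsec"
    return "wan"


def uncovered(src, destinations, tunnel_selectors):
    """List destinations that would leave through the WAN, outside the tunnel."""
    return [d for d in destinations if egress(src, d, tunnel_selectors) == "wan"]


# Tunnel as first configured, then with the third-party range added
# as a second Remote Subnet.
before = selectors([LOCAL_SUBNET], [PARTNER_SUBNET])
after = selectors([LOCAL_SUBNET], [PARTNER_SUBNET, THIRD_PARTY_SUBNET])

if __name__ == "__main__":
    pc = "172.17.93.8"
    for dst in ("10.0.148.15", "192.0.2.10"):
        print(dst, "before:", egress(pc, dst, before),
              "after:", egress(pc, dst, after))
```

Running `uncovered()` over the list of partner and third-party addresses you expect to be protected is a quick way to spot destinations that would leave through the WAN instead of the tunnel.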
Re:Reach Web Service through the IPSec VPN
2024-05-28 05:54:09

  @Clive_A I had some confusion about this, but now it is clear. Thank you very much and take care. :)
