ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
We've got a site to site VPN setup for a remote office that has multiple subnets.
Site 1 (Main site) - TP-Link Omada ER8411
192.168.20.X
Site 2 (Remote site) - Draytek Vigor 3900 (To be replaced at the end of the year hopefully)
192.168.40.X - Working
192.168.55.X - Not working
192.168.112.X - Not working
192.168.121.X - Not working
When trying to route to 192.168.40.X from 192.168.20.X, no issues.
When trying to route to 192.168.55.X from 192.168.20.X, the ER8411 routes via WAN instead of the VPN.
Adding a static route does not fix it.
I'm not able to find a reason the router is not directing the traffic correctly.
Trace route shows it going via the router then out to the ISP router on a completely different subnet to our public IP.
These all worked prior to changing to the ER8411 from a Vigor 3900. The VPN policy at the other end was not changed beyond the proposal settings so I consider the other end "untouched".
VPN Policy settings
Is there something I'm missing or is this a bug?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
The system does not support static routing for the VPN subnets. Not applicable to the tunnel.
Your remote site should contain all the listed Remote Subnets in the ER8411 in the "local subnet" area of the third-party VPN. That's a site-to-site connection.
- Copy Link
- Report Inappropriate Content
Hi Clive,
Thank you for your reply. I'm not sure I understand this correctly as it doesn't make sense as to why I cannot route over the site to site VPN. With the previous Draytek to Draytek, it worked.
I might have explained it wrong or showed the wrong details so please correct me or ask more questions if it's not clear.
The fact that I cannot get to the 55.X subnet and the others but the main 40.x subnet works says that the site to site is up however there is no route to the other subnets.
What is the point of having the additional remote subnets section if we cannot route to them?
Clive_A wrote
Your remote site should contain all the listed Remote Subnets in the ER8411 in the "local subnet" area of the third-party VPN. That's a site-to-site connection.
Are you saying I need to setup the 192.168.55.x subnet as a VLAN on the ER8411, add it to the local subnet area and then I should be able to access that subnet from the ER8411 to the Draytek end or am I reading your response incorrectly?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
TCWGEngineers wrote
Hi Clive,
Thank you for your reply. I'm not sure I understand this correctly as it doesn't make sense as to why I cannot route over the site to site VPN. With the previous Draytek to Draytek, it worked.
I might have explained it wrong or showed the wrong details so please correct me or ask more questions if it's not clear.
The fact that I cannot get to the 55.X subnet and the others but the main 40.x subnet works says that the site to site is up however there is no route to the other subnets.
What is the point of having the additional remote subnets section if we cannot route to them?
Clive_A wrote
Your remote site should contain all the listed Remote Subnets in the ER8411 in the "local subnet" area of the third-party VPN. That's a site-to-site connection.
Are you saying I need to setup the 192.168.55.x subnet as a VLAN on the ER8411, add it to the local subnet area and then I should be able to access that subnet from the ER8411 to the Draytek end or am I reading your response incorrectly?
Any routing you set do not apply to the VPN tunnels.
These are mainly about the NAT. Static routing is not entirely about the NAT but it does not apply to the VPN tunnel.
What subnets you would like to route can only be configured in the IPsec settings where you see "Local Subnets" and "Remote Subnets". Rest of the settings you've done somewhere else would not take efffect. That's what I mean.
You might wanna draw a diagram for me to understand your situation now.
If it is IPsec, it should work correctly as you configured. Not sure about your third-party, but AFAIK, IPsec S2S can and should work as what's been configured.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@bambinotenchie Hi Bamibino,
I've tried updating to 1.2.1 and had too many issues with it. The router drops out, re-adopts and reboots in the middle of the work day after changing settings in a VPN connection causing multiple users (staff and customers who remote in) to complain. I don't have a way to safely replicate the fault and respond to the fault ticket without buying a second ER8411 so we've stuck to 1.2.0 where it doesn't have the issue.
Regarding the multiple VPN's, we would have to set up so many VPN connections if we were to do it that way. We've got roughly 12 VLAN's to interact with at the other end where the Draytek is.
@Clive_A Here is a diagram of the setup
Our workstations sit on the internal LAN as there are multiple customer VLAN's on the same router (Inter-VLAN routing is another issue for another day). We're trying to get to a QNAP NAS on 192.168.1XX.XX that is located on the Draytek end. I have tried VM's on the External LAN and our workstations to no avail.
Unfortunately, as shown, the "remote networks" section in the IPSec VPN on the ER8411 does not work in this configuration.
Is there a better way to do this or should we just get another ER8411 asap at the far end?
- Copy Link
- Report Inappropriate Content
The current version is 1.2.2. Maybe you could try the new version? . Do you have a similar spare router to try?
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Unfortunately, I do not have a spare router to test it with. I have scheduled the upgrade to 1.2.1 and then a second upgrade to happen tonight at 1am and 2am.
Hopefully there are no issues tomorrow.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 540
Replies: 14
Voters 0
No one has voted for it yet.