ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN

2024-09-13 06:20:06 - last edited 2024-09-14 02:20:44
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.2.0 Build 20231214 Rel.77035

We've got a site to site VPN setup for a remote office that has multiple subnets.

 

Site 1 (Main site) - TP-Link Omada ER8411

192.168.20.X

 

Site 2 (Remote site) - Draytek Vigor 3900 (To be replaced at the end of the year hopefully)

192.168.40.X - Working

192.168.55.X - Not working

192.168.112.X - Not working

192.168.121.X - Not working

 

When trying to route to 192.168.40.X from 192.168.20.X, no issues.

When trying to route to 192.168.55.X from 192.168.20.X, the ER8411 routes via WAN instead of the VPN.

Adding a static route does not fix it.

I'm not able to find a reason the router is not directing the traffic correctly.

 

Trace route shows it going via the router then out to the ISP router on a completely different subnet to our public IP.

 

These all worked prior to changing to the ER8411 from a Vigor 3900. The VPN policy at the other end was not changed beyond the proposal settings so I consider the other end "untouched".

 

VPN Policy settings

 

Is there something I'm missing or is this a bug?

#1
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-13 06:50:27 - last edited 2024-09-13 06:53:12

Hi @TCWGEngineers 

Thanks for posting in our business forum.

The system does not support static routing for the VPN subnets. Not applicable to the tunnel.

Your remote site should contain all the listed Remote Subnets in the ER8411 in the "local subnet" area of the third-party VPN. That's a site-to-site connection.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-16 00:40:36

  @Clive_A 

 

Hi Clive,

 

Thank you for your reply. I'm not sure I understand this correctly as it doesn't make sense as to why I cannot route over the site to site VPN. With the previous Draytek to Draytek, it worked.

I might have explained it wrong or showed the wrong details so please correct me or ask more questions if it's not clear.

 

The fact that I cannot get to the 55.X subnet and the others but the main 40.x subnet works says that the site to site is up however there is no route to the other subnets.

What is the point of having the additional remote subnets section if we cannot route to them?

 

Clive_A wrote

Your remote site should contain all the listed Remote Subnets in the ER8411 in the "local subnet" area of the third-party VPN. That's a site-to-site connection.

Are you saying I need to set up the 192.168.55.x subnet as a VLAN on the ER8411, add it to the local subnet area and then I should be able to access that subnet from the ER8411 to the Draytek end, or am I reading your response incorrectly?

#3
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-18 01:44:06

Hi @TCWGEngineers 

Thanks for posting in our business forum.

TCWGEngineers wrote

Are you saying I need to set up the 192.168.55.x subnet as a VLAN on the ER8411, add it to the local subnet area and then I should be able to access that subnet from the ER8411 to the Draytek end, or am I reading your response incorrectly?

Any routing you set does not apply to the VPN tunnels.

These are mainly about the NAT. Static routing is not entirely about the NAT, but it does not apply to the VPN tunnel.

The subnets you would like to route can only be configured in the IPsec settings where you see "Local Subnets" and "Remote Subnets". The rest of the settings you've done somewhere else would not take effect. That's what I mean.

 

You might wanna draw a diagram for me to understand your situation now.

If it is IPsec, it should work correctly as you configured. Not sure about your third-party, but AFAIK, IPsec S2S can and should work as what's been configured.

Best Regards!
#4
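A worked model of the point made in this reply, added here as an example and not code from the thread, the ER8411 firmware or the Draytek: in policy-based IPsec the (local subnet, remote subnet) selector pairs decide what enters the tunnel, each pair has to be mirrored on the peer, and the routing table only ever sees the packets the selectors did not claim. The subnets are the ones from the thread; the two Draytek policies, the routing table and the next-hop addresses are constructed for illustration, and the model itself is an assumption about how a policy-based tunnel behaves, not something the page confirms about either product.

```python
"""Simplified model of policy-based IPsec traffic selection (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product


@dataclass(frozen=True)
class Policy:
    """One site-to-site policy as entered on one peer (networks are IPv4Network)."""
    name: str
    local: tuple
    remote: tuple


def selector_pairs(policy):
    """Every (local, remote) pair the policy offers; in IKEv2 each becomes its own child SA."""
    return set(product(policy.local, policy.remote))


def negotiated_pairs(initiator, responder):
    """Pairs both sides accept. The initiator's (local, remote) must appear
    mirrored as (remote, local) on the responder; unmatched pairs get no SA
    (IKEv2 answers them with TS_UNACCEPTABLE), so their traffic is never protected."""
    mirrored = {(rem, loc) for loc, rem in selector_pairs(responder)}
    return selector_pairs(initiator) & mirrored


def dispatch(src, dst, agreed_pairs, routes):
    """How the initiator forwards one packet in this model.

    An agreed selector pair wins: ('tunnel', (local, remote)).  Otherwise the
    plaintext path is taken through the routing table by longest prefix:
    ('route', next_hop).  A static route can change that next hop, but it can
    never move a packet into the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in agreed_pairs:
        if src in local and dst in remote:
            return ("tunnel", (str(local), str(remote)))
    best = max((net for net in routes if dst in net), key=lambda net: net.prefixlen)
    return ("route", routes[best])


# Subnets from the thread. Site 1 bundles all four remote subnets in one policy.
ER8411 = Policy(
    "to-site2",
    local=(ip_network("192.168.20.0/24"),),
    remote=tuple(ip_network(n) for n in ("192.168.40.0/24", "192.168.55.0/24",
                                         "192.168.112.0/24", "192.168.121.0/24")),
)
# Constructed: a remote policy that lists only the main subnet as "local".
DRAYTEK_AS_IS = Policy("to-site1", local=(ip_network("192.168.40.0/24"),),
                       remote=(ip_network("192.168.20.0/24"),))
# Constructed: the same policy with every subnet Site 1 expects listed as local.
DRAYTEK_FIXED = Policy("to-site1", local=ER8411.remote, remote=ER8411.local)

# Constructed routing table: default via the ISP gateway plus the static route
# the original poster tried (next hops are documentation addresses, not real ones).
ROUTES = {
    ip_network("0.0.0.0/0"): "198.51.100.1",
    ip_network("192.168.55.0/24"): "203.0.113.2",
}


def demo(responder):
    """Outcome for one packet per remote subnet against a given remote policy."""
    agreed = negotiated_pairs(ER8411, responder)
    return {str(net): dispatch("192.168.20.10", str(net[5]), agreed, ROUTES)[0]
            for net in ER8411.remote}


if __name__ == "__main__":
    for label, pol in (("as-is", DRAYTEK_AS_IS), ("fixed", DRAYTEK_FIXED)):
        print(label, demo(pol))
```

With the as-is remote policy only the 192.168.40.0/24 pair is agreed, so a packet for 192.168.55.5 is sent in plaintext to whatever the routing table says (here the static route's next hop, which is still the WAN side), matching the traceroute the original poster saw. Listing all four subnets on the remote side makes every pair negotiable and all four go through the tunnel.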
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-18 04:07:23
Hi, we have a similar setup based on the screenshot. What IKE protocol version are you using? I'm using IKEv2 for my setup. By the way, instead of "bundling" all networks into a single VPN policy, try setting up one policy per network. It works in my scenario.
Alex Kota Kinabalu, Sabah Malaysia
#5
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-18 04:15:36 - last edited 2024-09-18 04:16:02

  @TCWGEngineers 

 

Here is my VPN setup.

Remote Office

[screenshot]

Headquarter

[screenshot]

I hope it helps you.

 

 

 

Alex Kota Kinabalu, Sabah Malaysia
#6
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-18 04:23:47
Hi, Your firmware version is quite old. Upgrade yours to the latest version. Thanks
Alex Kota Kinabalu, Sabah Malaysia
#7
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-30 07:43:29

@bambinotenchie Hi Bambino,

 

I've tried updating to 1.2.1 and had too many issues with it. The router drops out, re-adopts and reboots in the middle of the work day after changing settings in a VPN connection causing multiple users (staff and customers who remote in) to complain. I don't have a way to safely replicate the fault and respond to the fault ticket without buying a second ER8411 so we've stuck to 1.2.0 where it doesn't have the issue.

 

Regarding the multiple VPNs, we would have to set up so many VPN connections if we were to do it that way. We've got roughly 12 VLANs to interact with at the other end where the Draytek is.

 

@Clive_A  Here is a diagram of the setup

 

 

Our workstations sit on the internal LAN as there are multiple customer VLANs on the same router (inter-VLAN routing is another issue for another day). We're trying to get to a QNAP NAS on 192.168.1XX.XX that is located on the Draytek end. I have tried VMs on the External LAN and our workstations to no avail.

 

Unfortunately, as shown, the "remote networks" section in the IPsec VPN on the ER8411 does not work in this configuration.

Is there a better way to do this or should we just get another ER8411 asap at the far end?

#8
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-30 08:03:56 - last edited 2024-09-30 08:06:27

The current version is 1.2.2. Maybe you could try the new version? Do you have a similar spare router to try?

Alex Kota Kinabalu, Sabah Malaysia
#9
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-30 08:05:09
By the way, in my case. Both sides use TP-Link. I'm not sure whether it is working under a different product.
Alex Kota Kinabalu, Sabah Malaysia
#10
Re:ER8411 (and possibly others) cannot route to additional remote subnets over L2TP VPN
2024-09-30 23:41:42

  @bambinotenchie 

 

Unfortunately, I do not have a spare router to test it with. I have scheduled the upgrade to 1.2.1 and then a second upgrade to happen tonight at 1am and 2am.

 

Hopefully there are no issues tomorrow.

#11