L2TP LAN-LAN VPN in "Route" Working Mode
I'm setting up a LAN-LAN L2TP/IPSec VPN between two ER605s.
On the client device, there's a field named "Working Mode", with options "NAT" and "Route". In the documentation, I can find very little information about this; all the user guide says is:
Working Mode
Specify the Working Mode as NAT or Routing.
NAT: NAT (Network Address Translation) mode allows the router to translate source IP address of L2TP packets to its WAN IP when forwarding L2TP packets.
Route: Route mode allows the router to forward L2TP packets via routing protocol.
I'm trying to understand the difference between the two and when each is more appropriate. I have my VPN working in NAT mode, but if I switch to Route mode I lose connectivity; I assume I have to add some sort of static or policy route to do this?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
what is your ip address pool? on this pool I never use same ip as my other interface, for the most i use a random ip10.12.33.0/24 for example or somthing in 10,x,x,x range
- Copy Link
- Report Inappropriate Content
as I mentioned in my previous post, with routing mode activated you have to set network extention mode on vpn user name, then define remote network on vpn user, this way you get site to site with L2TP/Ipsec
- Copy Link
- Report Inappropriate Content
@MR.S When I set it up this way, I can access most devices on the server-side LAN, but not the server-side router (192.168.0.1).
This is my L2TP server config:
This is the L2TP user account config (on the server):
And this is the client-side config:
From a device on the client-side LAN (e.g. from 192.168.10.101), I can do a `ping 192.168.0.10` (a server I have on the server-side LAN), but a `ping 192.168.0.1` (the server-side ER605) fails with a timeout (and I can't access the 192.168.0.1 admin console either).
- Copy Link
- Report Inappropriate Content
it looks correct but i am using controller so slightly different configuration. I did a test on the same thing here now between an ER841 and an ER605v2 and it worked right away. config is quite similar to yours. I had problems with some old ipsec site to site tunnels that went to ER8411 I had to delete them, have you deleted the old IPsec tunnels? it does not work to deactivate them, they must be deleted
- Copy Link
- Report Inappropriate Content
it is also not certain that you can reach the admin interface if you have not enabled admin from remote lan, I mean to remember that there was a choice for that in stand alone,
- Copy Link
- Report Inappropriate Content
if you want to route all or some devices out to the remote wan, you create a policy route, choose l2tp
in this example I route everything from the default lan out to the remote router.
it's a bit different on a stand alone, but you'll probably figure that out :-)
- Copy Link
- Report Inappropriate Content
@MR.S I removed the old IPSec VPN policy and enabled remote management on the target router. I still can't connect to it though.
When the L2TP client is configured for "NAT", it works fine (can access everything on the server LAN, including the server router), but when it's configured for "Route" I can access everything on the server LAN except for the server router.
I checked the route table on the client router and there's a route for the server router (192.168.0.1) using the L2TP VPN interface, so that seems correct.
- Copy Link
- Report Inappropriate Content
what is your ip address pool? on this pool I never use same ip as my other interface, for the most i use a random ip10.12.33.0/24 for example or somthing in 10,x,x,x range
- Copy Link
- Report Inappropriate Content
@MR.S Ah yep, that was it. I changed it to something outside of the LAN subnet and it works now.
The help docs are erroneous then. When you click the question mark, the content for that field says:
Local IP Address
Specify the local virtual IP address for the VPN server. Please avoid using the IP address in the DHCP range, which may cause IP confliction, you can enter the LAN IP of the router. To find out the DHCP Range, go to Network > LAN > Network List and view the information of the desired network.
It explicitly says "you can enter the LAN IP of the router" (which is what I did), but that's what apparently caused a route conflict.
- Copy Link
- Report Inappropriate Content
good, then you have what you need for your initial question, now you can activate policy route and route all traffic out on the remote WAN..
there will be policy route to both OpenVPN and Wireguard soon with fqdn, I don't know when but I think it's just around the corner. there will also be SD-WAN and much, much more in the near future, so there will be many new opportunities with Omada, so I'm looking forward to it..
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 253
Replies: 9
Voters 0
No one has voted for it yet.