VPN tunnel up but doesn't route traffic.

VPN tunnel up but doesn't route traffic.

VPN tunnel up but doesn't route traffic.
VPN tunnel up but doesn't route traffic.
2024-10-28 15:21:59 - last edited 2024-11-21 02:51:25
Tags: #VPN
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version:

Hi,

I have define a IPSEC Point to Point between my ER605 and a Cisco ASA.

The tunnel shows up and on the other side they see this as well but no traffic is tunneled.

 

When I go to define a Policy Routing I cannot select Tunnel VPN . Also on Static Route.

Any idea where I can tell the ER 605 to use as route the VPN tunnel defined?

  0      
  0      
#1
Options
2 Accepted Solutions
Re:VPN tunnel up but doesn't route traffic. -Solution
2024-10-28 16:15:53 - last edited 2024-11-21 02:51:43

  @melospawn 

 

you can not do that on ER605 you local network is LAN 192.168.0.0./24 if you want to do xlate you have to do this on ASA 

The ER605 only understands the real LAN address.

 

Recommended Solution
  0  
  0  
#7
Options
Re:VPN tunnel up but doesn't route traffic. -Solution
2024-10-29 02:03:51 - last edited 2024-11-21 02:51:25

Hi @melospawn 

Thanks for posting in our business forum.

IMO, I don't think the IPsec is the type of VPN you need.

It is limited and if you configure it somehow like it, it'd be problematic.

[SOLVED] Impossible to access the internet from Android with an IPSec VPN tunnel

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#8
Options
7 Reply
Re:VPN tunnel up but doesn't route traffic.
2024-10-28 15:32:05 - last edited 2024-10-28 15:40:43

  @melospawn 

the tunnel routes what you have set as the remote subnet on the ER605, you should not create a router manually. I have many Cisco ASAs that have VPN against different TP-Link routers and it works very well.

 

 

 

you should look at nat rule on Cisco firewall, and check for Bypass Interface Access list for inbound VPN session is enabled or disabled if enabled you have to crate ACL roule

 

 

  0  
  0  
#2
Options
Re:VPN tunnel up but doesn't route traffic.
2024-10-28 15:45:27

  @MR.S 

HI,

 

Thanks a lot, thats also what I thought but when I go to routes on the ER605 (I am a cisco guy) I dont see the route as you would see on the cisco to the remote subnet defined on the E605 and using the VPN tunnel as Interface.

 

Also the LAN on the ER650 is the usual 192.168.0.0/24 and the company needs for us to use as Local network on the ER605 a static IP (/32) not on the same subnet as our LAN.

 

I was thinking to do NAT for this IP

 

Example:

 

ER605  side                                             Cisco Side

 

LAN 192.168.0.0./24                              Net 10.10.0.0/24

 

But for the VPN to be allowed the local network on the ER605 must be 10.11.10.133/32 (for example)

 

I tried to play with the NAT on the ER . Problem is I need to connect remotely to it (on another country).

 

Any idea how I can solve this issue? Tunnel is up (SA stablish)

 

Thanks

 

 

  0  
  0  
#3
Options
Re:VPN tunnel up but doesn't route traffic.
2024-10-28 15:55:12

  @melospawn 

 

If the tunnel is up, it is either NAT on the Cisco ASA or ACL on the Cisco ASA, it is difficult to give any advice as I do not have the whole picture. on the ER605 it's pretty easy, it's almost impossible to make a mistake. it is not necessary to do anything other than configure the VPN, there is no need for either routing ACL or NAT on the ER605 if you do not have an ACL that blocks anything..

NAT on the Cisco ASA should look like this.

 

  0  
  0  
#4
Options
Re:VPN tunnel up but doesn't route traffic.
2024-10-28 15:59:42

  @melospawn 

 

Omada configuration

 

  0  
  0  
#5
Options
Re:VPN tunnel up but doesn't route traffic.
2024-10-28 16:07:35

  @MR.S 

 

HI

yes this I have already and the VPN is working. 

 

 

 

But for the ASA to allow traffic it must have as Local Subnet a host IP, which is not the same network range as the LAN on the ER605 (192.168.0.0./24)

 

From the ER605 I cannot ping or trace anything on the 10.0.0.0/8 remorte subnet (on the ASA). This I dont control (is another company).

 

I assume the easier would be to do a Multi-Nets to NAT on the ER605 so I can do many to one NAT? Would this work for the VPN also?

https://static.tp-link.com/res/down/doc/Multi-nets_NAT_Config_Guide.pdf?configurationId=2987

 

Thanks

 

  0  
  0  
#6
Options
Re:VPN tunnel up but doesn't route traffic. -Solution
2024-10-28 16:15:53 - last edited 2024-11-21 02:51:43

  @melospawn 

 

you can not do that on ER605 you local network is LAN 192.168.0.0./24 if you want to do xlate you have to do this on ASA 

The ER605 only understands the real LAN address.

 

Recommended Solution
  0  
  0  
#7
Options
Re:VPN tunnel up but doesn't route traffic. -Solution
2024-10-29 02:03:51 - last edited 2024-11-21 02:51:25

Hi @melospawn 

Thanks for posting in our business forum.

IMO, I don't think the IPsec is the type of VPN you need.

It is limited and if you configure it somehow like it, it'd be problematic.

[SOLVED] Impossible to access the internet from Android with an IPSec VPN tunnel

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
  1  
  1  
#8
Options