Connecting Three VPN Routers of Different Geographic Locations Using IPSec VPN


The purpose of this story is to illustrate the VPN connectivity between three geographical locations using the IPSec VPN feature of the ER605 router. While establishing IPSec directly between the two branches would have been a simpler option, I encountered an unfortunate challenge due to the malfunctioning port forwarding of the ISP routers. In the following sections, I will present an alternative approach that effectively addressed this issue and successfully achieved my objective.


Network Layout & Hardware:


(Your hardware may differ from that used in the picture)


The hardware used to prepare this guide is as follows:
1. ER7206 V1_1.3.0 Build 20230322
2. OC200 with Controller V5.9.32



1. The headquarters' ER7206 has a public WAN IP.
2. Thanks to the presence of a public WAN, the ER7206 at the headquarter can act as an initiator and successfully establish an IPSec tunnel with the routers in the two branches, irrespective of the ISP routers located at the front-end of both branches.



The following modification is based on the existing IPSec settings of the headquarters and two branch offices, with existing tunnels between headquarter and each branches.


For Headquarter (Site A):

          Adding Branch #2's subnet into "Local Networks"



          Adding Branch #1's subnet into "Local Networks"


For Branch #1 (Site B):

          Adding Branch #2's subnet into "Remote Subnets"


For Branch #2 (Site C):

          Adding Branch #1's subnet into "Remote Subnets"


Please keep in mind that once the tunnels are established, routers will transmit packets that match the IPSec settings.

Let's dive into a scenario where branch #1 wants to get in touch with branch #2. So, picture this: The routers see a request coming from, let's say, and aiming for Now, the remote network is, and the local network is The packet flow matches the IPSec rule on router #1 (that belongs to branch #1), and it successfully reaches the headquarters. Now, the HQ router checks out the source and destination data, and it also finds a match with its IPSec rule #2, which lets the data reach its intended destination subnet and that specific device.



This configuration necessitates the use of the "Custom IP" option for IPSec, which enables the inclusion of subnets that are not physically present in the router's LAN settings.



Thanks for making this post, this is exactly what I want to do but I have a few questions


If all three sites have a stock system that's for example on the same 172.100.64.x range, will that cause conflicts on the VPN? Or is it a matter of whatever is on the lower level can be setup in any way as long as it points to the correct IP on the other side?