WireGuard VPN to Remote IPSEC network.

2023-12-12 14:46:12 - last edited 2023-12-15 09:52:08
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

I have ER605 routers in two company locations.

Location A) Subnet 192.168.0.x

Location B) Subnet 192.168.1.x

 

I have set up an IPsec LAN-to-LAN tunnel from Location A to Location B. I connect to Location A from various computers using WireGuard.

 

I would like to access both subnets through WireGuard clients. I can reach all addresses from the local subnet, but only 192.168.0.x through WireGuard.

 

Is it possible to reach a remote IPsec location via WireGuard?

#1
Re:WireGuard VPN to Remote IPSEC network.
2023-12-13 02:50:02

Hi @mgru 

Thanks for posting in our business forum.

Modify the Allowed-IPs. Understand why it is important. It is basically the core of the WG VPN.

Configuration Guide How to Configure WireGuard VPN on Omada Controller

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#2
Re:WireGuard VPN to Remote IPSEC network.
2023-12-13 06:46:25

  @mgru 

I have configured the allowed IP on the client as 192.168.0.0/16. I also changed it to all addresses 0.0.0.0/0 - The result is the same: there is no access from the WireGuard client to the IPsec VPN tunnel established with location B. Access to 192.168.0.x is working.

 

I think it's not an issue with allowed IP.

 

#3
Re:WireGuard VPN to Remote IPSEC network.
2023-12-13 07:14:09 - last edited 2023-12-13 07:15:44

 

@mgru The identical scenario in a different location also doesn't work. The addressing is slightly different than in the first post.

#4
Re:WireGuard VPN to Remote IPSEC network.
2023-12-13 08:54:44

Hi @mgru 

Thanks for posting in our business forum.

Can you set it to two subnets? 192.168.0.0/24 and 192.168.3.0/24

 

192.168.0.0/16 is not technically correct. I am not sure if this affects it or not. But it is not right.

#5
Re:WireGuard VPN to Remote IPSEC network.
2023-12-13 20:12:07 - last edited 2023-12-13 23:23:27

  @Clive_A 

 

Hello, thanks for answer.

 

1)

If I set 192.168.1.0/24, then I can connect to network 192.168.1.x, but not 192.168.3.x.
If I set 192.168.3.0/24, then I can't connect to either.

 

 

I found similar cases described on Reddit with both (WireGuard and IPsec) on ER605, and other individuals had the same issue. No responses to the posts.

 

 

2) by the way, I don't see any tunnels in the network interfaces. Not in the routing tables either. Is it possible to additionally direct some traffic through the tunnel by adding static routing?

 

I found that people asked a similar question in 2019/2020 for Archer C6 and they also did not get an answer (https://community.tp-link.com/en/home/forum/topic/173622). Maybe Omada works in a similar way?

 

3) ping/traceroute from "system tools / diagnostics" does not work properly for tunneled traffic. I ping addresses that are definitely working and I can communicate with them - and there is no ICMP response in the tools.

 

#6
Re:WireGuard VPN to Remote IPSEC network.
2023-12-15 01:37:17

Hi @mgru 

Thanks for posting in our business forum.

mgru wrote

  @Clive_A 

 

Hello, thanks for answer.

 

1)

If I set 192.168.1.0/24, then I can connect to network 192.168.1.x, but not 192.168.3.x.
If I set 192.168.3.0/24, then I can't connect to either.

 

 

I found similar cases described on Reddit with both (WireGuard and IPsec) on ER605, and other individuals had the same issue. No responses to the posts.

 

 

Of course, you cannot access it when you put 192.168.1.0/24. Nah. This is not a bug.

Google how subnets work and use a subnet calculator. It is really basic knowledge when you tweak the subnets.

I pointed out that you were setting the wrong subnets because a class C subnet does not work that way.

 

And based on what you said here if 192.168.1.0/24 works for anything in 192.168.1.0/24, then it is correct and WG is working.

 

But if you say that you set this 192.168.3.0/24? And you are certain you did not make a mistake in your sentence. I gotta ask a big WHY. (I read your original post again and I don't see the point in putting 192.168.3.1/24 in allowed-ips.)

Read the WG configuration guide on the forum. We are not on the same page in these concepts: what WG Allowed-IPs mean and how subnet works.

Please take some time to digest.

 

mgru wrote

  @Clive_A

 

2) by the way, I don't see any tunnels in the network interfaces. Not in the routing tables either. Is it possible to additionally direct some traffic through the tunnel by adding static routing?

 

I found that people asked a similar question in 2019/2020 for Archer C6 and they also did not get an answer (https://community.tp-link.com/en/home/forum/topic/173622). Maybe Omada works in a similar way?

 

Network Interface? What do you mean by this specifically? Is this a term in our device? Or you refer to the Routing Table?

 

VPN routings are not listed in the Routing Table. This is not just the case for the WG VPN. This was explained once before when I answered someone else on the forum. Unlike Windows OS, where you see all the existing routing entries.

 

No.

 

mgru wrote

  @Clive_A 

 

 

3) ping/traceroute from "system tools / diagnostics" does not work properly for tunneled traffic. I ping addresses that are definitely working and I can communicate with them - and there is no ICMP response in the tools.

 

If you don't pick the right interface or if it does not list the VPN tunnel, it does not make sense to use it. I recall that the VPN tunnel is not listed/supported.

 

#7
Re:WireGuard VPN to Remote IPSEC network.
2023-12-15 08:24:11 - last edited 2023-12-15 08:28:14

  @Clive_A 

The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.

 

I want to implement a simple scenario on TP-Link devices:

Router A (ER-605 192.168.1.0/24)

  1. Permanent IPsec LAN-to-LAN connection to another location to Router B (ER605 192.168.3.0/24).
  2. VPN access via WireGuard through Router A => I want to have access to the local subnets of Router A and Router B.

 

Is this possible?

 

In my opinion, the issue lies with Router B; it seems that it is not correctly routing the packets back to Router A.

 

 

 

#8
Re:WireGuard VPN to Remote IPSEC network.-Solution
2023-12-15 09:27:58 - last edited 2023-12-19 08:43:38

Hi @mgru 

Thanks for posting in our business forum.

mgru wrote

  @Clive_A 

The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.

 

So I read again, it is all messed up.

You said in the OP

Where does this 192.168.3.0/24 come from? It was from your other reply.

 

 

mgru wrote

  @Clive_A 

The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.

 

I want to implement a simple scenario on TP-Link devices:

Router A (ER-605 192.168.1.0/24)

  1. Permanent IPsec LAN-to-LAN connection to another location to Router B (ER605 192.168.3.0/24).
  2. VPN access via WireGuard through Router A => I want to have access to the local subnets of Router A and Router B.

 

Is this possible?

 

In my opinion, the issue lies with Router B; it seems that it is not correctly routing the packets back to Router A.

 

 

 

Yes. Possible. I read your post 30 minutes ago and I spent 30 minutes to set up the topology, test, and screenshot the results.

It is a config issue with your setup.

 

You missed the IPsec entry. There are four counts of the entry.

#9
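Added example (not from this thread or from TP-Link): a Python model of the two places a WireGuard-to-IPsec packet can be dropped, the client's Allowed-IPs (post #2) and the IPsec traffic selectors on both routers (the missed IPsec entry in the accepted answer). It assumes a WireGuard client pool of 10.8.0.0/24 and a selector-based (local/remote subnet list) IPsec LAN-to-LAN policy; neither is stated in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the thread's second site: Router A LAN 192.168.1.0/24,
# Router B LAN 192.168.3.0/24. The WireGuard client pool is an assumption; the
# thread never states it.
LAN_A = ip_network("192.168.1.0/24")
LAN_B = ip_network("192.168.3.0/24")
WG_CLIENTS = ip_network("10.8.0.0/24")  # assumed WireGuard tunnel subnet on Router A

# Policy-based IPsec selectors as "local"/"remote" subnet lists (one dict per router).
OP_POLICY_A = {"local": [LAN_A], "remote": [LAN_B]}                 # LAN-to-LAN only
OP_POLICY_B = {"local": [LAN_B], "remote": [LAN_A]}
FIXED_POLICY_A = {"local": [LAN_A, WG_CLIENTS], "remote": [LAN_B]}  # WG pool added
FIXED_POLICY_B = {"local": [LAN_B], "remote": [LAN_A, WG_CLIENTS]}  # on both ends

def wg_routes(dst, allowed_ips):
    """Client side: a packet enters the WireGuard tunnel only if dst matches a
    peer Allowed-IPs entry; the longest matching prefix wins."""
    dst = ip_address(dst)
    matches = [n for n in allowed_ips if dst in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def ipsec_selects(src, dst, policy):
    """Policy-based IPsec: src must be in a local subnet AND dst in a remote subnet,
    otherwise the router forwards (or drops) the packet outside the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in n for n in policy["local"]) and any(dst in n for n in policy["remote"])

def reachable(client_ip, target_ip, allowed_ips, policy_a, policy_b):
    """Trace the forward packet (client -> target) and its reply (target -> client)
    hop by hop; return the first hop that drops it, or 'ok'."""
    if wg_routes(target_ip, allowed_ips) is None:
        return "client: target not in Allowed-IPs, never enters WireGuard"
    if ip_address(target_ip) in LAN_A:
        return "ok"  # Router A's own LAN: delivered directly, IPsec not involved
    if not ipsec_selects(client_ip, target_ip, policy_a):
        return "router A: WG client source not in IPsec local subnets"
    if not ipsec_selects(target_ip, client_ip, policy_b):
        return "router B: WG client not in IPsec remote subnets, reply not tunnelled"
    return "ok"

if __name__ == "__main__":
    both = [LAN_A, LAN_B]  # both LAN subnets listed as Allowed-IPs on the client
    print(reachable("10.8.0.2", "192.168.1.10", both, OP_POLICY_A, OP_POLICY_B))
    print(reachable("10.8.0.2", "192.168.3.10", [LAN_A], OP_POLICY_A, OP_POLICY_B))
    print(reachable("10.8.0.2", "192.168.3.10", both, OP_POLICY_A, OP_POLICY_B))
    print(reachable("10.8.0.2", "192.168.3.10", both, FIXED_POLICY_A, OP_POLICY_B))
    print(reachable("10.8.0.2", "192.168.3.10", both, FIXED_POLICY_A, FIXED_POLICY_B))
```

The fourth case (only Router A fixed) reproduces the "Router B is not routing the packets back" symptom: the forward packet is tunnelled, but B's selectors do not cover the reply.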
Re:WireGuard VPN to Remote IPSEC network.
2023-12-15 09:34:05 - last edited 2023-12-15 09:34:21

  @Clive_A 

 

In the first email, I provided the addresses: 192.168.0.1/24 and 192.168.1.1/24. There was a request for screenshots, but I don't have remote access to that client, so I sent screenshots from another client where the scenario is identical, but the addressing is 192.168.1.1/24 and 192.168.3.1/24. I mentioned this at the end of post #4.

#10
Re:WireGuard VPN to Remote IPSEC network.
2023-12-15 09:42:29

Hi @mgru 

Thanks for posting in our business forum.

mgru wrote

  @Clive_A 

 

In the first email, I provided the addresses: 192.168.0.1/24 and 192.168.1.1/24. There was a request for screenshots, but I don't have remote access to that client, so I sent screenshots from another client where the scenario is identical, but the addressing is 192.168.1.1/24 and 192.168.3.1/24. I mentioned this at the end of post #4.

Anyway, it works. And I gave the replication of what you need to do above. With a screenshot of the verification.

It would be great if you could give a diagram if you cannot describe it clearly. If it is 192.168.0.1 and 192.168.1.1, the IPsec was wrong in your screenshot. Subnet is 192.168.1.1 and 192.168.3.1. I see no 192.168.0.1. It does not match and shows inconsistency.

#11