WireGuard VPN to Remote IPSEC network.
WireGuard VPN to Remote IPSEC network.
I have ER605 routers in two company locations.
Location A) Subnet 192.168.0.x
Location B) Subnet 192.168.1.x
I have set up an IPsec LAN-to-LAN tunnel from Location A to Location B. I connect to Location A from various computers using WireGuard.
I would like to access both subnets through WireGuard clients. I can reach all addresses from the local subnet, but only 192.168.0.x through WireGuard.
Is it possible to reach a remote ipsec location via WireGuard?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
mgru wrote
The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.
So I read again, it is all messed up.
You said in the OP
Where does this 192.168.3.0/24 come from? It was from your other reply.
mgru wrote
The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.
I want to implement a simple scenario on TP-Link devices:
Router A (ER-605 192.168.1.0/24)
- Permanent IPsec LAN-to-LAN connection to another location to Router B (ER605 192.168.3.0/24).
- VPN access via WireGuard through Router A => I want to have access to the local subnets of Router A and Router B.
Is this possible?
In my opinion, the issue lies with Router B it seems that it is not correctly routing the packets back to Router A.
Yes. Possible. I read your post 30 minutes ago and I sent 30 minutes to set up the topology and test and screenshot the results.
It is a config issue with your setup.
You missed the IPsec entry. There are four counts of the entry.
- Copy Link
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
Modify the Allowed-IPs. Understand why it is important. It is basically the core of the WG VPN.
Configuration Guide How to Configure WireGuard VPN on Omada Controller
- Copy Link
- Report Inappropriate Content
I have configured the allowed IP on the client as 192.168.0.0/16. I also changed it to all addresses 0.0.0.0/0 - The result is the same: there is no access from the WireGuard client to the IPsec VPN tunnel established with location B. Access to 192.168.0.x is working.
I think it's not an issue with allowed IP.
- Copy Link
- Report Inappropriate Content
@mgru The identical scenario in a different location also doesn't work. The addressing is slightly different than in the first post.
- Copy Link
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
Can you set it to two subnets? 192.168.0.0/24 and 192.168.3.0/24
192.168.0.0/16 is not technically correct. I am not sure if this affects it or not. But it is not right.
- Copy Link
- Report Inappropriate Content
Hello, thanks for answer.
1)
If set 192.168.1.0/24, then i can connect to network 192.168.1.x, but not 192.168.3.x.
If set 192.168.3.0/24, then i can't connect to both.
I found similar cases described on Reddit with both (WireGuard and Ipsec) on ER605, and other individuals had the same issue. No responses to the posts.
2) by the way, I don't see any tunnels in the network interfaces. Not in the routing tables either. Is it possible to additionally direct some traffic through the tunnel by adding static routing?
I found that people asked a similar question in 2019/2020 for Archer C6 and they also did not get an answer (https://community.tp-link.com/en/home/forum/topic/173622). Maybe omada works in a similar way?
3) ping/traceroute from "system tools / diagnostics" does not work properly for tunneled traffic. I ping addresses that are definitely working and I can communicate with them - and there is no ICMP response in the tools.
- Copy Link
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
mgru wrote
Hello, thanks for answer.
1)
If set 192.168.1.0/24, then i can connect to network 192.168.1.x, but not 192.168.3.x.
If set 192.168.3.0/24, then i can't connect to both.
I found similar cases described on Reddit with both (WireGuard and Ipsec) on ER605, and other individuals had the same issue. No responses to the posts.
Of course, you cannot access it when you put 192.168.1.0/24. Nah. This is not a bug.
Google how subnet works and subnet calculator It is really the basic knowledge when you tweak the subnets.
I pointed out that you were setting the wrong subnets because the C class subnet did not work that way.
And based on what you said here if 192.168.1.0/24 works for anything in 192.168.1.0/24, then it is correct and WG is working.
But if you say that you set this 192.168.3.0/24? And you are certain you did not make a mistake in your sentence. I gotta ask a big WHY. (I read again what you original post and I don't see the point in putting 192.168.3.1/24 in allowed-ips.
Read the WG configuration guide on the forum. We are not on the same page in these concepts: what WG Allowed-IPs mean and how subnet works.
Please take some time to digest.
mgru wrote
2) by the way, I don't see any tunnels in the network interfaces. Not in the routing tables either. Is it possible to additionally direct some traffic through the tunnel by adding static routing?
I found that people asked a similar question in 2019/2020 for Archer C6 and they also did not get an answer (https://community.tp-link.com/en/home/forum/topic/173622). Maybe omada works in a similar way?
Network Interface? What do you mean by this specifically? Is this a term in our device? Or you refer to the Routing Table?
VPN routings are not listed in the Routing Table. Not just applied to the WG VPN. This was explained once before when I answered someone else on the forum. Unlike WindowsOS where you see all the existing routing entries.
No.
mgru wrote
3) ping/traceroute from "system tools / diagnostics" does not work properly for tunneled traffic. I ping addresses that are definitely working and I can communicate with them - and there is no ICMP response in the tools.
If you don't pick the right interface or if it does not list the VPN tunnel, it does not make sense to use it. I recall that the VPN tunnel is not listed/supported.
- Copy Link
- Report Inappropriate Content
The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.
I want to implement a simple scenario on TP-Link devices:
Router A (ER-605 192.168.1.0/24)
- Permanent IPsec LAN-to-LAN connection to another location to Router B (ER605 192.168.3.0/24).
- VPN access via WireGuard through Router A => I want to have access to the local subnets of Router A and Router B.
Is this possible?
In my opinion, the issue lies with Router B it seems that it is not correctly routing the packets back to Router A.
- Copy Link
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
mgru wrote
The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.
So I read again, it is all messed up.
You said in the OP
Where does this 192.168.3.0/24 come from? It was from your other reply.
mgru wrote
The response comes down to a discussion of whether I understand subnetting, etc. This conversation in that direction doesn't make sense. I am proficient in subnetting. The experiments with changing the mask in the context of WireGuard were only to illustrate a scenario.
I want to implement a simple scenario on TP-Link devices:
Router A (ER-605 192.168.1.0/24)
- Permanent IPsec LAN-to-LAN connection to another location to Router B (ER605 192.168.3.0/24).
- VPN access via WireGuard through Router A => I want to have access to the local subnets of Router A and Router B.
Is this possible?
In my opinion, the issue lies with Router B it seems that it is not correctly routing the packets back to Router A.
Yes. Possible. I read your post 30 minutes ago and I sent 30 minutes to set up the topology and test and screenshot the results.
It is a config issue with your setup.
You missed the IPsec entry. There are four counts of the entry.
- Copy Link
- Report Inappropriate Content
In the first email, I provided the addresses: 192.168.0.1/24 and 192.168.1.1/24. There was a request for screenshots, but I don't have remote access to that client, so I sent screenshots from another client where the scenario is identical, but the addressing is 192.168.1.1/24 and 192.168.3.1/24. I mentioned this at the end of post #4.
- Copy Link
- Report Inappropriate Content
Hi @mgru
Thanks for posting in our business forum.
mgru wrote
In the first email, I provided the addresses: 192.168.0.1/24 and 192.168.1.1/24. There was a request for screenshots, but I don't have remote access to that client, so I sent screenshots from another client where the scenario is identical, but the addressing is 192.168.1.1/24 and 192.168.3.1/24. I mentioned this at the end of post #4.
Anyway, it works. And I gave the replication of what you need to do above. With a screenshot of the verification.
It would be great if you could give a diagram if you cannot describe it clearly. If it is 192.168.0.1 and 192.168.1.1, the IPsec was wrong in your screenshot. Subnet is 192.168.1.1 and 192.168.3.1. I see no 192.168.0.1. It does not match and shows inconsistency.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1562
Replies: 12
Voters 0
No one has voted for it yet.