Enterprise Virtual Private Network / HUB-SPOKE configuration (TL-ER604W)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2014-12-19 09:55:45 - last edited 2021-08-21 04:33:22
Region : United States of America

Model : TL-ER604W

Hardware Version: v1.0

Firmware Version : 1.1.0 Build 20141031 Rel.32628s

ISP :


It has recently been brought to my attention that very little documentation exists on how to configure an Enterprise Virtual Private Network utilizing IPsec with TP-Link VPN routers. The following diagram illustrates the current capability of the TL-ER604W to connect multiple remote offices with distinct network subnets to a central hub/core router.



The following strategies will be achieved:
a) Each remote office will route all traffic via the hub/core router.
b) Each remote office will be able to communicate with the subnet physically connected to the hub/core router.
c) Each remote office will be able to communicate with each additional distinct remote office by routing traffic through the hub/core router.
d) Each remote office router will have distinct credentials to establish a VPN with the hub/core router.

Hub/Core router configurations.

IKE
1) Create IKE Proposals specific for your application and region.
2) IKE Policies control the portion of the IPsec phase 1 negotiation that we are concerned with. Here is where we establish individual remote office/spoke credentials.
Currently, IP Address and Fully Qualified Domain Name are the only ID options at the time of this tutorial. Fully Qualified User Name and DER ASN.1 DN have not been implemented at this time. (X.509v3 certificates and XAUTH have been taken into consideration for a future firmware release per TP-Link support ticket #84358.)
3) In this example we are using the DYNdns name of our remote office/spokes. For proper DNS resolution make sure to set DYNdns name servers on your TL-ER604W.
4) Set identical Local ID but different Remote ID per remote office/spoke
5) Set distinct Pre-Shared Key per remote office/spoke
6) Add additional remote office/spokes as needed.

IPSEC
1) In order to route traffic to all networks participating in our Hub-Spoke network configuration we need to make a single IPsec policy per spoke.
2) In our example the Hub/core router is on network 192.168.7.0/24.
3) We will need to do a route summarization in the Local Subnet of each LAN-to-LAN IPsec policy, so that every remote office can reach the whole hub-and-spoke network through its one tunnel to the hub.

Remote office/Spoke router configurations.

IKE - Spoke1.dyndns.org
1) The configuration will be the reverse of the Local ID and Remote ID values listed in the core router configuration.
2) This Pre-Shared Key is unique to spoke1.dyndns.org only; all other spokes have their own unique Pre-Shared Keys.

IPSEC - Spoke1.dyndns.org
1) The configuration will be the reverse of the Local Subnet and Remote Subnet values listed in the core router configuration.
2) Follow this template for additional spokes.
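The hub-side IKE/IPsec rules above (identical Local ID, distinct Remote ID and Pre-Shared Key per spoke, summarized Local Subnet) and the spoke-side mirror of them are easy to get subtly wrong when typed into the web UI by hand. The following Python script is an added example, not part of the original post or of any TP-Link software: it takes a constructed topology (the post's 192.168.7.0/24 hub LAN plus two hypothetical spokes, names and subnets assumed), computes the summary prefix for the hub's Local Subnet, and emits the matching hub-side and spoke-side settings with a unique PSK per spoke, plus a check that no two spokes share a Remote ID or key.

```python
import ipaddress
import secrets

# Constructed example topology (not from the original post): the hub LAN from the
# post plus two hypothetical spokes with assumed DynDNS names and LAN subnets.
HUB_LAN = "192.168.7.0/24"
HUB_LOCAL_ID = "hub.dyndns.org"   # hypothetical; identical in every hub-side IKE policy
SPOKES = {
    "spoke1.dyndns.org": "192.168.8.0/24",
    "spoke2.dyndns.org": "192.168.9.0/24",
}


def summarize(subnets):
    """Return the smallest single prefix that covers every given subnet
    (route summarization for the hub's Local Subnet field)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    candidate = nets[0]
    # Widen the prefix one bit at a time until all subnets fall inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def build_policies(hub_lan, hub_local_id, spokes, psk_bytes=24):
    """Produce hub-side and spoke-side IKE/IPsec settings following the post's rules:
    same Local ID on the hub, a distinct Remote ID and distinct PSK per spoke, and a
    summarized Local Subnet on the hub that each spoke mirrors as its Remote Subnet."""
    summary = str(summarize([hub_lan, *spokes.values()]))
    hub_side, spoke_side = [], []
    for fqdn, lan in spokes.items():
        psk = secrets.token_urlsafe(psk_bytes)  # one randomly generated key per spoke
        hub_side.append({"local_id": hub_local_id, "remote_id": fqdn, "psk": psk,
                         "local_subnet": summary, "remote_subnet": lan})
        # The spoke's settings are the reverse of the hub's for that spoke.
        spoke_side.append({"local_id": fqdn, "remote_id": hub_local_id, "psk": psk,
                           "local_subnet": lan, "remote_subnet": summary})
    return hub_side, spoke_side


def check_distinct(hub_policies):
    """Sanity check: every spoke must have its own Remote ID and its own PSK."""
    ids = [p["remote_id"] for p in hub_policies]
    psks = [p["psk"] for p in hub_policies]
    return len(set(ids)) == len(ids) and len(set(psks)) == len(psks)


if __name__ == "__main__":
    hub, spokes = build_policies(HUB_LAN, HUB_LOCAL_ID, SPOKES)
    for p in hub:
        print("HUB   ->", p)
    for p in spokes:
        print("SPOKE ->", p)
    print("distinct credentials per spoke:", check_distinct(hub))
```

For the constructed subnets the summary comes out as 192.168.0.0/20. Note that a summary prefix also covers address space not assigned to any office (here 192.168.0.0 through 192.168.15.255); keeping spoke LANs contiguous keeps the summary tight, and any address in that range will be sent into the tunnel rather than out to the Internet.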

After all remote office/spokes have established an IPsec SA with the hub/core router:

a) Each remote office will route all traffic via the hub/core router.
b) Each remote office will be able to communicate with the subnet physically connected to the hub/core router.
c) Each remote office will be able to communicate with each other distinct remote office by routing traffic through the hub/core router.
d) Each remote office router will have distinct credentials to establish a VPN with the hub/core router.

Note: Additional NAT and Firewall Access Rules may need to be created to allow traffic to the Internet and to remote offices (e.g. WWW, FTP, PING, TRACEROUTE, etc.).

Note: This solution only applies to the TL-ER604W. TP-Link support has stated that these changes will be coming soon to the TL-ER6021 & TL-ER6020 model VPN routers (TP-Link support ticket #88118).