IPSec LAN-LAN Full Tunnel

IPSec LAN-LAN Full Tunnel

IPSec LAN-LAN Full Tunnel
IPSec LAN-LAN Full Tunnel
2024-10-26 19:55:39 - last edited 2024-10-26 20:05:07
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.5

I have an IPSec IKEv2 LAN-LAN VPN configured on my ER605 (initiator). It functions as expected, and I'm able to bi-directionally access devices on each side of the VPN.

 

On my Initiator side, I'd like to route all traffic through the VPN tunnel. By default, it routes all public-bound traffic through the Initiator's WAN, but I need it to go through the VPN to the Responder's WAN and out through there.

 

I have tried the following:

  • My IPSec IKEv2 VPN doesn't appear as an option under Policy Routing, so I can't use that
  • I tried a static route for 0.0.0.0 (mask 0.0.0.0) with next hop as the Responder router's IP, and tried with both LAN and WAN interface, but it says "Invalid Parameters".
  • I tried setting my Responder router's IP as the "Default Gateway" for my Initiator's DHCP settings, but that kills all connectivity outside of the LAN.

 

What am I missing here? How can I achieve this? I can't imagine that a business VPN router wouldn't have a way to route all traffic through the VPN, as that's an important feature for any business network.

  0      
  0      
#1
Options
5 Reply
Re:IPSec LAN-LAN Full Tunnel
3 weeks ago

  @SomeNetEngineer 

what you want is not possible with IPsec site to site.
That's probably why it's called site to site ;-)

 

  0  
  0  
#2
Options
Re:IPSec LAN-LAN Full Tunnel
3 weeks ago

  @MR.S "Site-to-Site" just means that it's connecting two sites, not a client to a site. It has nothing to do with how traffic is routed. There are plenty of corporate Site-to-Site VPNs that run all traffic from a remote site through the headquarters site.

 

What I'm confused about is why I can't get it to work with routing rules. I should be able to create a static route directing all traffic through the VPN, but it just doesn't work. Perhaps I also need a static route on the responder side?

  0  
  0  
#3
Options
Re:IPSec LAN-LAN Full Tunnel
3 weeks ago

  @SomeNetEngineer 

 

do you have any examples of who can do what you want with IPsec site to site, I am very interested in that.

 

you can proxy out on the remote site with L2TP/IPsec but not IPsec site to Site. 

 

but give me an example of who can proxy out on the remote site with IPsec site to site. 

 

 

 

  0  
  0  
#4
Options
Re:IPSec LAN-LAN Full Tunnel
3 weeks ago

  @SomeNetEngineer 

 

Find "full tunnel" on this page. It's a site-to-site IKEv2 (IPSec) full tunnel where all traffic can be directed over it.

  0  
  0  
#5
Options
Re:IPSec LAN-LAN Full Tunnel
3 weeks ago

  @SomeNetEngineer 

 

Cisco has probably built in a slightly different technology than standard IPsec site to site in this solution. with Omada and most other solutions this is not possible, But mybe it may come together with SD-WAN which is notified in version 5.15.20 of Omada. 

 

 

 

 

  0  
  0  
#6
Options