Routing inconsistent with s2s tunnel
I am facing a problem for which I have not been able to identify the root cause. I have an IKEv1 site-to-site tunnel between an ER605 and an EdgeRouter X. The tunnel is up and working, but some of my clients are not able to access its subnet.
As a test I tried to do a tracert (Windows) and traceroute (Linux) from multiple clients on the ER605 side, tracing the route to the EdgeRouter.
Some clients show 2 hops: hop 1 is the ER605 gateway and hop 2 is the EdgeRouter.
Other clients never complete the traceroute, with hop 1 being the ER605 gateway and hop 2 going out to the internet.
I looked at the routing table in the Insight pane of Omada and there is nothing out of the ordinary. I even tried to create a static route with the next hop being the IP of the EdgeRouter X, but that did not help.
Can anyone point me in a direction to identify the cause of this weird behaviour?
Thank you
Thank you for all your comments! I was not expecting multiple people and someone from TP-Link to answer so fast. After reading all the comments I made a list and went through them one by one. I then started typing a response and taking screenshots with the hope of getting some additional help from all of you. As I did, I noticed something wrong in the tunnel configuration on the EdgeRouter side. My LAN on the ER605 is 192.168.200.0/21, but on the EdgeRouter I had entered 192.168.200.0/23, and it finally clicked. The EdgeRouter sends the LAN prefix to the ER605, which gets configured on the tunnel and is also displayed under VPN status. All my clients with IPs above 192.168.201.255 were not able to traverse the tunnel.
Thank you again for the support. I feel dumb having spent a few days trying to fix it. I even set up a Cloudflare tunnel because I was convinced it was a bug in the ER605.
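The resolution above comes down to a phase-2 traffic selector that is narrower on one peer than the LAN it is meant to cover: hosts outside the narrower prefix never match the IPsec policy, so their packets take the default route out the WAN, which is exactly the "hop 2 goes to the internet" symptom in the traceroutes. The following is an added example written for this page, not code from the thread or from TP-Link or Ubiquiti. It uses only Python's standard `ipaddress` module to compare the two sides' selectors and list which local hosts would bypass the tunnel. The ER605 LAN (192.168.200.0/21) and the mistyped EdgeRouter entry (192.168.200.0/23) are the values from the thread; the EdgeRouter LAN 192.168.100.0/24 is an assumed value, since the post does not give it.

```python
"""Added example (not from the forum thread): check an IPsec phase-2 traffic
selector against the LAN it is supposed to cover.

Assumptions: selectors are plain CIDR prefixes; the ER605 LAN is
192.168.200.0/21 and the EdgeRouter was configured with 192.168.200.0/23
(both taken from the thread); the EdgeRouter LAN 192.168.100.0/24 is an
invented value for the example.
"""
import ipaddress
from typing import List, Tuple


def covered(client_ip: str, selector: str) -> bool:
    """True if traffic from client_ip matches the selector and so enters the tunnel."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(selector, strict=False)


def uncovered_networks(local_lan: str, remote_selector: str) -> list:
    """Subnets of local_lan that the peer's selector leaves out, in ascending order."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    sel = ipaddress.ip_network(remote_selector, strict=False)
    if lan.subnet_of(sel):          # selector as wide as, or wider than, the LAN
        return []
    if not lan.overlaps(sel):       # completely wrong prefix on the peer
        return [lan]
    # CIDR prefixes either nest or are disjoint, so at this point sel sits inside lan.
    return sorted(lan.address_exclude(sel))


def uncovered_ranges(local_lan: str, remote_selector: str) -> List[Tuple[str, str]]:
    """Merge the left-out subnets into contiguous (first, last) address ranges."""
    ranges = []
    for net in uncovered_networks(local_lan, remote_selector):
        first, last = int(net[0]), int(net[-1])
        if ranges and ranges[-1][1] + 1 == first:   # adjacent to the previous range
            ranges[-1][1] = last
        else:
            ranges.append([first, last])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in ranges]


def selector_mismatches(side_a, side_b) -> List[str]:
    """Each side is (name, local_cidr, remote_cidr). Phase-2 selectors must mirror
    each other: A's local == B's remote and A's remote == B's local."""
    name_a, a_local, a_remote = side_a
    name_b, b_local, b_remote = side_b
    pairs = [
        (f"{name_a} local", a_local, f"{name_b} remote", b_remote),
        (f"{name_a} remote", a_remote, f"{name_b} local", b_local),
    ]
    problems = []
    for label_x, x, label_y, y in pairs:
        nx = ipaddress.ip_network(x, strict=False)
        ny = ipaddress.ip_network(y, strict=False)
        if nx != ny:
            problems.append(f"{label_x} {nx} does not match {label_y} {ny}")
    return problems


if __name__ == "__main__":
    er605 = ("ER605", "192.168.200.0/21", "192.168.100.0/24")          # remote LAN assumed
    edgerouter = ("EdgeRouter", "192.168.100.0/24", "192.168.200.0/23")  # the /23 typo
    for problem in selector_mismatches(er605, edgerouter):
        print("mismatch:", problem)
    for first, last in uncovered_ranges(er605[1], edgerouter[2]):
        print(f"clients {first}-{last} never enter the tunnel")
    for ip in ("192.168.201.10", "192.168.203.10"):
        print(ip, "-> tunnel" if covered(ip, edgerouter[2]) else "-> default route (WAN)")
```

Run stand-alone it reports the single mismatch and the range 192.168.202.0 to 192.168.207.255, which is the "IPs above 192.168.201.255" the poster observed. The practical caveat is that such a mismatch fails open rather than closed: traffic from the uncovered hosts is not dropped, it is forwarded unencrypted out of the WAN towards a private destination (and typically NATed), so a selector typo is worth checking whenever only some hosts on one side of a tunnel are affected.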
@S3rg3 The issue you're experiencing with the IKEv1 site-to-site tunnel between the ER605 and EdgerouterX, where some clients are unable to access the subnet, seems to be related to routing inconsistencies. Since some clients can trace the route correctly through both hops (ER605 and Edgerouter), while others are diverted to the internet after the first hop, it suggests there might be a problem with how certain clients' traffic is being routed. This could be due to various factors such as IP routing conflicts, subnet mask mismatches, or access control lists (ACLs) settings on the ER605. Checking these settings and ensuring that all clients are configured correctly to follow the intended path through the tunnel could help resolve the issue. Additionally, verifying that the static route you created is correctly configured and active, and that there are no conflicting routes in the routing table, might also assist in troubleshooting this problem.
I don't know how the EdgeRouter is configured, but I assume it's something similar to the UniFi USG. There are two choices: route-based and policy-based VPN.
A third-party router is recommended for policy-based routing; then you must create a route to the remote network and select the VPN interface.
But as I said, I don't know if it's quite the same on the EdgeRouter.
On the UXG-Pro and UDM-Pro I use route-based VPN to an ER8411 and it works, but I have not tested older routers like the USG to TP-Link.
If you can, show us a screenshot of the VPN configuration of the EdgeRouter.
The TP-Link routers are actually quite good at site-to-site IPsec VPN, so I don't think the fault lies there, but if you have a screen of TP-Link to
Hi @S3rg3
Thanks for posting in our business forum.
Like MR.S said, I am very suspicious about your description when you wrote:
S3rg3 wrote
As a test I tried to do a tracert (Windows) and traceroute (Linux) from multiple clients on the ER605 side, tracing the route to the EdgeRouter.
Some clients show 2 hops: hop 1 is the ER605 gateway and hop 2 is the EdgeRouter.
Other clients never complete the traceroute, with hop 1 being the ER605 gateway and hop 2 going out to the internet.
So, have you verified your settings are correct? Is there a misconfiguration in your site-to-site setting?
I don't believe that the VPN would incorrectly route it in that way.
If your IP is a private IP address, it'll follow the IPsec routing table strictly. It should not route to the Internet on the 2nd hop.
Would love to see your verification steps with screenshots, problem explanation with screenshots, and network diagram and config. Will follow it up. No worries.
Hi @S3rg3
S3rg3 wrote
Thank you for all your comments! I was not expecting multiple people and someone from TP-Link to answer so fast. After reading all the comments I made a list and went through them one by one. I then started typing a response and taking screenshots with the hope of getting some additional help from all of you. As I did, I noticed something wrong in the tunnel configuration on the EdgeRouter side. My LAN on the ER605 is 192.168.200.0/21, but on the EdgeRouter I had entered 192.168.200.0/23, and it finally clicked. The EdgeRouter sends the LAN prefix to the ER605, which gets configured on the tunnel and is also displayed under VPN status. All my clients with IPs above 192.168.201.255 were not able to traverse the tunnel.
Thank you again for the support. I feel dumb having spent a few days trying to fix it. I even set up a Cloudflare tunnel because I was convinced it was a bug in the ER605.
This happens to anyone. Even skilled people can also make mistakes. I was once in your shoes. No worries. I felt dumb too when I found out it was my mistakes or typos in the config that messed things up.
Glad it's been resolved.