TL-R605 create multiple site-to-site IPSEC VPNs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-09-07 01:09:20
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.1.1

I have two sites A and B, connected by an automatic IPsec site-to-site link. Site A has the OC200 controller. Everything seems to work fine.

I also have client-to-site OpenVPNs set up to connect remote users to both sites when needed.

Now I want to connect a second site-to-site VPN to site B, to connect to a client's network.

However, when I go to create a manual site-to-site IPsec VPN, I always get an error message that 'The local subnet and remote subnet cannot overlap with those of existing Ipsec VPN policies.'

I understand that the remote subnets need to not overlap (although as other posters have noted, that rule should really only be enforced at the time that the VPN is enabled, so you can switch between multiple similar configurations).

But it seems to be also expecting the local subnets to be unique, which seems unnecessary - the whole point of a VPN is to route traffic between your local network and a remote location. You'd expect the local subnet to be the same for most of your VPNs, wouldn't you?

If I create a second LAN with a different subnet, and configure the VPN to use that as the local network, then I can add the VPN configuration OK. Which confirms that the problem is having the same local subnet on two IPsec configs. I might be able to make that work in my case, but since the default LAN network insists on also hogging untagged traffic on every LAN port, I suspect I'm also going to have to add a managed switch that can tag the traffic.

There is so much that is so good about the Omada environment, but it seems like it keeps failing on even fairly simple use cases.

Anyone have any ideas what I'm doing wrong, or have any workarounds?

#1
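
The following is an added example, not part of the original post and not TP-Link's code. It contrasts two ways to validate IPsec policy selectors: a pairwise rule (two policies are ambiguous only if some packet could match both, meaning the local and the remote subnets both overlap) and a stricter either-field rule, which is an assumption modelled on the behaviour the post describes. All subnets and policy names are constructed.

```python
from ipaddress import ip_network
from itertools import combinations
from typing import NamedTuple


class Policy(NamedTuple):
    name: str
    local: str   # local subnet (traffic selector, our side)
    remote: str  # remote subnet (traffic selector, peer side)


def _overlap(x: str, y: str) -> bool:
    return ip_network(x).overlaps(ip_network(y))


def pairwise_conflict(a: Policy, b: Policy) -> bool:
    """Ambiguous only if a single packet (src, dst) could match both policies."""
    return _overlap(a.local, b.local) and _overlap(a.remote, b.remote)


def either_field_conflict(a: Policy, b: Policy) -> bool:
    """Assumed stricter rule: reject if the local OR the remote subnets overlap."""
    return _overlap(a.local, b.local) or _overlap(a.remote, b.remote)


def conflicts(policies, rule):
    """Return the name pairs that the given rule would reject."""
    return [(a.name, b.name) for a, b in combinations(policies, 2) if rule(a, b)]


# Constructed sample policies as seen from site B (addresses are illustrative).
SITE_A = Policy("to-site-A", "192.168.20.0/24", "192.168.10.0/24")
CLIENT = Policy("to-client", "192.168.20.0/24", "10.50.0.0/16")
# The second-LAN workaround from the post: a different local subnet.
CLIENT_VIA_LAN2 = Policy("to-client-lan2", "192.168.21.0/24", "10.50.0.0/16")
# A genuinely ambiguous policy: same local subnet, remote inside site A's range.
AMBIGUOUS = Policy("to-A-subset", "192.168.20.0/24", "192.168.10.128/25")

if __name__ == "__main__":
    for label, pols in [
        ("shared local subnet", [SITE_A, CLIENT]),
        ("second LAN workaround", [SITE_A, CLIENT_VIA_LAN2]),
        ("overlapping remote", [SITE_A, AMBIGUOUS]),
    ]:
        print(label)
        print("  pairwise    :", conflicts(pols, pairwise_conflict))
        print("  either-field:", conflicts(pols, either_field_conflict))
```

The pairwise rule accepts two tunnels that share a local subnet but reach different remotes, and still rejects the case where forwarding would be ambiguous.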
Re:TL-R605 create multiple site-to-site IPSEC VPNs
2021-09-08 03:10:56

@3Pro

Hey,

I created two manual IPSec policies without this problem. I think auto IPSec has a lot of bugs. I will not advise this type.

#2
Re:TL-R605 create multiple site-to-site IPSEC VPNs
2021-09-08 03:41:46

Dear @3Pro,

3Pro wrote:

I have two sites A and B, connected by an automatic IPSEC site-to-site link. Site A has the OC200 controller. Everything seems to work fine.

I also have client-to-site OpenVPNs set up to connect remote users to both sites when needed.

Now I want to connect a second site-to-site VPN to site B, to connect to a client's network.

However when I go to create a manual site-to-site ipsec VPN, I always get an error message that 'The local subnet and remote subnet cannot overlap with those of existing Ipsec VPN policies.'

For your case, I'd like to escalate to the TP-Link support team who could help you more efficiently.

They will reach you via your registered email address shortly, please pay attention to your email box later.

Once the issue is addressed or resolved, I'd encourage you to share it with the community.

Thank you so much for your cooperation and support!

#3