howdey57
newbie
Topic Author
Posts: 27
Joined: Wed Dec 31, 2014 2:36 pm

How do I: Route with ipsec and L2TP?

Sun Aug 12, 2018 9:13 pm

Noobie question: I don't yet have a config problem. I just don't know where to start.

I have 2 networks with different subnets joined by a new IPsec VPN. When away from the network, I connect using my laptop over an L2TP VPN.

My question is: what do I need to use to be able to get to the "far" network when I connect my laptop via the L2TP VPN to the "near" network? When using a PC connected directly to either subnet I can get to the other one.

I haven't added any routes but suspect I have to. Any pointers to get me started would be appreciated.

Thanks,
Charles
 
sindy
Forum Guru
Posts: 1970
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do I: Route with ipsec and L2TP?

Mon Aug 13, 2018 12:04 am

It depends on the ranges you assign to the L2TP clients. If your site-to-site tunnel uses plain IPsec, you currently use ipsec policies with src-address=site-A-lan-subnet and dst-address=site-B-lan-subnet and vice versa. If you assign the L2TP clients on each site addresses from these existing LAN subnets, you don't need to change anything, except that in such a case the arp parameter of the LAN interfaces has to be set to proxy-arp. If you choose a separate pool for L2TP clients, you have to add matching IPsec policies, site-A-lan-subnet<->site-B-l2tp-subnet and site-A-l2tp-subnet<->site-B-lan-subnet.

If your site-to-site tunnel uses "something over IPsec" (something=gre,ipip,eoip...), then the above is still true except that you have to use normal routes instead of ipsec policies in the second case.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace each occurrence of any public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
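What the two options above look like on the site A router, as an added RouterOS CLI example (not configuration posted in this thread). It assumes plain IPsec (no gre/ipip/eoip inside), RouterOS 6.42-era policy syntax (on 6.43 and later the policy references a peer via peer= instead of sa-src-address/sa-dst-address), and constructed placeholder subnets and public addresses; the mirrored commands go on the site B router.

```routeros
# Added example, not from the thread. All addresses are constructed placeholders:
#   site A LAN 192.168.1.0/24, site A L2TP pool 192.168.10.0/24
#   site B LAN 192.168.2.0/24, site B L2TP pool 192.168.20.0/24
#   public addresses written as my.public.ip.A / my.public.ip.B (the pattern sindy suggests)

# --- Option 2 (separate pool): L2TP clients get their own subnet ---
/ip pool add name=l2tp-pool-A ranges=192.168.10.2-192.168.10.254
/ppp profile set default-encryption local-address=192.168.10.1 remote-address=l2tp-pool-A

# Existing LAN<->LAN policy, plus the two extra policies sindy names.
# Each policy here must have its mirror image (src/dst swapped) on the site B router.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes sa-src-address=my.public.ip.A sa-dst-address=my.public.ip.B proposal=default action=encrypt comment="site-A-lan <-> site-B-lan"
add src-address=192.168.10.0/24 dst-address=192.168.2.0/24 tunnel=yes sa-src-address=my.public.ip.A sa-dst-address=my.public.ip.B proposal=default action=encrypt comment="site-A-l2tp <-> site-B-lan"
add src-address=192.168.1.0/24 dst-address=192.168.20.0/24 tunnel=yes sa-src-address=my.public.ip.A sa-dst-address=my.public.ip.B proposal=default action=encrypt comment="site-A-lan <-> site-B-l2tp"

# --- Option 1 (same subnet): L2TP clients take addresses out of the LAN range ---
# No new policies are needed, because the existing LAN<->LAN policy already covers them.
# The LAN-facing interface must answer ARP for the L2TP clients, hence proxy-arp:
# /ip pool add name=l2tp-pool-A ranges=192.168.1.200-192.168.1.220
# /interface bridge set bridge arp=proxy-arp

# --- Checks after connecting an L2TP client and pinging a site B host ---
/ip ipsec policy print        # the matching policy should show ph2-state: established
/ip ipsec installed-sa print  # one SA pair per policy that has actually carried traffic
```

If the L2TP client can reach site A's LAN but not site B's, the usual sign in the checks is the new policy stuck at no-phase2: either its mirror is missing on the other router or the client's address falls outside the src-address it declares.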
 
howdey57
newbie
Topic Author
Posts: 27
Joined: Wed Dec 31, 2014 2:36 pm

Re: How do I: Route with ipsec and L2TP?

Mon Aug 13, 2018 1:11 am

Thank you sindy. That worked. I changed the pool to the same subnet and changed the profile to proxy-arp on the bridge only and things seem to work now.

Charles
