VPN traffic is not being forwarded through Peplink


#1

Hi Team,

How do I forward IPsec traffic for the peer residing behind the Peplink? Below is my scenario. I wanted help from the Peplink perspective and wanted to know what changes I need to make on the Peplink.

RemoteLAN[10.10.99.0/24]-----[10.10.99.1]Fortinet[1.2.3.4]===INTERNET===[5.6.7.8 ISP1 & 7.8.9.10 ISP2]Peplink[10.1.1.1]—[10.1.1.2][Firewall]—192.168.100/24

So I have the remote encryption domain as 10.10.99.0/24
And mine is 192.168.100.0/24
My firewall is NATed with 5.6.7.8 <–> 10.1.1.2

And I have a tunnel built from my firewall to the Fortinet. The IPsec tunnel shows up and a route is added on my firewall for 10.10.10.99.0/24 NH 10.1.1.1,
but traffic is being forwarded to 7.8.9.0 and I am not able to ping the other end.

Is there any other configuration needed for VPN pass through?


#2

Hi,

I think this route - 10.10.99.0/24 —> 10.1.1.1 - is not needed, since traffic between 10.10.99.0/24 and 192.168.100.0/24 is encrypted in the IPsec tunnel.

Please enable IPsec NAT-T passthrough via Network > Service Passthrough > IPsec NAT-T. Please define custom ports if your IPsec ports are outside UDP ports 500, 4500, and 10000.

Hope this helps.


#3

Hello,

So when I do a tracert to 10.10.99.x it takes the other ISP, so do I need to add an outbound policy? And where do I add custom ports for IPsec?


#4

Hi,

10.10.99.0/24 —> (10.10.99.1)Fortinet(1.2.3.4) —> INTERNET <— (ISP1 & ISP2)Peplink(10.1.1.1) <— (10.1.1.2)Firewall <— 192.168.100/24
---------------------------|---------------------------------------------------------------------------------------------------------|
----------------------------------------------------------------------------IPSec tunnel--------------------------------------------

Please find the diagram above. Your routing path will be Source host > Firewall > IPsec tunnel > Fortinet > Destination host when you perform a trace route from 192.168.100.0/24 to 10.10.99.0/24. This is invisible to the Peplink router.

Please find the screenshot below to add custom ports for IPsec. Please take note that Peplink will route IPsec traffic to WAN1 by default after IPsec NAT-T passthrough is enabled.



#5

I see, but in this case my firewall is NATed with the WAN3 IP, and per you the traffic will be forwarded to WAN1 by default when IPsec pass-through is enabled. How do I make it route through WAN3 then?


#6

Again, the issue I see is (and you are absolutely right) that the destination encryption domain should be invisible to the Peplink as it is a site-to-site tunnel. But when I tracert a 10.10.99.x IP I can see the Peplink IP, and then traffic is forwarded to the Internet through WAN1, as I stated in my other post.


#7

Hi,

Please find the screenshot below.


This shouldn't happen. Please check the settings in the firewall. It looks like you are having a problem in the phase 2 settings.
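An added offline check for the symptom in #6 and the diagnosis in #7 (this is example code, not from the thread or from Peplink): it parses tracert-style output toward the remote encryption domain and flags hops that should never appear if the firewall had encrypted the packet, namely the Peplink LAN address 10.1.1.1 or any Internet address. The addresses come from the thread; the two sample traces are constructed.

```python
import ipaddress
import re

# Constructed tracert output from a 192.168.100.0/24 host to the remote domain,
# mirroring the thread: the Peplink LAN IP and a public WAN hop are visible.
LEAKING_TRACE = """\
  1     1 ms     1 ms     1 ms  192.168.100.1
  2     2 ms     2 ms     2 ms  10.1.1.2
  3     3 ms     3 ms     3 ms  10.1.1.1
  4    14 ms    15 ms    15 ms  7.8.9.10
  5     *        *        *     Request timed out.
"""

# Constructed output for a working site-to-site tunnel from the same host: after
# the local gateway the next reply already comes from the remote domain.
WORKING_TRACE = """\
  1     1 ms     1 ms     1 ms  192.168.100.1
  2    40 ms    41 ms    40 ms  10.10.99.1
  3    42 ms    41 ms    42 ms  10.10.99.25
"""

REMOTE_DOMAIN = ipaddress.ip_network("10.10.99.0/24")  # from the thread
PEPLINK_LAN = ipaddress.ip_address("10.1.1.1")         # from the thread

# "<hop> ... <IPv4 address>" at end of line; timeout lines carry no address.
HOP_RE = re.compile(r"^\s*(\d+)\s.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_hops(trace):
    """Return [(hop_number, ip_address), ...] for lines carrying an address."""
    hops = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops


def diagnose(trace):
    """Return (tunneled, leaked_hops) for a trace toward REMOTE_DOMAIN.

    A hop equal to the Peplink LAN address or to any non-private address means
    the firewall routed the packet in clear text rather than into the IPsec SA,
    i.e. the phase 2 selectors do not cover this destination.
    """
    leaked = []
    for _, ip in parse_hops(trace):
        if ip in REMOTE_DOMAIN:
            break  # reply from the far side: the tunnel carried the packet
        if ip == PEPLINK_LAN or not ip.is_private:
            leaked.append(str(ip))
    return (len(leaked) == 0, leaked)
```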