VPN Tunnel to different locations with the same internal networks


#1

It appears currently Peplink does not support VPN tunnels to different locations with the same internal networks.

Attached is an example of how this is achieved with another product. Basically it requires the ability at the hub to specify a virtual subnet as the remote subnet but more importantly for the spoke Peplink to be able to Destination NAT this traffic from the Virtual Subnet to the real LAN subnet. This is a frequent requirement for us among OEM type customers and it would be great to be able to offer a Peplink version of the solution!




#2

Hello,

We actually already support this feature and types of deployment. (SpeedFusion/PepVPN only)

NAT Mode:
The remote unit VPN will be assigned an IP address from the local DHCP server. All the remote side traffic via this VPN will go through Network Address Translation (NAT) using the assigned IP address.

You may enable by:



#3

Hi Jared - fast response! Am I right to assume “remote” = spoke and “local” = hub?

Can you discuss this with Ron Case? Ron and I have traded a few e-mails and there are two different variations here:

  1. Spoke units get an IP from the Hub DHCP pool; this can support spoke LAN initiated traffic to the Hub but not always hub side initiated traffic to unique hosts in the spoke LAN. In some implementations, hub LAN to spoke LAN is supported via Port Forwarding at the spoke which will work for some applications, but I understood Ron to mean even this was only in development and not available today.
  2. If you refer to my diagrams, you’ll see hub LAN devices can actually initiate comms to individual devices by IP in the spoke LAN - the key is they have to target virtual IPs that eventually get NATed to the real IPs. This scenario is more comprehensive than scenario 1 as it allows full hub LAN to spoke LAN comms with no port forwarding.

Can you talk to Ron, re-review my attachments, and provide feedback as to which of the above scenarios is supported and which are on roadmap? You can PM me or get my full contact info from Ron if it’s easier to discuss on a call.
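
Scenario 2 above (hub hosts target unique virtual IPs that each spoke NATs 1:1 to its real LAN), sketched as an added example that is not part of the original post and not Peplink's implementation. The spoke names, the 10.100.x.0/24 virtual subnets and the function names are constructed for illustration.

```python
import ipaddress

# Constructed plan: both spokes use the same real LAN, so the hub reaches
# each one through its own virtual subnet (all addresses are illustrative).
HUB_LAN = "192.168.1.0/24"
SPOKES = {
    "spoke-a": {"virtual": "10.100.1.0/24", "real": "192.168.2.0/24"},
    "spoke-b": {"virtual": "10.100.2.0/24", "real": "192.168.2.0/24"},
}

def build_table(spokes, hub_lan):
    """Validate the addressing plan; return [(name, virtual_net, real_net)]."""
    hub = ipaddress.ip_network(hub_lan)
    table = []
    for name, cfg in spokes.items():
        virt = ipaddress.ip_network(cfg["virtual"])
        real = ipaddress.ip_network(cfg["real"])
        if virt.prefixlen != real.prefixlen:
            raise ValueError(f"{name}: 1:1 NAT needs equal prefix lengths")
        if virt.overlaps(hub) or virt.overlaps(real):
            raise ValueError(f"{name}: virtual subnet collides with a real LAN")
        if any(virt.overlaps(v) for _, v, _ in table):
            raise ValueError(f"{name}: virtual subnet is not unique at the hub")
        table.append((name, virt, real))
    return table

def hub_to_spoke(table, dst):
    """Hub routes on the virtual subnet; the spoke DNATs to the real host."""
    addr = ipaddress.ip_address(dst)
    for name, virt, real in table:
        if addr in virt:
            host = int(addr) - int(virt.network_address)  # keep host bits
            return name, str(real.network_address + host)
    return None  # not a virtual address, so no tunnel is selected

def spoke_to_hub(table, spoke, src):
    """Reverse mapping: the spoke SNATs a real source to its virtual IP."""
    for name, virt, real in table:
        if name == spoke and ipaddress.ip_address(src) in real:
            host = int(ipaddress.ip_address(src)) - int(real.network_address)
            return str(virt.network_address + host)
    return None

if __name__ == "__main__":
    table = build_table(SPOKES, HUB_LAN)
    for dst in ("10.100.1.25", "10.100.2.25", "192.168.2.25"):
        print(dst, "->", hub_to_spoke(table, dst))
    print(spoke_to_hub(table, "spoke-b", "192.168.2.25"))
```

The plan check rejects any virtual subnet that overlaps the hub LAN, a real spoke LAN or another spoke's virtual subnet, since any of those would make the hub's route selection ambiguous again.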


#4

Hello,

Ahh thanks for clearing that up, we can’t totally support what you are looking for but let’s get engineering’s take.


#5

Any update here Jarid?


#6

Hi,

We did receive a similar request previously. We are targeting support in v6.3. Stay tuned.


#7

TK,

If I’m not mistaken it looks like Peplink added support for this when using IPSec VPN:

Are there any plans to make similar functionality available when using PepVPN?


#8

Hi John,

We will support a similar feature. Below is an example.

(192.168.2.0/24) Branch —SF NAT mode—> HQ (192.168.1.0/24)

  • 192.168.2.0/24 will be NATed to 192.168.1.2 (a reserved IP) when accessing HQ’s hosts.

(192.168.2.0/24) Branch <—SF NAT mode— HQ (192.168.1.0/24)

  • 192.168.1.0/24 can access Branch’s host with IP 192.168.1.2 (a reserved IP) via Port Forwarding.