What's the point of a Peplink IPsec VPN if you can't route traffic through it?

I have an IPsec VPN setup from a Balance 20 to a remote site. I would like to send traffic through it.

When I go to Outbound Policy, the VPN doesn’t show up in the list of enforced routes. Only SpeedFusion VPNs show up.

So how do I send some traffic but not all traffic through the IPsec VPN? Otherwise, what’s the use?

This seems to be an artificial limitation to force use of SpeedFusion, but there are a lot of devices out there that are not a Peplink.

In Peplink’s world, IPSEC is for site-to-site traffic. You define the networks that are available at the remote end and traffic for those networks will pass that way.
You can optionally define 0.0.0.0/0 as a remote network and by default all traffic will route that way. This is used for cloud-based filtering / firewall services that work using IPSEC.


Thank you for your reply Martin

So currently, the remote side can ping me, but I can’t ping them.

From what you stated, how do I define the network at the remote end so that the traffic will pass that way? Can you explain in more detail please.

The remote end is using public IP ranges that are actually on their LAN, as if they were 10. or 192.168. networks. So when I ping the IP address I need to have the traffic go through the VPN for just their specific subnet such as 1.2.3.xxx rather than it searching the real internet.

If I set it so that all traffic goes through the VPN, then my internet browsing and everything else would cease to function since the VPN is only for a specific task.

If you set up the IPSEC tunnel as policy-based, you will define the local and remote network in the profile, and that is where the remote network is added to the local routing table.

If you set up the IPSEC tunnel as route-based, it creates a tunnel interface instead, and then you will use Outbound Policy to define which traffic will go over the tunnel.

If you create a policy-based profile, then switch it to route-based, then back to policy-based, there is a bug in the UI which will prevent you from setting it up correctly. You simply need to delete and re-create the policy-based IPSEC profile.

Also check your firewall rules for issues, just in case, unless you’ve left the default allow any/any.

Hope that helps.

How do you set up a policy-based tunnel?

My current stumbling point is that the Outbound Policy does not allow me to select the IPsec VPN. I need segmented traffic to go through this VPN, not all traffic.

I am receiving traffic as the other end can route to me, but I’m unable to route to them, I suspect because I don’t seem to be able to route to them using the Outbound Policy setup.

Check your IPSEC profile under “IPSEC Type”-

Policy-based: traffic to the remote is defined by the remote networks.

Route-based: Outbound Policy will determine which traffic is routed.

If you aren’t seeing the IPSEC profile in your Outbound Policy list, then the profile is policy-based. You’ll need to switch it to route-based for it to appear in Outbound Policy.

I’ve encountered a bug where switching it after creation causes issues, you might want to delete it and recreate it.

TL;DR
To define traffic for IPSEC, under “IPSEC Type” use either policy-based and add the remote network segments in the profile, or route-based and then use Outbound Policy.

Hope that makes sense. It can definitely do what you are wanting it to do.

Hello, Alfred.

Follow what I did.

Thank you Marcelo. So the part I’m missing is I am unable to select IPsec as my Connection on Outbound Policy Enforced. I can only select the WANs from the dropdown. If it were a PepVPN, it would appear in the dropdown. IPsec VPNs don’t. I’m on a Balance 20 with 8.1.3 build 5021

Thank you Noah. I apologise for being a noob, but where is IPSEC Type?


Hi.

You need to update your box… I am using 8.2.1s183 build 5462.

Ok, thanks. I’ll do that tonight, once the users are off the system.

You probably need to run a firmware update if the option is missing. 8.2.1 or higher. Most of mine are on 8.3. Once you do that, then you should see it from within the configured IPSEC profile.


Ok, I’ve updated the box. No dice. IPsec VPNs don’t appear in the Outbound Policy, Enforced Connection drop down.
I’m still only able to select WAN connections (or SpeedFusion VPNs if I create one).
I’m using a Peplink Balance 20 BPL-021 Hardware Revision 8, Firmware 8.3.0 build 5106 downloaded yesterday.

Shoot. still not there and am on 8.3.0 now, downloaded and installed yesterday.

When I click New Profile on IPsec VPN Profiles, it takes me straight to the setup screen. The setup screen does not have an IPsec Type option.

You may need to factory reset your Balance 20. Could also open a support ticket with Peplink, they can remote in and run some diagnostics and try to figure out why it’s not working like it’s supposed to.

FYI for others: Only certain newer hardware versions allow what is described above. On the Balance One/Two for instance, you have to have HW4 or higher.

That would explain it. You should still be able to get it to work as policy-based though. The defined “remote networks” will be system routes. Make sure you don’t have any conflicting routes configured that are shorter distance. I set almost all mine up policy-based, and they work flawlessly. No outbound policies needed.
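The two modes discussed in this thread behave differently for the original poster's case (a remote LAN that uses a public range, only that range should go through the tunnel, everything else stays on the WAN). The following is an added example, my own Python model and not Peplink firmware or anyone's posted configuration, that lets you check the routing outcome offline: in policy-based mode each "remote network" becomes a system route and the router picks the longest matching prefix; in route-based mode the tunnel is an interface and an ordered Outbound Policy list decides, modelled here as first match wins, top down. The connection names `WAN1`, `WAN2` and `IPsec:remote-site`, the metric values used to break a tie between two routes of equal prefix length, and the sample prefixes are all constructed for the illustration; `1.2.3.0/24` stands in for the public range the poster said is used on the remote LAN.

```python
"""Model of Peplink-style policy-based vs route-based IPsec traffic selection.

Added illustration, not vendor code. Connection names, metrics and prefixes
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

TUNNEL = "IPsec:remote-site"   # hypothetical IPsec profile name
WAN = "WAN1"                   # hypothetical default WAN connection


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int


@dataclass
class RoutingTable:
    routes: list = field(default_factory=list)

    def add(self, prefix, next_hop, metric=100):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, metric))
        return self

    def lookup(self, dst):
        """Longest-prefix match; a lower metric wins a tie on prefix length."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.prefix]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.next_hop


def policy_based_table(remote_networks, tunnel=TUNNEL, wan=WAN):
    """Policy-based profile: every remote network becomes a system route to
    the tunnel, sitting beside the WAN default route. Giving the tunnel routes
    a better (lower) metric is a modelling assumption that reproduces the
    thread's note that 0.0.0.0/0 as a remote network captures all traffic."""
    table = RoutingTable().add("0.0.0.0/0", wan, metric=100)
    for net in remote_networks:
        table.add(net, tunnel, metric=10)
    return table


def conflicting_routes(table, tunnel=TUNNEL):
    """Routes that do NOT point at the tunnel but are more specific than a
    tunnel route: longest-prefix match will prefer them, so traffic for that
    part of the remote LAN silently bypasses the VPN."""
    tunnel_prefixes = [r.prefix for r in table.routes if r.next_hop == tunnel]
    return [
        r for r in table.routes
        if r.next_hop != tunnel
        and any(r.prefix.subnet_of(t) and r.prefix.prefixlen > t.prefixlen
                for t in tunnel_prefixes)
    ]


@dataclass
class OutboundRule:
    name: str
    destination: ipaddress.IPv4Network
    connection: str


def outbound_rule(name, destination, connection):
    return OutboundRule(name, ipaddress.ip_network(destination), connection)


def route_based_decision(rules, dst, default_connection=WAN):
    """Route-based profile: the tunnel is an interface selectable in Outbound
    Policy. Rules are checked in order, first match wins; anything unmatched
    falls through to the default connection (simplified model)."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if ip in rule.destination:
            return rule.connection
    return default_connection


if __name__ == "__main__":
    # Policy-based: only the remote LAN's public range goes through the tunnel.
    t = policy_based_table(["1.2.3.0/24"])
    print("1.2.3.7  ->", t.lookup("1.2.3.7"))     # IPsec:remote-site
    print("8.8.8.8  ->", t.lookup("8.8.8.8"))     # WAN1

    # Policy-based with 0.0.0.0/0: everything, including browsing, uses the tunnel.
    print("all via tunnel:", policy_based_table(["0.0.0.0/0"]).lookup("8.8.8.8"))

    # A more specific conflicting route steals half of the remote LAN.
    t.add("1.2.3.0/25", "WAN2")
    print("1.2.3.7 with /25 conflict ->", t.lookup("1.2.3.7"))   # WAN2
    print("conflicts:", [(str(r.prefix), r.next_hop) for r in conflicting_routes(t)])

    # Route-based: the same selection expressed as an Outbound Policy rule.
    rules = [outbound_rule("remote-lan", "1.2.3.0/24", TUNNEL)]
    print("route-based 1.2.3.7 ->", route_based_decision(rules, "1.2.3.7"))
```

`conflicting_routes` is the check behind the last reply's advice: before blaming the tunnel, list any static or WAN route that is a more specific subnet of a defined remote network, since longest-prefix match will send that traffic around the VPN without any error being logged.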