How to configure IPSec LAN to LAN VPN for multiple subnets using the new GUI
TL-R600VPN( V4 ) , TL-ER6120( V2 V3 ) , TL-ER6020( V2 )
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
This article mainly introduces how to configure IPSec LAN to LAN VPN for multiple subnets, if you have any other problems about how to configure VPN connections, please refer to Configuration Guide for VPN.
Topology and requirements
- VPN Router_1 and VPN Router_2 connect together via IPSec VPN.
- PC_1 in remote subnet 192.168.10.0/24 could access PC_2 in local subnet 192.168.20.0/24
- PC_1 in remote subnet 192.168.10.0/24 could access PC_3 in local subnet 192.168.30.0/24
- PC_1 in remote subnet 192.168.10.0/24 could access PC_4 in local subnet 192.168.40.0/24
Configurations on VPN Router
Apart from configuring VPN connections on VPN Routers, we shall also configure Static Routing and Multi-Nets NAT on VPN Router which contains multiple subnets (In this example it is VPN Router_2).
1. Configure IPSec VPN connection on two VPN Router
We shall configure IPsec VPN Tunnel for each subnets so that packets in those subnets could go through the VPN connection. In this example, we configure three IPsec VPN Tunnel on VPN > IPSec > IPSec Polocy as follows:
When the IPSec VPN Tunnel connected, you could see entries on VPN > IPSec > IPSec SA as follows:
2. Configure Static Route on VPN Router_2
Static Route is required to make sure that packets sent from the remote subnet 192.168.10.0/24 could be forwarded to different subnets. Here we shall configure the IP address of switch as the Next Hop for packets send to each subnets different from LAN of VPN Router_2 on Transmission > Routing > Static Route as follows:
3. Configure Multi-Nets NAT on VPN Router_2 (Optional)
Multi-Nets NAT is configured to enable the Internet access of different subnets. If you don’t configure it, your VPN connection for different subnets would not be affected, thus you could configured it according to your actual requirement. In this example we could configure it on Transmission > NAT > Multi-Nets NAT as follows:
Configurations on L2+/L3 Switch
On L2+/L3 Switch, we shall configure Static Routing and Interface so that packets in different subnets could be transmitted between this L2+/L3 Switch and VPN Router_2.
1. Configure Interface for different subnets on L2+/L3 Switch
We need to configure Interface for each subnets so that packets could be forwarded between this subnet and L2+/L3 Switch. Go to L3 FEATURES > Interface > Interface Config > Edit IPv4 to configure it as follows
2. Configure Static Routing on L2+/L3 Switch
Here the Static Routing entry performs as default gateway. It would send all packets to VPN Router_2 to forward to the remote site of VPN Tunnel or access Internet. Go to L3 FEATURES > Static Routing > IPv4 Static Routing to configure it as follows:
Finally, after configuring Interface and Static Routing, we could the routing table on L3 FEATURES > Routing Tables > IPv4 Routing Table as follows:
Looking for More
Is this faq useful?
Your feedback helps improve this site.
What’s your concern with this article?
- Dissatisfied with product
- Too Complicated
- Confusing Title
- Does not apply to me
- Too Vague
- Other
We'd love to get your feedback, please let us know how we can improve this content.
Thank you
We appreciate your feedback.
Click here to contact TP-Link technical support.
TP-Link Community
Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again
Basic Cookies
These cookies are necessary for the website to function and cannot be deactivated in your systems.
TP-Link
SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType
Youtube
id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ
Zendesk
OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance
Analysis and Marketing Cookies
Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.
The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.
Google Analytics & Google Tag Manager
_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>
Google Ads & DoubleClick
test_cookie, _gcl_au