IPSec VPN only allows remote client to access some internal IPs


MaplewoodGeek

New Around Here
I have setup my RT-AX92U router with the IPSec VPN enabled. I can connect from a remote client using both Windows and Android. Unfortunately, when remote and connected with the VPN, I can only access some internal IP addresses. For example, I can ping and RDP into a server with an IP of 10.0.0.4, but I cannot ping or connect with RDP to the server at address 10.0.0.6.

I get the same behavior on my Android tablet and my Windows laptop. I've tried it from several remote networks including Wifi networks at a business, using a hotspot from my phone, and from using the LTE cellular connection in the tablet.

When connected to my home network via Wifi or ethernet, it works just fine. So it's not a server problem. I have about 10 hosts in my network and it seems like I can only connect to one of them when remote using the VPN.
 
I was digging around and found a difference between the servers I can connect to and the ones I cannot. The ones I can connect to use the router that hosts the VPN connection as their default gateway. The other servers have a different default gateway. I'm wondering if I can use some static routes to send traffic for the IP addresses assigned by the VPN connection to a different gateway.
 
I was able to make things work with persistent static routes on all the servers that use a different default gateway.

One thing to note is the VPN on the router was assigning IPs in the range 10.10.10.x even though I had changed the advanced settings to use the network 192.168.0.x and rebooted the router and reconnected the clients.

I ran this command from an administrative command prompt on all the servers with a default gateway that was not my Asus router.

route -p add 10.10.10.0 mask 255.255.255.0 10.0.0.10

So any packets for the 10.10.10.x IPs (those assigned by the VPN server on the router) would go to the LAN address (10.0.0.10) of my Asus router that is running the IPSec VPN.
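Added illustration (not from the thread) of why the fix works: each server's reply to a VPN client is decided by a longest-prefix-match route lookup, so a server whose default gateway is not the Asus router sends its replies to a box that has no tunnel. The addresses are the ones in the thread (10.10.10.0/24 client pool, router LAN address 10.0.0.10); the second default gateway 10.0.0.1 and the client address 10.10.10.5 are constructed placeholders.

```python
"""Model of a LAN server's route lookup for replies to IPsec VPN clients.

Added example, not code from the thread. Thread values: VPN client pool
10.10.10.0/24, Asus router LAN address 10.0.0.10. The other servers'
default gateway (10.0.0.1) is a constructed placeholder.
"""
from ipaddress import IPv4Address, IPv4Network

ROUTER_LAN = IPv4Address("10.0.0.10")    # Asus router running the IPsec VPN
OTHER_GATEWAY = IPv4Address("10.0.0.1")  # constructed: the other default gateway
VPN_POOL = IPv4Network("10.10.10.0/24")  # addresses handed to VPN clients
LAN = IPv4Network("10.0.0.0/24")


def next_hop(routes, dst):
    """Return the gateway chosen by longest-prefix match for dst.

    routes: list of (IPv4Network, gateway) where gateway is None for a
    directly connected network. Returns "direct" or the gateway as a string.
    """
    dst = IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return "direct" if gw is None else str(gw)


def host_routes(default_gw, static=()):
    """Routing table of a LAN server: connected LAN, default route, statics."""
    return [(LAN, None), (IPv4Network("0.0.0.0/0"), default_gw), *static]


# Server like 10.0.0.4: default gateway is the Asus router, so replies to a
# VPN client go straight back to the device that terminates the tunnel.
working = host_routes(ROUTER_LAN)
# Server like 10.0.0.6: different default gateway, so the request arrives but
# the reply leaves towards a gateway with no tunnel and is lost (asymmetric path).
broken = host_routes(OTHER_GATEWAY)
# Same server after 'route -p add 10.10.10.0 mask 255.255.255.0 10.0.0.10':
# the /24 beats the /0 default route for the VPN pool only.
fixed = host_routes(OTHER_GATEWAY, static=[(VPN_POOL, ROUTER_LAN)])

if __name__ == "__main__":
    client = "10.10.10.5"  # constructed VPN client address
    for name, table in [("10.0.0.4", working), ("10.0.0.6", broken),
                        ("10.0.0.6 + static route", fixed)]:
        print(f"{name:>24}: reply to {client} via {next_hop(table, client)}")
```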
 
There are generally two options for routing with IPsec: static routes (which you used) and BGP. It doesn't magically work. In any case, ASUSWRT doesn't support BGP, and for such a tiny network static routes are the best option anyway.

Side note: For production high availability setups like GCP HA-VPN, BGP is a must, as it is used to divert the traffic from one tunnel to another upon failure.
 
