DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Can't SSH or Ping Public Servers Over VPN
- sabreur
- Topic Author
- Offline
- New Member
- Posts: 6
- Thank yous received: 0
Originally, the LAN used L2TP with IPsec policy and I could SSH to the public servers from the branch offices but on upgrading to IPsec Tunnel I am unable to do this and must use the public addresses. The triangle topology was to provide an alternative route in the event of a failure. That is not possible now.
Is this a limitation of IPsec or is it a configuration issue?
- hornbyp
- Offline
- Big Contributor
- Posts: 1323
- Thank yous received: 0
Out of curiosity, why is the swap from L2TP/IPSec to just IPSec seen as an 'upgrade'?
- sabreur
- Topic Author
- Offline
- New Member
- Posts: 6
- Thank yous received: 0
I thought IPsec was better, maybe my ignorance is showing! Do you recommend changing back?
Traceroute
To public server's local ip:
1 7 ms 2 ms 4 ms router201 [192.168.20.1]
2 52 ms 49 ms 48 ms router101 [192.168.10.1]
3 * * * Request timed out.
4 * * * Request timed out.
To any other machine:
1 2 ms 2 ms 2 ms router201 [192.168.20.1]
2 48 ms 49 ms 48 ms router101 [192.168.10.1]
3 51 ms 52 ms 51 ms lima101 [192.168.10.19]
Results are the same using hostname or ip.
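As a diagnostic aid for the two traces quoted above, here is an added example (not part of the original thread, and not DrayTek's code) that parses Windows-style tracert output and reports the hop after which the failing trace stops getting replies, compared with a working trace from the same branch. The sample input is the two listings from the post, embedded verbatim; the function names and the report fields are my own.

```python
import re

# Sample input: the two tracert listings quoted in the post above (Windows
# tracert format), embedded here so the example runs offline.
TRACE_TO_PUBLIC_SERVER = """\
1 7 ms 2 ms 4 ms router201 [192.168.20.1]
2 52 ms 49 ms 48 ms router101 [192.168.10.1]
3 * * * Request timed out.
4 * * * Request timed out.
"""

TRACE_TO_OTHER_MACHINE = """\
1 2 ms 2 ms 2 ms router201 [192.168.20.1]
2 48 ms 49 ms 48 ms router101 [192.168.10.1]
3 51 ms 52 ms 51 ms lima101 [192.168.10.19]
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl> <rest of line>"
RTT_RE = re.compile(r"<?\s*(\d+)\s*ms")            # "52 ms" or "<1 ms"
NAME_RE = re.compile(r"ms\s+([^\s\[]+)\s*\[")      # hostname just before "[addr]"
ADDR_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_tracert(text):
    """Parse tracert output into hop dicts (ttl, name, addr, rtts, responded)."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skip headers and blank lines
        ttl, rest = int(m.group(1)), m.group(2)
        rtts = [int(x) for x in RTT_RE.findall(rest)]
        name = NAME_RE.search(rest)
        addr = ADDR_RE.search(rest)
        hops.append({
            "ttl": ttl,
            "name": name.group(1) if name else None,
            "addr": addr.group(1) if addr else None,
            "rtts": rtts,
            "responded": bool(rtts),  # "* * * Request timed out." yields no RTTs
        })
    return hops


def last_responder(hops):
    """Return the last hop that answered, or None if nothing answered."""
    answered = [h for h in hops if h["responded"]]
    return answered[-1] if answered else None


def diagnose(failing, working):
    """Compare a failing trace with a working one taken from the same source.

    Returns the TTL at which the failing trace first stops answering (or
    diverges), the last hop both traces share, and what the working trace
    reached at that TTL. The shared hop is the device whose routing table
    or VPN policy for the failing destination should be inspected first.
    """
    working_by_ttl = {h["ttl"]: h for h in working}
    last_common = None
    for h in failing:
        w = working_by_ttl.get(h["ttl"])
        if h["responded"] and w and w["responded"] and h["addr"] == w["addr"]:
            last_common = h
            continue
        return {
            "break_ttl": h["ttl"],
            "last_common_addr": last_common["addr"] if last_common else None,
            "last_common_name": last_common["name"] if last_common else None,
            "working_next_hop": w["addr"] if w else None,
            "kind": "timeout" if not h["responded"] else "divergence",
        }
    return {"break_ttl": None,
            "last_common_addr": (last_common or {}).get("addr"),
            "last_common_name": (last_common or {}).get("name"),
            "working_next_hop": None, "kind": "no_break"}


if __name__ == "__main__":
    report = diagnose(parse_tracert(TRACE_TO_PUBLIC_SERVER),
                      parse_tracert(TRACE_TO_OTHER_MACHINE))
    print(f"Replies stop at TTL {report['break_ttl']} ({report['kind']}); "
          f"last hop common to both traces: {report['last_common_name']} "
          f"[{report['last_common_addr']}]; the working trace reached "
          f"{report['working_next_hop']} at that TTL.")
```

On the posted traces the report names router101 [192.168.10.1] as the last hop that answers for the public server's local address, while the same hop forwards fine to lima101; so the next thing to check is how router101 routes (or which tunnel policy it applies to) traffic for that particular destination, rather than anything on the branch side.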
- hornbyp
- Offline
- Big Contributor
- Posts: 1323
- Thank yous received: 0
sabreur wrote:
I thought IPsec was better, maybe my ignorance is showing!
I can't find any definitive evidence on the web - either way - but I've always been of the opinion that an extra layer of authentication has got to help! Doubtless, there's a performance overhead though.
Traceroute etc
I started to think about this - and realised such a topology is actually quite involved. I can think of lots of issues, gotchas and different ways of doing it - so maybe backtrack a bit...
You said it worked before, so did you just change the 'type' of VPN in an existing LAN-to-LAN profile, or did you set up new ones? Could you have missed something - especially from the "more
Likewise, are you sure you've emulated whatever was on the TP-Link?
It strikes me, that for this to work properly, some kind of Routing topology information has to be exchanged between nodes (RIP/OSPF/BGP etc). See:
I don't think triangulation of a VPN necessarily gives you much practical
Also, who dials who? Do each of the three nodes initiate (dial-out) to the other two?