CGNAT on Public IP

david64
Level 15

@rje03, I am interested in knowing the resolution. I haven't seen anyone else here using IPSec.

rje03
Level 2
I already have a VPN using a TP-Link R600 router with IPSEC.
As long as the local subnet is not using the 10.X.X.X address range it's good.
My current VPN uses the 172.X.X.X range, and it's fine.
It seems, however, that because I need to use the 10.X.X.X address range, the 2nd part of the IPSEC handshake is being routed to TPG's gateway instead of the intended VPN gateway I need to connect with.
Shaun
david64
Level 15

@rje03, I don't have any facilities to experiment with vpn. I read the setup for ipsec in the TP-Link router manual. That should translate to the setup of computer software doing the same thing.

Each end needs the wan ip address of the other end, the local subnet address and subnet mask, and the remote subnet address and subnet mask. The only restriction is that the two subnet addresses are different, e.g. 10.0.1.0 and 10.0.2.0. This allows the ipsec software to distinguish between a local or remote address. Subnet mask is 255.255.255.0 on each side. You might be able to use a 25 bit subnet mask so your address ranges are 10.0.1.0-127 and 10.0.1.128-255.

When the ipsec software sends a message to the other end, it addresses the remote wan ip, and the local router inserts its wan ip as the source ip. The payload contains the "10" address of the local device on the remote network.

All frames between each end should be using wan ip addresses (not gateway addresses) and port numbers representing the port of the ipsec endpoint.
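The subnet rule in the post above (local and remote prefixes must not overlap, and a /24 can be split into two /25s) can be checked mechanically before a tunnel is configured. The script below is an added example written for this thread, not code from the original post or from TP-Link; it uses only Python's standard `ipaddress` module. The `10.217.0.0/16` prefix in the demo call is a constructed stand-in for whatever range the ISP gateway occupies (the thread only mentions 10.217.0.0), and the function and variable names are my own.

```python
# Added example (not from the thread): check an IPsec site-to-site subnet plan
# for the overlap problems discussed above. Python stdlib only.
import ipaddress
from typing import List, Tuple


def find_overlaps(subnets: List[str]) -> List[Tuple[str, str]]:
    """Return every pair of prefixes in `subnets` that overlap.

    A site-to-site tunnel needs the local and remote LAN prefixes to be
    disjoint; otherwise the IPsec stack cannot tell a local destination
    from one that belongs on the far side of the tunnel.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                overlaps.append((str(nets[i]), str(nets[j])))
    return overlaps


def split_in_two(prefix: str) -> Tuple[str, str]:
    """Split a prefix into two halves, e.g. 10.0.1.0/24 -> 10.0.1.0/25 and
    10.0.1.128/25 (the 25-bit mask arrangement suggested in the post)."""
    net = ipaddress.ip_network(prefix, strict=False)
    lower, upper = net.subnets(prefixlen_diff=1)
    return str(lower), str(upper)


def plan_is_usable(local: str, remote: str, reserved: List[str]) -> Tuple[bool, List[str]]:
    """Validate a tunnel plan.

    local / remote: the two LAN prefixes the tunnel will carry.
    reserved: prefixes already in use on the path (e.g. an ISP gateway range)
              that neither side of the tunnel may reuse.
    Returns (ok, list of human-readable problems).
    """
    problems = []
    for a, b in find_overlaps([local, remote]):
        problems.append(f"local/remote overlap: {a} and {b}")
    for r in reserved:
        for a, b in find_overlaps([local, r]):
            problems.append(f"local prefix {a} collides with reserved {b}")
        for a, b in find_overlaps([remote, r]):
            problems.append(f"remote prefix {a} collides with reserved {b}")
    return (len(problems) == 0, problems)


if __name__ == "__main__":
    # The two disjoint /24s from the post: usable.
    print(plan_is_usable("10.0.1.0/24", "10.0.2.0/24", []))
    # Splitting one /24 into two /25s also gives disjoint halves.
    print(split_in_two("10.0.1.0/24"))
    # Constructed case: the wanted LAN sits inside a range the ISP gateway
    # already occupies (10.217.0.0/16 is a stand-in for that range).
    print(plan_is_usable("10.217.5.0/24", "10.0.2.0/24", ["10.217.0.0/16"]))
```

Run it with any local/remote prefix pair; a non-empty problem list tells you which prefix has to change before the tunnel's traffic selectors can be unambiguous.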

rje03
Level 2

We cannot use this back end range because the company we are trying to connect to is already assigning and using this subnet.

That is the issue with the below.

We need 10.217.0.0, which is currently tied up by TPG.

In regards to the WAN IP, that was option 2. We need to buy a /29, multiple public IPs within the same range.

But this costs money and I'm not sure if TPG would provide it to your line.

Shaun

 

Shane
Moderator

Hi Shaun,

Our Engineering Team confirmed that the service is not using a CGNAT.

The potential issue is that the port forwarding has not been set up correctly on the modem/router being used for the internet connection.

Regards,

Hi Support

Is my Static IP address behind the TPG CGNAT, or in front of it?

If it is behind the CGNAT can I get it placed on the outside?

Regards

Shaun

david64
Level 15

@rje03, I'm only guessing with my comments here since I've never used any vpn. Nevertheless, I don't see how the default gateway "10" address is relevant to ipsec traffic. All traffic in the external network is sent between the two wan ip addresses. Anything relating to local addresses is encapsulated.

If your local router had NAT disabled, it might send a frame with a source ip of the local address of the router or computer. "10" addresses aren't routable through the internet.

Can devices on your local 10.217 network access the internet in the normal way, without a vpn?

Regarding whatismyip.com, did it show an ip address matching the wan ip of your router?

If you want to diagnose network packets further, you could obtain a smart switch that can do port mirroring, connected between the local router and NBN box, and a computer with packet capture software. The switch is configured with a vlan that understands the vlan id, if in fact your connection uses a vlan id, and sends data on both ports of the vlan to the mirroring port.

If you want to hear from TPG, you might send another private message to the moderator.
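The whatismyip comparison in the post above, together with the earlier question of whether the static IP is "behind or in front of" CGNAT, reduces to two checks: is the address the router shows on its WAN side in a shared or private range, and does it match the address the outside world reports? The script below is an added example for this thread, not code from the original posts or from TPG; it covers IPv4 only, uses the standard `ipaddress` module, and the sample addresses in the demo (`100.70.1.2`, `203.0.113.10`) are constructed, with `203.0.113.10` taken from documentation address space. Function and variable names are my own.

```python
# Added example (not from the thread): decide from the router's WAN address and
# the externally observed address whether a connection sits behind CGNAT.
import ipaddress
from typing import Tuple

# RFC 6598 shared address space, the range ISPs use for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges (the "10" addresses discussed in the thread among them).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify(addr: str) -> str:
    """Classify an IPv4 address as 'cgnat-shared', 'rfc1918' or 'routable'.

    Note: anything outside the two non-routable groups is treated as
    routable; documentation and other reserved ranges are not screened.
    """
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_SHARED:
        return "cgnat-shared"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "routable"


def behind_cgnat(router_wan_ip: str, observed_public_ip: str) -> Tuple[bool, str]:
    """Return (behind_cgnat, reason).

    router_wan_ip: the address the router reports on its WAN/PPP interface.
    observed_public_ip: the address an external lookup service reports for
                        the same connection (the whatismyip check above).
    """
    kind = classify(router_wan_ip)
    if kind == "cgnat-shared":
        return True, "WAN address is in 100.64.0.0/10, the ISP-shared CGNAT range"
    if kind == "rfc1918":
        return True, "WAN address is RFC 1918 private, so another NAT sits upstream"
    if router_wan_ip != observed_public_ip:
        return True, "WAN address is routable but differs from what the internet sees, so it is translated upstream"
    return False, "WAN address is routable and matches the externally observed address"


if __name__ == "__main__":
    # Constructed sample values, not addresses from the thread.
    print(behind_cgnat("100.70.1.2", "203.0.113.10"))     # shared range -> behind CGNAT
    print(behind_cgnat("10.217.0.5", "203.0.113.10"))     # private WAN -> behind another NAT
    print(behind_cgnat("203.0.113.10", "203.0.113.10"))   # matches -> not behind CGNAT
```

A static IP that is "in front of" CGNAT shows up as the third case: the router's own WAN address is routable and is exactly what an external lookup returns. If the first or second case applies, inbound port forwarding on the router alone cannot work, because the translation happens at the ISP.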

rje03
Level 2

Hi David64

All good, I know you're guessing. I have a network engineer here working on it. Believe me, he's good.

Shaun