Cannot create working Site-To-Site VPN Tunnel

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-06-02 15:27:35 - last edited 2021-06-10 12:42:44
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.1.0

I have five ER7206 routers I am configuring for a client. We are connecting 4 branch offices by VPN with very fast/high-bandwidth connections at each.

Each branch office will connect to 1 main ER7206.

Each router is connected fine to the internet and provides connections to the LAN normally.

We are using the Omada software controller on a PC connected to the main ER7206 and linked to the Omada Cloud.

The routers are also connected, adopted and configured with the following subnets.

 

Main Branch   192.168.0.1/24
Remote 1      192.168.10.1/24
Remote 2      192.168.20.1/24
Remote 3      192.168.30.1/24
Remote 4      192.168.40.1/24

 

We created an Auto VPN connection for "Remote 1" using the Omada interface and checked that the connection was auto-created on both ends. No VPN tunnels are listed as active in the Omada > Insight > VPN Status menu, even after we rebooted both routers.

We deleted the Auto VPN entry and created a "Manual IPsec" VPN tunnel.

We set up a Dynamic DNS service using noip.com for each router and specified the remote gateway as its Dynamic DNS name on each end.

The manual IPsec tunnel used the following settings for each end:

 

Site to site VPN

Manual IPsec

Status - Enable
Remote gateway - Dynamic DNS name of the opposite router
Remote Subnet - The subnet of each end, i.e. 192.168.0.0/24 - 192.168.10.0/24
Local Networks: all
Preshared Key: Same key on both ends.
WAN - WAN

Phase 1

Key Exchange Version - Have tried both IKEv1 and IKEv2
Proposal - SHA1-AES256-DH2 on both
Negotiation Mode - Initiator on both
Negotiation Mode - When using IKEv1 we tried both Main and Aggressive on both
Local ID - Name: Each has a unique ID
Remote ID - Name: Other end's ID, matching its Local ID
SA Lifetime - 28800
DPD - Enable
DPD Interval - 10

Phase 2

Encapsulation Mode: Tunnel
Proposal - ESP-SHA1-AES256
PFS - None
SA Lifetime - 28800

Most of these settings are the default; what are we doing wrong?

 

#1
Re:Cannot create working Site-To-Site VPN Tunnel
2021-06-02 20:00:33

@PaulFromLTS

Update: I have removed the ER7206s from Omada and am configuring them manually. They are no longer connected to Omada and are now in standalone mode.

I configured a pair of them the same as I always do with R600s and others. Still no tunnel. This is not my first time doing this same VPN setup, just not with this model.

I even did it the same as the site-to-site FAQ on TP-Link's site (using MD5-DES-DH1 in Phase 1 and ESP-MD5-DES in Phase 2). No luck.

Does site-to-site IPsec VPN even work on these routers? Anyone know? Anyone else tried this?

TIA

#2
Re:Cannot create working Site-To-Site VPN Tunnel
2021-06-02 20:13:44

@PaulFromLTS

So I have given up trying to get manual IPsec VPN set up. I am thinking that the 1.1.0 firmware update may be the issue. I am going to roll 2 of them back to 1.0.0 and see if it works.

I will post the results here.

Paul

#3
Re:Cannot create working Site-To-Site VPN Tunnel
2021-06-03 08:36:51

Dear @PaulFromLTS,

PaulFromLTS wrote:

    So I have given up trying to get manual IPsec VPN set up. I am thinking that the 1.1.0 firmware update may be the issue. I am going to roll 2 of them back to 1.0.0 and see if it works.

As far as I know, the 1.1.0 firmware doesn't change anything in the VPN part.

To better assist you, I'd like to escalate your case to the TP-Link support team, who could help you more efficiently.

They will reach you via your registered email address shortly; please pay attention to your email box later.

Once the issue is addressed or resolved, I'd encourage you to share it with the community.

Thank you so much for your cooperation and support!
#4
Re:Cannot create working Site-To-Site VPN Tunnel-Solution
2021-06-09 19:25:11 - last edited 2021-06-10 12:42:44

So I downgraded the routers to FW ver 1.0.1 on 2 of the routers. I rebooted them and reset to default afterwards.

I set them up with VPN settings the exact way I described in the first post. They connected and made a functioning tunnel. Yaay!

The only thing I did differently this time was I did not disable the SFP WAN port. On all previous attempts I unchecked SFP WAN, which makes the router reconfigure settings and reload.

I left that alone and it worked. Could there be a bug where, if the SFP WAN is unchecked, it causes VPN to fail? I don't want to try it to find out, but it seems odd.

So now I have only one issue: I cannot ping devices on the other subnet. I can ping the router at the other end but not PCs.

Any thoughts?

Paul
#5
Re:Cannot create working Site-To-Site VPN Tunnel
2021-06-09 20:10:39 - last edited 2021-06-09 20:26:41

@PaulFromLTS

Yesss. Thank you. I have had so much trouble with L2TP and PPTP connections; I have used days to figure it out.

There are so many bugs with TP-LINK routers: some days they work perfectly, some days they don't work at all. But I think this will be fixed (I hope).

But I have a lot of IPsec VPN tunnels to Cisco, Unifi and TP-LINK on my ER7206, about 30 tunnels, and it works quite well. But I want to use policy routing to route some IPs out on another location, so I started to work with L2TP and PPTP and I only have trouble. I hope this is gone now.

I also see why it did not work: SFP WAN is used for L2TP and PPTP even if there is no cable in the SFP port. I just enabled it.

So thank you for figuring it out.

I have even ordered another router to test in standalone, but it gets to be a spare router.

And about ping to the remote computer: check the computer firewall and create a firewall rule to allow the remote LAN IP net.
#6
Re:Cannot create working Site-To-Site VPN Tunnel
2021-06-10 12:35:58 - last edited 2021-06-10 12:40:30

That is great that this worked for you also. Thanks for verifying this.

As for pinging computers on another VPN-connected subnet on the ER7206: I can connect to shares and make remote desktop connections to PCs on either end of the tunnel but cannot ping.

I set up 3 TP-Link R600VPN routers with the same settings and I can ping PCs on either end of the tunnel, but not with the ER7206. Would someone post the correct settings for the rule to allow traffic from subnet 192.168.0.0/24 <==> 192.168.20.0/24?

Thanks in advance.

Paul

#7
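Added example, not from the thread or from TP-Link: one way to apply the host-firewall suggestion in the reply above (#6) on a Windows PC. Shares and RDP working while ping fails is consistent with the Windows host firewall dropping ICMPv4 echo requests from a non-local subnet, so this script allows inbound echo requests only from the two VPN subnets named in this post (192.168.0.0/24 and 192.168.20.0/24); the rule name and the firewall profiles are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on each Windows PC
# that should answer ping across the tunnel. Rule name and profiles are assumptions.
$RuleName   = 'Allow ICMPv4 Echo from site-to-site VPN'   # assumed rule name
$VpnSubnets = @('192.168.0.0/24', '192.168.20.0/24')      # subnets from the thread

$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    # Re-running the script updates the scope instead of creating a duplicate rule
    $existing | Set-NetFirewallRule -RemoteAddress $VpnSubnets -Enabled True
} else {
    $params = @{
        DisplayName   = $RuleName
        Direction     = 'Inbound'
        Protocol      = 'ICMPv4'
        IcmpType      = '8'                     # ICMP type 8 = echo request (what ping sends)
        RemoteAddress = $VpnSubnets             # scoped to the VPN subnets, not 'Any'
        Action        = 'Allow'
        Profile       = @('Domain', 'Private')  # assumption: LAN adapters are Domain/Private
        Enabled       = 'True'
    }
    New-NetFirewallRule @params | Out-Null
}

# Verify the rule is enabled and carries the intended remote scope
$rule = Get-NetFirewallRule -DisplayName $RuleName
$addr = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    RemoteAddress = ($addr.RemoteAddress -join ', ')
}
```

The same script works on PCs at both sites, since the rule allows either subnet and a host's own subnet is harmless to list. If shares and RDP work but ping still fails after this, the host firewall is not the block, and the tunnel's Local Networks setting or the router's ACLs are the next thing to check.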