ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-16 19:35:36 - last edited 2022-11-16 19:39:35
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.1

After recently upgrading to the latest version of Android, I have now been forced to use IPSec IKEv2.

 

I've tried setting this up via the Omada controller with an ER605 in accordance with this help page: https://www.tp-link.com/uk/support/faq/3447/ - however, the connection does not function when I enter Remote ID type. 

 

Instead, I've tried keeping both Local and Remote ID types to "IP address" - and the VPN successfully connects, however I cannot access either local resources or internet resources via the VPN.

 

So I can connect to the ER605 via the VPN, the Omada log shows a successful connection, my Android device shows "connected" with the VPN local IP address assigned as below - but I cannot access any websites or resources when connected.

 

Has this happened to anyone else? Or could TP Link support help with this please? 

 

My configuration is currently:

 

Omada:

 

Client-to-site VPN

VPN Server - IPSec

Remote Host - 0.0.0.0

Local Networks: VLAN40 (this has subnet 192.168.40.0)

Pre-Shared Key: [Password]

WAN: WAN

IP Pool: 192.168.40.10/32 (i.e. the VPN device always has 192.168.40.10 as its IP address).

 

Key Exchange: IKEv2

Proposal: Default

Negotiation Mode: Responder

Local ID Type: IP Address

Remote ID Type: IP Address

 

SA Lifetime: Default

DPD & Interval: Default

 

All Phase-2 settings: Default

 

Android Device

 

Type: IKEv2/ IPSec PSK

Server address: WAN address of ER605

IPSec identifier: WAN address of ER605 (note: the VPN does not connect if this is blank, but does connect when it is filled in, even without ID types set in Omada)

Pre-Shared Key: [Password]

  0      
  0      
#1
Options
10 Reply
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-17 12:13:09

  @andy1102 

 

It is recommended to change the subnet mask of the VPN IP pool to something smaller, like 27 or 24, as it is necessary to use the virtual IP when setting up a VPN, and limiting the IP pool to a specific IP may cause problems.

Just striving to develop myself while helping others.
  0  
  0  
#2
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-17 12:28:30 - last edited 2022-11-17 13:06:49

  @Virgo 

 

Hi, thanks for the reply.

 

I've tried changing the subnet to 192.168.40.0/24 and a completely different subnet and I still have the same issues unfortunately.

 

My device does connect and have an IP address assigned fine, it's just the network connectivity isn't there.

 

I had a set up identical to this for the old LT2P server and it worked no issue, I didn't have to add any ACL, NAT or routing rules, just assigned the VPN a VLAN and an IP address and it worked fine.

  0  
  0  
#3
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-18 06:21:55

  @andy1102 

 

1. Was the VPN Tunnel established successfully?
2. Are all devices unable to remotely access within the LAN or only specific devices?
3. If you use this VPN Client to Ping to the LAN IP of the router, can it ping through?
4. It is recommended to check whether the device's firewall is restricting access to data. The Windows firewall will filter data from non-identical subnets by default, so you can turn off the firewall or set the VPN IP to the same network segment

Just striving to develop myself while helping others.
  0  
  0  
#4
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-18 14:04:17

  @Virgo 

 

Thanks for your continued assistance witn this!

 

1. Was the VPN Tunnel established successfully?

 

I believe so - my device obtained a VPN IP address I'd set in Omada which corresponded with the VLAN. I also had a Omada log saying the IPSec connection had been successfully established.

 

2. Are all devices unable to remotely access within the LAN or only specific devices?

 

I've tried only an Android device as Windows does not support IKEv2 IPSec PSK VPNs.

 

3. If you use this VPN Client to Ping to the LAN IP of the router, can it ping through?

 

It can't ping any devices or network addresses.

 

4. It is recommended to check whether the device's firewall is restricting access to data. The Windows firewall will filter data from non-identical subnets by default, so you can turn off the firewall or set the VPN IP to the same network segment

 

I have both the device and VPN on the same network segments. This worked fine with the L2TP server I'd set up previously.

  0  
  0  
#5
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2022-11-21 06:33:43

  @andy1102 

 

It does seem like a strange problem, try using the traceroute command to check where the VPN data is going.


Did you use the gateway in standalone or controller mode?

If standalone, going to VPN----L2TP----Tunnel list, here you can check whether the tunnel extablished successfully or not.

If controller, going to Insight-----VPN Status-----check the tunnel.

Just striving to develop myself while helping others.
  0  
  0  
#6
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2023-01-07 17:08:56

I'm having the exact same problem.  I can connect on my android phone with ikev2 to the er605 but can't access the internet through the vpn.  If I plug a computer into the Lan port of the er605 I can access the internet.  Were you able to come up with a solution for this? Thanks

  0  
  0  
#7
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2023-01-07 17:19:18

  @Reddogbr 

 

Nothing unfortunately, I used OpenVPN instead.

  0  
  0  
#8
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2023-01-08 15:39:39

I think there must be something wrong in the firmware.  Tech support tells me everything is fine and they won't respond back nor take my calls anymore.  I'll try openvpn.  Are you able to have  internet access through openvpn?  Thanks

  0  
  0  
#9
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2023-01-08 21:16:01

I have it in standalone.  Never tried the controller.  Thanks

  0  
  0  
#11
Options
Re:ER605 v2.0 IPSec/ IKEv2 Client-to-Site VPN not working on Android
2023-02-14 17:35:07 - last edited 2023-02-14 17:45:11

  @andy1102 

 

I'm having issue just getting as far as connecting, for remote host if I enter 0.0.0.0 to allow connection form any IP I get the following message 

"This IPsec VPN policy has the same IP addresses settings for peer routers on the VPN tunnel as the existing one, the Pre-Shared Key should be the same."

 

If I enter any specific IP address in remote host the I can apply and the settings are saved. 

 

 

  1  
  1  
#12
Options