Problem with IKEv2 for Site2Site VPN?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-11-08 02:24:34 - last edited 2023-11-16 00:48:35
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

I'm having an issue with S2S VPN on this unit. I currently have this set up with a Meraki peer, via IKEv1.

The problem is on the Meraki device: using IKEv1, it doesn't support using an FQDN (I'm using NO-IP), and I often have to change this manually for it to keep working.

IKEv2 supports FQDN on the Meraki device.

So I've switched both sides to IKEv2 (and made NO OTHER changes) and the S2S VPN no longer connects. If I switch both sides back to IKEv1, we're back in business: the VPN connects as soon as I try to ping from the TP-Link to the Meraki device.

 

Is there a known issue here, or something additional that I need to change?

My setup is below.

 

Thanks

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-08 07:06:06

Hi @words 

Thanks for posting in our business forum.

I cannot rule out the possibility that this is a config issue if you don't paste the config of the other site.

I have not seen any problem notifications about IKEv2 recently.

Best Regards!

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-09 03:57:53

Oops, yes, I should have posted the Meraki side. Here you are.

Basically, I'm not changing any of these, just changing from IKE1 to IKE2 on both sides. Once I do this, the VPN tunnel no longer connects.

 

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-09 09:02:40

Hi @words 

Thanks for posting in our business forum.

Port mirroring and Wireshark. Need to see the negotiation.

 

How to capture packets using Wireshark on SMB router or switch

How to Use Port Mirror to Capture Packets in the Controller

Best Regards!

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-10 14:32:04

@Clive_A the thing is, it doesn't even try to connect. I check the log on both sides when I switch to IKEv2 and nothing, no attempts made.

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-13 01:14:43

Hi @words 

Thanks for posting in our business forum.

For real? Did you verify this with Wireshark? If I don't have any details from you, just a single line saying it does not work, I don't really have a clue or suggestion for you.

I cannot send a single line to the dev and ask them in this way. This is not proper and wastes their time.

The fact should be that, regardless of compatibility or any other possible reasons, IPsec should initiate anyway. Have you verified that it does not even send the very first IPsec packet?

Best Regards!

Re:Problem with IKEv2 for Site2Site VPN?-Solution
2023-11-15 01:39:17 - last edited 2023-11-15 20:25:47

Hi @words 

Thanks for posting in our business forum.

Please set the PRF as the Authentication - SHA1, and give it another try. It is a configuration issue confirmed by the test team.

Best Regards!
Recommended Solution

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-15 20:25:41

  @Clive_A thank you, this fixed the issue.

Is this an error in the particular firmware I'm using or in general?

Re:Problem with IKEv2 for Site2Site VPN?
2023-11-16 00:47:43

Hi @words 

Thanks for posting in our business forum.

words wrote

  @Clive_A thank you, this fixed the issue.

Is this an error in the particular firmware I'm using or in general?

Omada shares the same concept in VPN configuration. So, it should be a generic problem with the Meraki. Not sure how the Meraki system works, but it seems the test team found out with Wireshark that Phase 1 did not get through. So, usually, it is a key exchange issue.

 

Best Regards!
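
Added example, not part of the original thread and not TP-Link or Meraki code: the accepted solution (set the PRF to SHA1) and the last reply (Phase 1 did not get through) both come down to IKEv2 negotiating the PRF as its own transform type in the IKE_SA_INIT proposal, so a single PRF mismatch rejects the whole proposal. The sketch below parses a Proposal substructure as laid out in RFC 7296 section 3.3 and applies the responder rule for a non-AEAD IKE SA; the function names and the RESPONDER, BEFORE and AFTER values are constructed for illustration and are not the configurations from this thread.

```python
import struct

# IANA IKEv2 transform types (RFC 7296 section 3.3.2) for a non-AEAD IKE SA.
TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NO_PROPOSAL_CHOSEN = 14  # Notify error type for an unacceptable proposal


def transform(ttype, tid, last=False, attrs=b""):
    """Encode one Transform substructure (used to build the constructed samples)."""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def proposal(transforms):
    """Encode a single IKE proposal (protocol ID 1, no SPI) around the transforms."""
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(transforms)) + body


def parse_proposal(data):
    """Return {transform type: [transform IDs]} from a Proposal substructure."""
    _, _, length, _, _, spi_size, count = struct.unpack_from("!BBHBBBB", data)
    offset, found = 8 + spi_size, {}
    for _ in range(count):
        _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, offset)
        if tlen < 8 or offset + tlen > length:
            raise ValueError("malformed transform substructure")
        found.setdefault(ttype, []).append(tid)
        offset += tlen  # skips any attributes, e.g. the AES key length
    return found


def respond(offer_bytes, policy):
    """Responder rule: every type needs a common transform, else reject everything."""
    offer = parse_proposal(offer_bytes)
    for ttype, name in TYPES.items():
        if not set(offer.get(ttype, [])) & set(policy.get(ttype, [])):
            return NO_PROPOSAL_CHOSEN, name
    return None, None


KEYLEN_128 = struct.pack("!HH", 0x800E, 128)  # Key Length attribute for AES
# Constructed samples (assumed values, not the configs from this thread):
RESPONDER = {1: [12], 2: [2], 3: [2], 4: [2]}  # AES-CBC, PRF SHA1, SHA1-96, DH 2
BEFORE = proposal([transform(1, 12, attrs=KEYLEN_128), transform(2, 5),
                   transform(3, 2), transform(4, 2, last=True)])  # PRF SHA2-256
AFTER = proposal([transform(1, 12, attrs=KEYLEN_128), transform(2, 2),
                  transform(3, 2), transform(4, 2, last=True)])   # PRF SHA1
```

Calling respond(BEFORE, RESPONDER) reports the PRF as the failing transform type even though encryption, integrity and DH group all match, while respond(AFTER, RESPONDER) is accepted.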