Problem with IKEv2 for Site2Site VPN?
I'm having an issue with S2S VPN on this unit. I currently have this set up with a Meraki peer, via IKEv1.
The problem is on the Meraki device: using IKEv1, it doesn't support using an FQDN (I'm using NO-IP), and I often have to change this manually for it to keep working.
IKEv2 supports FQDN on Meraki device.
So I've switched both sides to IKEv2 (and made NO OTHER changes) and the S2S VPN no longer connects. If I switch both sides back to IKEv1, we're back in business; the VPN connects as soon as I try to ping from the TP-Link to the Meraki device.
Is there a known issue here, or something additional that I need to change?
My setup is below.
Thanks
Hi @words
Thanks for posting in our business forum.
Please set the PRF the same as the Authentication (SHA1) and give it another try. It is a configuration issue confirmed by the test team.
Hi @words
Thanks for posting in our business forum.
I cannot rule out the possibility that this is a config issue if you don't paste the config of the other site.
I have not seen problem reports about IKEv2 recently.
Oops, yes, I should have posted the Meraki side; here you are.
Basically, I'm not changing any of these, just changing from IKEv1 to IKEv2 on both sides. Once I do this, the VPN tunnel no longer connects.
Hi @words
Thanks for posting in our business forum.
Port mirroring and Wireshark. We need to see the negotiation.
How to capture packets using Wireshark on SMB router or switch
@Clive_A the thing is, it doesn't even try to connect. I checked the log on both sides when I switched to IKEv2 and nothing, no attempts made.
Hi @words
Thanks for posting in our business forum.
For real? Did you verify this with Wireshark? If I don't have any details from you, just a single line saying it does not work, I don't really have a clue or a suggestion for you.
I cannot send a single line to the dev and ask them in this way. This is not proper and wastes their time.
The fact should be that, regardless of compatibility or any other possible reasons, IPsec should initiate anyway. Have you verified that it does not even send the very first IPsec packet?
@Clive_A thank you, this fixed the issue.
Is this an error in the particular firmware I'm using or in general?
Hi @words
Thanks for posting in our business forum.
words wrote:
> @Clive_A thank you, this fixed the issue.
> Is this an error in the particular firmware I'm using or in general?
Omada shares the same concept in VPN configuration, so it should be a generic problem with the Meraki. I'm not sure how the Meraki system works, but it seems the test team's Wireshark capture found that Phase 1 did not get through. So, usually, it is a key exchange issue.
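The transform-matching step behind the PRF fix, as an added illustration that is not from this thread or from either vendor: an IKEv2 responder must pick one transform of every type (encryption, PRF, integrity, DH group), so a PRF mismatch alone is enough to leave the IKE SA (Phase 1) un-established even when everything else matches. The algorithm sets below are constructed sample values, not the actual defaults of Omada or Meraki firmware.

```python
"""Simulate IKEv2 IKE_SA_INIT proposal matching (RFC 7296, section 3.3).

Constructed example: the transform sets are illustrative only; they are
not the real defaults of any Omada or Meraki release.
"""
from typing import Dict, List, Set

# An IKE SA proposal: for each transform type, the algorithms a peer accepts.
Proposal = Dict[str, Set[str]]

# IKEv2 requires a choice for every one of these types for an IKE SA.
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def negotiate(initiator: Proposal, responder: Proposal) -> Dict[str, object]:
    """Return the responder's pick, or the transform types with no overlap.

    If any type has an empty intersection the responder answers
    NO_PROPOSAL_CHOSEN and no IKE SA is created, so the tunnel never
    reaches child SA (Phase 2) negotiation at all.
    """
    chosen: Dict[str, str] = {}
    missing: List[str] = []
    for ttype in TRANSFORM_TYPES:
        common = initiator.get(ttype, set()) & responder.get(ttype, set())
        if common:
            chosen[ttype] = sorted(common)[0]  # deterministic pick for the demo
        else:
            missing.append(ttype)
    if missing:
        return {"ok": False, "no_overlap": missing}
    return {"ok": True, "chosen": chosen}


def prf_matches_integrity(proposal: Proposal) -> bool:
    """Configuration lint: the thread's fix was PRF == Authentication (SHA1)."""
    return proposal["PRF"] == proposal["INTEG"]


# Constructed sample configurations (not vendor defaults).
MERAKI = {"ENCR": {"AES-256"}, "PRF": {"SHA1"}, "INTEG": {"SHA1"}, "DH": {"14"}}
OMADA_BEFORE = {"ENCR": {"AES-256"}, "PRF": {"SHA256"}, "INTEG": {"SHA1"}, "DH": {"14"}}
OMADA_AFTER = {**OMADA_BEFORE, "PRF": {"SHA1"}}  # PRF aligned with Authentication

if __name__ == "__main__":
    print("before fix:", negotiate(OMADA_BEFORE, MERAKI))
    print("after fix: ", negotiate(OMADA_AFTER, MERAKI))
```

In a capture, the failing case shows the IKE_SA_INIT request answered with a NO_PROPOSAL_CHOSEN notify rather than a key exchange, which is the "Phase 1 did not get through" symptom described above.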