Site To Site Auto or Manual IPSec not working
I have 1 ER7206 Routers. We are connecting 2 branch offices by VPN with very fast/high bandwidth connections at each.
Each branch office will connect to 1 main ER7206.
Each router is connected to the internet both router being BT Smarthub 2 and provides connections to the LAN normally.
We are using the omada hardware controller linked to ER7206 and linked to the Omada Cloud.
The routers are also connected and adopted and configured with the following subnets.
Main Branch 192.168.1.0/24
Remote site 192.168.3.0/24
We created an Auto IPsec connection for "Remote Site" using the omada interface, checked the connection was auto-created on both ends. No VPN Tunnels are active listed in the omada>insight>VPN Status menu. Even after we rebooted both routers.
We deleted the Auto IPSec entry and created a "Manual IPsec" VPN Tunnel.
We specified the remote gateways for both ends using the public IP as we have one static one and other is dynamic on each end
The manual ipsec tunnel used the following settings for each end:
Site to site VPN
Manual IPsec
Status - Enable
Remote gateway - Public IP
Remote Subnet - The subnet of each end i.e 192.168.0.1/24 - 192.168.3.0/24
Local Networks: all
Preshared Key: Same key on both ends.
WAN - WAN
Phase 1
Key Exchange Version - Have tried both IKEv1 and IKEv2
Proposal - SHA1-DES-DH5 on both
Negotiation Mode - Initiator on both
Negotiation Mode - When using IKEv1 we tried both Main and agressive on both
Local ID - Name: Each has unique ID or tried IP Adress
Remote ID - Name - Other ends ID that matches the Local ID or Set To IP Adress
SA Lifetime - 28800
DPD - Enable
DPD Interval - 10
Phase 2
Encasulation Mode: - Tunnel
Proposal - ESP-SHA1-AES256
PFS - None
SA Lifetime - 28800
not sure why it is not working but would love some advice on this? also rebooted the 2 routers with no success.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Change proposal to SHA-256 - AES256 - DH14 on both site, they have to match.
now you have SHA-256 - AES256 - DH14 and SHA-512 - AES256 - DH14 and that will not work
- Copy Link
- Report Inappropriate Content
The routers are also connected and adopted and configured with the following subnets.
Main Branch 192.168.1.0/24
Remote site 192.168.3.0/24
The BT Smart Hub routers will have a default LAN subnet of 192.168.1.0/24 , so unless you've changed them from the default, the Omada at the main branch will have a WAN IP (DHCP i assume from the Smart Hub) in the same subnet as its LAN. That's not going to work!
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@MR.S Hi
You can see below
Remote Site
Main Site
Another point for the NAT in the omada controller, should they be forwarded to the IP of the omada controller or the gateway?
I just changed the forwarding from the omada controller that is 192.168.1.137 to the default gateway
It's still not working after doing this
- Copy Link
- Report Inappropriate Content
Hi This has been changed Main Site BT Router Lan 192.168.0.1 TPLink Router: 192.168.1.1 Remote Site BT Router 192.168.4.0 TPLink Router: 192.168.3.1
Thanks for confirming.
Since your Omada routers are behind NAT, have you enabled the IPSEC ALG ? Its Transmission > NAT > ALG
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Do not use port NAT, delete all NAT, and try again
Yes, there's no need for any port forwarding on the 7206s, only on the BT SMart Hub s
@Stariaa However , I think you may be on a hiding to nothing with the Smart Hubs ..
Its not possible to post direct links to ther sites here but if you google 'bt smart hub 2 ipsec' , about the 3rd link down
is titled
BT Business Smart Hub 2 and DMZ'ing IPSec Traffic - Not working!
Take a read through it...
- Copy Link
- Report Inappropriate Content
I just configure same vpn.. folw this and it will work
This is site with WAN on router
and this is router bihind anoter router and have no piblic IP on WAN interface.
You dont need to do anything else to get this to work.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1777
Replies: 24
Voters 0
No one has voted for it yet.