Site to Site via IPSec

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2014-11-28 21:20:24 - last edited 2021-08-21 04:30:50
Region : Belgium
Model : TL-R600VPN
Hardware Version : V2
Firmware Version : latest
ISP :

Hello,

I'm trying to set up a Site to Site VPN link with the following config:

1. The TL-R600VPN router is supposed to do basic routing to the ISP and give DHCP to the clients (this is done).
2. It is supposed to establish an IPSec IKE VPN link to Windows Server 2008 R2 SBS.

Here I have a problem: the router makes the phase 1 connection to the server (so I can see the established connection under Windows Firewall with Advanced Security > Monitoring > Security Associations > Main Mode).

The router fails on phase 2; I get the following error:

packet shorter than isakmp header size (5, 68, 28)

Then it tries to initiate phase 2 one more time and I get the next error message:

unknown notify message, no phase2 handle found


Has anyone tried to set up this router as a client connecting to Windows Server 2008 R2 via IPSec?


Kind Regards,
Vladimir
#1
Re:Site to Site via IPSec
2014-12-01 11:16:35 - last edited 2021-08-21 04:30:50
Please include a network diagram or more details about all devices, including NAT, port forwarding and firewall position.
Also, what are your phase 2 parameters for your TL-R600VPN? (e.g. pfs_group ?; lifetime time ? sec; encryption_algorithm ?; authentication_algorithm ?; compression_algorithm ?)
More information is always better when troubleshooting.
#2
Re:Site to Site via IPSec
2014-12-01 18:12:26 - last edited 2021-08-21 04:30:50
OK.

Site A

Internet > Modem > VPN Router > Clients

Clients can access the Internet without any issues.

Config of VPN Router:

Errors
#3
Re:Site to Site via IPSec
2014-12-01 18:15:32 - last edited 2021-08-21 04:30:50
Site B

Internet > Modem > Router > LAN with Windows Server 2008 r2 (Server IP in DMZ)


Main Mode (I understand it's phase 1 according to TP-Link)

Quick Mode (Phase 2)

Connection status of Main Mode (Phase 1)


I hope it's clearer now.


Does anyone have a suggestion?
#4
Re:Site to Site via IPSec
2014-12-02 11:39:10 - last edited 2021-08-21 04:30:50
On the TL-R600VPN IPSec Policy Settings, change PFS Group DH2 to Disabled/None and try your connection again.
#5
Re:Site to Site via IPSec
2014-12-02 17:54:52 - last edited 2021-08-21 04:30:50
I tried as you suggested.

I'm getting this after the configuration change:

Has anyone tried to connect this router via IPsec to Windows Server? :confused:
#6
Re:Site to Site via IPSec
2014-12-03 13:03:17 - last edited 2021-08-21 04:30:50
It is possible that the missing phase 2 handle is a "compression_algorithm" parameter mismatch.
In the Linux IPSec daemon the compression used is "deflate" > TL-R600VPN
In the Windows IPsec daemon the compression used is "none" > Windows Server 2008

It would also explain the error message "packet shorter than isakmp header size": it is probably shorter than expected because it was compressed at some point by the TL-R600VPN after the phase 1 negotiation completed. The above parameters are static and cannot be configured. This appears to be an incompatibility issue with the software. Only a relevant patch by the software developers can solve this incompatibility.
#7
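To make the two failure points in this thread concrete, here is an added example (not code from the thread, the router or TP-Link): it parses the 28-byte ISAKMP header that the "packet shorter than isakmp header size" check refers to, and compares the phase 2 parameter sets from reply #2 between the two peers, using the deflate/none compression and DH2/none PFS values from the thread. The cipher, hash and lifetime values are constructed placeholders, not taken from the original poster's configuration.

```python
import struct

# The ISAKMP fixed header (RFC 2408, section 3.1) is 28 bytes:
# 8-byte initiator cookie, 8-byte responder cookie, next payload (1),
# version (1), exchange type (1), flags (1), message ID (4), length (4).
ISAKMP_HEADER_LEN = 28
EXCHANGE_TYPES = {2: "identity protection (main mode)", 32: "quick mode",
                  5: "informational"}

def parse_isakmp_header(datagram: bytes) -> dict:
    """Return the header fields, or raise ValueError as an IKE daemon would.

    A UDP payload shorter than 28 bytes cannot be an ISAKMP message at all,
    which is what the "packet shorter than isakmp header size" error means.
    """
    if len(datagram) < ISAKMP_HEADER_LEN:
        raise ValueError("packet shorter than isakmp header size (%d < %d)"
                         % (len(datagram), ISAKMP_HEADER_LEN))
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", datagram[:28])
    # The length field covers the whole message and must fit what was received.
    if length < ISAKMP_HEADER_LEN or length > len(datagram):
        raise ValueError("isakmp length field %d inconsistent with %d bytes received"
                         % (length, len(datagram)))
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
            "next_payload": next_payload,
            "version": (version >> 4, version & 0x0F),   # major, minor
            "exchange": EXCHANGE_TYPES.get(exch_type, "other (%d)" % exch_type),
            "encrypted": bool(flags & 0x01),             # E bit
            "msg_id": msg_id, "length": length}

# Phase 2 parameters in the form reply #2 asks for.
PHASE2_KEYS = ("pfs_group", "lifetime", "encryption_algorithm",
               "authentication_algorithm", "compression_algorithm")

def phase2_mismatches(side_a: dict, side_b: dict) -> list:
    """List (parameter, value_a, value_b) for every phase 2 setting that differs."""
    return [(k, side_a.get(k), side_b.get(k))
            for k in PHASE2_KEYS if side_a.get(k) != side_b.get(k)]

# Constructed sample values: compression and PFS follow the thread, the rest
# (3DES, SHA1, 3600 s) are placeholders and not the poster's real settings.
ROUTER_PHASE2 = {"pfs_group": "dh2", "lifetime": 3600, "encryption_algorithm": "3des",
                 "authentication_algorithm": "sha1", "compression_algorithm": "deflate"}
WINDOWS_PHASE2 = {"pfs_group": "none", "lifetime": 3600, "encryption_algorithm": "3des",
                  "authentication_algorithm": "sha1", "compression_algorithm": "none"}

if __name__ == "__main__":
    print(phase2_mismatches(ROUTER_PHASE2, WINDOWS_PHASE2))
    try:
        parse_isakmp_header(b"\x00" * 5)   # a 5-byte datagram is rejected
    except ValueError as err:
        print(err)
```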
Re:Site to Site via IPSec
2014-12-03 17:26:41 - last edited 2021-08-21 04:30:50
Right now I'm getting confused.

Check this out. In my VPN policy I found out that PFS wasn't checked; if I do check it, it says DH2.

Moreover, if I go to change DH2 I get this selection:

Sorry for so many questions, I'm kinda new to IPSec.
#8
Re:Site to Site via IPSec
2014-12-04 00:37:53 - last edited 2021-08-21 04:30:50
The two devices are incompatible, as I described in my previous post.
Although, if you wish to enable PFS for the phase 2 negotiation, this cannot be done through the graphical user interface that you are using.
It can only be accomplished by command line.
Run the command: netsh advfirewall consec add rule name="the name you chose for your tunnel"
A printout will appear with all the parameters currently set for the phase 2 negotiation for your tunnel.
You can specify qmpfs=dhgroup2 or mainmode.

As I pointed out earlier, this will not solve the incompatibility issue between the Windows Server and the TL-R600VPN.
It will only configure your Windows Server for the PFS setting DH Group 2.
#9
Re:Site to Site via IPSec
2014-12-04 19:37:52 - last edited 2021-08-21 04:30:50
Kinda sad, since official TP-Link support said:

For your problem, maybe you can ask some suggestions from Microsoft support as they know windows server better. Sorry for that!
#10
Re:Site to Site via IPSec
2014-12-05 14:40:14 - last edited 2021-08-21 04:30:50
vladimir.sirma wrote:

> Kinda sad, since official TP-Link support said:
>
> For your problem, maybe you can ask some suggestions from Microsoft support as they know windows server better. Sorry for that!

You can contact TP-LINK why you feel sad when you are suggested to contact Microsoft...
Microsoft should be able to help on this issue...
#11