<
Routers
Site to Site via IPSec
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Site to Site via IPSec
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
2014-11-28 21:20:24 - last edited 2021-08-21 04:30:50
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Site to Site via IPSec
2014-11-28 21:20:24 - last edited 2021-08-21 04:30:50
Tags:
Region : Belgium
Model : TL-R600VPN
Hardware Version : V2
Firmware Version : latest
ISP :
Hello,
I trying to setup Site to Site VPN link with following config
1. TL-R600VPN router suppose to do basic routing to ISP and give DHCP to the client (it's done)
2. It suppose to establing IPSec IKE vpn link to Windows Server 2008 r2 SBS
Here I have a problem, since router makes phase 1 connection to the server (so I can see establishing connection under Windows Firewall with advanced security > Monitoring> Security Associations > Main Mode
Router fails on phase 2 i got following errors:
packet shorter than isakmp header size (5, 68, 28)
than he tries to initiate phase 2 one more time and I get next error message
unknown notify message, no phase2 handle found
Anyone tried to setup this router as a client which connecting to windows server 2008 r2 via IPSec?
Kind Regards,
Vladimir
Model : TL-R600VPN
Hardware Version : V2
Firmware Version : latest
ISP :
Hello,
I trying to setup Site to Site VPN link with following config
1. TL-R600VPN router suppose to do basic routing to ISP and give DHCP to the client (it's done)
2. It suppose to establing IPSec IKE vpn link to Windows Server 2008 r2 SBS
Here I have a problem, since router makes phase 1 connection to the server (so I can see establishing connection under Windows Firewall with advanced security > Monitoring> Security Associations > Main Mode
Router fails on phase 2 i got following errors:
packet shorter than isakmp header size (5, 68, 28)
than he tries to initiate phase 2 one more time and I get next error message
unknown notify message, no phase2 handle found
Anyone tried to setup this router as a client which connecting to windows server 2008 r2 via IPSec?
Kind Regards,
Vladimir
#1
Options
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thread Manage
Announcement Manage
10 Reply
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:Site to Site via IPSec
2014-12-01 11:16:35 - last edited 2021-08-21 04:30:50
Please include network diagram or more details about all devices including NAT, port forwarding and firewall position.
Also what is your phase 2 parameters for your TL-R600VPN? (ex.pfs_group ?; lifetime time ? sec; encryption_algorithm ? ; authentication_algorithm ?; compression_algorithm ?)
More information is always better when troubleshooting.
Also what is your phase 2 parameters for your TL-R600VPN? (ex.pfs_group ?; lifetime time ? sec; encryption_algorithm ? ; authentication_algorithm ?; compression_algorithm ?)
More information is always better when troubleshooting.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#2
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Re:Site to Site via IPSec
2014-12-01 18:12:26 - last edited 2021-08-21 04:30:50
ok
Site A
Internet > Modem > VPN Router > Clients
Clients can access Internet without any issues
Config of VPN Router:
Errors
Site A
Internet > Modem > VPN Router > Clients
Clients can access Internet without any issues
Config of VPN Router:
Errors
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#3
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Re:Site to Site via IPSec
2014-12-01 18:15:32 - last edited 2021-08-21 04:30:50
Site B
Internet > Modem > Router > LAN with Windows Server 2008 r2 (Server IP in DMZ)
Main Mode (I understand it's phase 1 according by TP link)
Quick Mode (Phase 2)
Connection status of Main Mode (Phase 1)
I hope it's now more clear
Anyone a suggestion?
Internet > Modem > Router > LAN with Windows Server 2008 r2 (Server IP in DMZ)
Main Mode (I understand it's phase 1 according by TP link)
Quick Mode (Phase 2)
Connection status of Main Mode (Phase 1)
I hope it's now more clear
Anyone a suggestion?
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#4
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:Site to Site via IPSec
2014-12-02 11:39:10 - last edited 2021-08-21 04:30:50
On the TL-R600VPN IPSec Policy Settings
Change PFS Group DH2 to Disabled/None and try your connection again.
Change PFS Group DH2 to Disabled/None and try your connection again.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#5
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Re:Site to Site via IPSec
2014-12-02 17:54:52 - last edited 2021-08-21 04:30:50
I tried as you suggested
getting this after configuration changed
any tried to connect this router via IPsec to windows server? :confused:
getting this after configuration changed
any tried to connect this router via IPsec to windows server? :confused:
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#6
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:Site to Site via IPSec
2014-12-03 13:03:17 - last edited 2021-08-21 04:30:50
It is possible that the phase 2 handler that is missing is a "compression_algorithm" parameter mismatch.
In the Linux IPSec daemon the compression used is "deflate" > TL-R600VPN
In the Windows IPsec daemon the compression used is "none" > Windows Server 2008
It would also explain the error messages, "packet shorter than isakmp header size" > It is probably shorter than expected because it was compressed at some point by the TL-R600VPN after the PHASE 1 negotiation completed. The above parameters are static and cannot be configured. This appears to be an incompatibility issue with the software. Only a relevant patch by the software developers can solve this incompatibility.
In the Linux IPSec daemon the compression used is "deflate" > TL-R600VPN
In the Windows IPsec daemon the compression used is "none" > Windows Server 2008
It would also explain the error messages, "packet shorter than isakmp header size" > It is probably shorter than expected because it was compressed at some point by the TL-R600VPN after the PHASE 1 negotiation completed. The above parameters are static and cannot be configured. This appears to be an incompatibility issue with the software. Only a relevant patch by the software developers can solve this incompatibility.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#7
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Re:Site to Site via IPSec
2014-12-03 17:26:41 - last edited 2021-08-21 04:30:50
right now i'm getting confused
check this out. In my VPN policy i find out that that PFS wasn't checked, if I do check it does says that DH2.
Moreover if I go to change DH2 i got this selection
Sorry for so many questions, I kinda new with IPSec.
check this out. In my VPN policy i find out that that PFS wasn't checked, if I do check it does says that DH2.
Moreover if I go to change DH2 i got this selection
Sorry for so many questions, I kinda new with IPSec.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#8
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 106
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2014-11-22
Re:Site to Site via IPSec
2014-12-04 00:37:53 - last edited 2021-08-21 04:30:50
The two devices are incompatible as I described in my previous post.
Although, if you wish to enable PFS for the phase 2 negotiation. This cannot be done through the graphical user interface that you are using.
It can only be accomplished by command line.
Run command, netsh advfirewall consec add rule name=" the name you chose for your tunnel"
A print out will apear with all the parameters currently set for phase 2 negotiation for your tunnel.
You can specifiy qmpfs=dhgroup2 or mainmode
Like I pointed out earlier this will not solve the incompatibility issue between the Windows Server and the TL-R600VPN.
It will only configure your Windows Server for PFS setting DH Group 2.
Although, if you wish to enable PFS for the phase 2 negotiation. This cannot be done through the graphical user interface that you are using.
It can only be accomplished by command line.
Run command, netsh advfirewall consec add rule name=" the name you chose for your tunnel"
A print out will apear with all the parameters currently set for phase 2 negotiation for your tunnel.
You can specifiy qmpfs=dhgroup2 or mainmode
Like I pointed out earlier this will not solve the incompatibility issue between the Windows Server and the TL-R600VPN.
It will only configure your Windows Server for PFS setting DH Group 2.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#9
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Re:Site to Site via IPSec
2014-12-04 19:37:52 - last edited 2021-08-21 04:30:50
Kinda sad, since official TP-Link support said:
For your problem, maybe you can ask some suggestions from Microsoft support as they know windows server better. Sorry for that!
For your problem, maybe you can ask some suggestions from Microsoft support as they know windows server better. Sorry for that!
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#10
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 926
Helpful: 19
Solutions: 1
Stories: 0
Registered: 2012-10-29
Re:Site to Site via IPSec
2014-12-05 14:40:14 - last edited 2021-08-21 04:30:50
vladimir.sirma wrote
Kinda sad, since official TP-Link support said:
For your problem, maybe you can ask some suggestions from Microsoft support as they know windows server better. Sorry for that!
You can contact TP-LINK why you feel sad when you are suggested to contact Microsoft...
Microsoft should be able to help on this issue...
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#11
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
2014-11-28 21:20:24 - last edited 2021-08-21 04:30:50
Posts: 6
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2014-11-28
Information
Helpful: 0
Views: 3396
Replies: 10
Voters 0
No one has voted for it yet.
Tags
Related Articles
Site to Site to Site
992
0
Site to site IPSec vpn
1094
5
PPTP Over Site to Site ipsec
1619
0
Report Inappropriate Content
Transfer Module
New message