2 R600VPN won't re-establish tunnel after 28800 lifetime is up.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2015-06-18 11:37:15 - last edited 2021-08-21 04:56:15
Region : UnitedStates

Model : TL-R600VPN

Hardware Version : V2

Firmware Version : 1.2.3 Build 140801 Rel.49374n

ISP : Secom Inc. and Comcast


I have a second home in the mountains that is a 3.5 hour drive from my primary residence. I have security cameras and other appliances at the mountain house that I want to access remotely. The small town ISP provides me with a fast broadband connection at the mountain house, but refuses to give me a static IP and won't open any ports to allow me to access my network remotely. So, I purchased two R600 VPN's on Amazon and followed the instructions to connect both routers using IPsec. It worked great and I drove back home. However, the following day I noticed that the tunnel was down. My two routers wouldn't reconnect after the 28800 IKE Lifetime expired. I am getting ready to make another drive to the mountain house and wanted to ask for help on what settings I can change to keep them both connected without issue. I can VNC to my home PC to configure that R600 router remotely. I cannot get into the mountain house R600 unless I am physically there since the ISP has all the ports blocked.

Here is what my log looks like now when I am trying to re-establish a connection. I can confirm that there is internet access to both routers. I am assuming I am going to have to disable and enable IPsec on the Mountain router to re-establish the tunnel since I can't get them to connect by resetting the router here. Once I do that I need to make sure they can reconnect on their own without me physically enabling/disabling the VPN on the mountain router. I saw one thread suggesting enabling DPD for a 20 second interval. Any ideas and thank you all in advance.


16 Jun 17 21:03:52 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
15 Jun 17 21:03:52 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
14 Jun 17 21:03:52 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
13 Jun 17 21:03:48 VPN ERROR phase2 negotiation failed due to time up waiting for phase1. ESP 208.123.153.130[0]->10.0.0.15[0]
12 Jun 17 21:03:48 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
11 Jun 17 21:03:48 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
10 Jun 17 21:03:48 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
9 Jun 17 21:03:47 VPN INFO ISAKMP-SA deleted 10.0.0.15[500]-208.123.153.130[500] spi:142a9915998adc76:0000000000000000
8 Jun 17 21:03:44 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
7 Jun 17 21:03:44 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
6 Jun 17 21:03:44 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
5 Jun 17 21:03:40 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
4 Jun 17 21:03:40 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
3 Jun 17 21:03:40 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
2 Jun 17 21:03:27 VPN INFO initiate new phase 1 negotiation: 10.0.0.15[500]<=>208.123.153.130[500]
1 Jun 17 21:03:25 VPN INFO IPsec enabled
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-19 15:55:16 - last edited 2021-08-21 04:56:15
I'm afraid that you need to log in to the web interface of the other R600VPN and check the system log.

I cannot get into the mountain house R600 unless I am physically there since the ISP has all the ports blocked.
How did you figure it out? Can you ping the WAN IP of the router in the mountain house from home?
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-19 16:35:46 - last edited 2021-08-21 04:56:15
Port scanner shows all blocked and the owner of my ISP confirmed to me that they block all ports for security. A ping results in a destination host unreachable. You can try as well - it's the 208 IP address in the log above. I know it's my WAN IP because I have an appliance for my weather station that uploads info to a third party cloud site that also tells me the WAN IP every 5 seconds. Address is http://www.wetmountains.us and as long as my weather station and camera are uploading then the internet's working.
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-22 04:39:09 - last edited 2021-08-21 04:56:15

brgreenwood wrote

Port scanner shows all blocked and the owner of my ISP confirmed to me that they block all ports for security. A ping results in a destination host unreachable. You can try as well - it's the 208 IP address in the log above. I know it's my WAN IP because I have an appliance for my weather station that uploads info to a third party cloud site that also tells me the WAN IP every 5 seconds. Address is http://www.wetmountains.us and as long as my weather station and camera are uploading then the internet's working.


What is the network diagram?
What is the ISP router at the mountain house?
What is the ISP router at other location?
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-22 13:04:59 - last edited 2021-08-21 04:56:15
Router A
ISP = Comcast
Network Diagram: Internet > Comcast Cablemodem > TP-LINK TL-R600VPN


Router B
ISP = http://www.dd-wireless.com/
Network Diagram: Internet > TP-LINK TL-R600VPN
The WAN IP for Router B is: 208.123.153.130. After some research, I learned that the ISP owner's kid is hosting his own website at this same IP address. http://cadenzadesigns.com/

At the request of TP-LINK tech support, I changed the lifetime to 604800, and enabled DPD on both Router A and B and used 30 as the value.


Here are the logs. This is when the tunnel was down.


Router A:
16 Jun 17 21:03:52 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
15 Jun 17 21:03:52 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
14 Jun 17 21:03:52 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
13 Jun 17 21:03:48 VPN ERROR phase2 negotiation failed due to time up waiting for phase1. ESP 208.123.153.130[0]->10.0.0.15[0]
12 Jun 17 21:03:48 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
11 Jun 17 21:03:48 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
10 Jun 17 21:03:48 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
9 Jun 17 21:03:47 VPN INFO ISAKMP-SA deleted 10.0.0.15[500]-208.123.153.130[500] spi:142a9915998adc76:0000000000000000
8 Jun 17 21:03:44 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
7 Jun 17 21:03:44 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
6 Jun 17 21:03:44 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
5 Jun 17 21:03:40 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, c81e86ce6365b5bd:b0820d66a451dfd6:00009a93
4 Jun 17 21:03:40 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
3 Jun 17 21:03:40 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
2 Jun 17 21:03:27 VPN INFO initiate new phase 1 negotiation: 10.0.0.15[500]<=>208.123.153.130[500]
1 Jun 17 21:03:25 VPN INFO IPsec enabled


Router B:
Jun 21 08:51:58 VPN ERROR 107.2.216.52 give up to get IPsec-SA due to time up to wait.
Jun 21 08:52:09 VPN INFO IPsec-SA expired: ESP/Tunnel 107.2.216.52[0]->10.10.10.50[0] spi=62492709(0x3b99025)
Jun 21 08:52:19 VPN INFO initiate new phase 2 negotiation: 10.10.10.50[4500]<=>107.2.216.52[4500]
Jun 21 08:52:19 VPN INFO NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jun 21 08:52:19 VPN ERROR none message must be encrypted
Jun 21 08:52:23 VPN ERROR none message must be encrypted
Jun 21 08:52:26 VPN ERROR none message must be encrypted
Jun 21 08:52:30 VPN ERROR none message must be encrypted
Jun 21 08:52:34 VPN ERROR none message must be encrypted
Jun 21 08:52:38 VPN ERROR 107.2.216.52 give up to get IPsec-SA due to time up to wait.
Jun 21 08:52:49 VPN INFO IPsec-SA expired: ESP/Tunnel 107.2.216.52[0]->10.10.10.50[0] spi=237962534(0xe2f0526)
Jun 21 08:52:59 VPN INFO initiate new phase 2 negotiation: 10.10.10.50[4500]<=>107.2.216.52[4500]
Jun 21 08:52:59 VPN INFO NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jun 21 08:52:59 VPN ERROR none message must be encrypted
Jun 21 08:53:03 VPN ERROR none message must be encrypted
Jun 21 08:53:06 VPN ERROR none message must be encrypted
Jun 21 08:53:10 VPN ERROR none message must be encrypted
Jun 21 08:53:14 VPN ERROR none message must be encrypted
Jun 21 08:53:18 VPN ERROR 107.2.216.52 give up to get IPsec-SA due to time up to wait.


Disabling and then Enabling IPsec on Router A did not solve the problem. Once I was able to Disable and then Enable IPsec on Router B, the tunnel came back up. Here are the logs when the tunnel came back up:


Router A:
Jun 21 09:42:54 VPN INFO IPsec enabled
Jun 21 09:42:56 VPN INFO initiate new phase 1 negotiation: 10.0.0.15[500]<=>208.123.153.130[500]
Jun 21 09:43:09 VPN INFO respond new phase 1 negotiation: 10.0.0.15[500]<=>208.123.153.130[399]
Jun 21 09:43:09 VPN INFO Selected NAT-T version: RFC 3947
Jun 21 09:43:09 VPN INFO isakmp_newcookie 2499 Get no bytes from random,try /dev/urandom.
Jun 21 09:43:09 VPN INFO isakmp_newcookie 2505 Get 16 bytes from urandom.
Jun 21 09:43:09 VPN INFO NAT detected: ME PEER
Jun 21 09:43:10 VPN INFO ISAKMP-SA established 10.0.0.15[4500]-208.123.153.130[4500] spi:cf9f8d31735890d7:7bf4e3e76a6c2544
Jun 21 09:43:11 VPN INFO respond new phase 2 negotiation: 10.0.0.15[4500]<=>208.123.153.130[4500]
Jun 21 09:43:11 VPN INFO IPsec-SA established: ESP/Tunnel 208.123.153.130[4500]->10.0.0.15[4500] spi=89888635(0x55b977b)
Jun 21 09:43:11 VPN INFO IPsec-SA established: ESP/Tunnel 10.0.0.15[4500]->208.123.153.130[4500] spi=162285816(0x9ac48f8)
Jun 21 09:43:16 VPN INFO ISAKMP-SA deleted 10.0.0.15[500]-208.123.153.130[500] spi:c24221581a0ffea0:0000000000000000
Jun 21 09:43:17 VPN ERROR phase2 negotiation failed due to time up waiting for phase1. ESP 208.123.153.130[4500]->10.0.0.15[4500]
Jun 21 09:46:39 DHCP NOTICE DHCPS:Recv REQUEST from 68:EE:96:C5:16:5A


Router B:
Jun 21 09:43:02 VPN INFO IPsec enabled
Jun 21 09:43:04 VPN INFO initiate new phase 1 negotiation: 10.10.10.50[500]<=>107.2.216.52[500]
Jun 21 09:43:04 VPN INFO Selected NAT-T version: RFC 3947
Jun 21 09:43:04 VPN INFO NAT detected: ME PEER
Jun 21 09:43:04 VPN INFO ISAKMP-SA established 10.10.10.50[4500]-107.2.216.52[4500] spi:cf9f8d31735890d7:7bf4e3e76a6c2544
Jun 21 09:43:05 VPN INFO initiate new phase 2 negotiation: 10.10.10.50[4500]<=>107.2.216.52[4500]
Jun 21 09:43:05 VPN INFO NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jun 21 09:43:06 VPN INFO IPsec-SA established: ESP/Tunnel 107.2.216.52[4500]->10.10.10.50[4500] spi=162285816(0x9ac48f8)
Jun 21 09:43:06 VPN INFO IPsec-SA established: ESP/Tunnel 10.10.10.50[4500]->107.2.216.52[4500] spi=89888635(0x55b977b)
Jun 21 09:44:43 DHCP NOTICE DHCPS:Recv REQUEST from D8:EB:97:CD:61:AC
Jun 21 09:44:43 DHCP NOTICE DHCPS:Send NAK
Jun 21 09:44:44 DHCP NOTICE DHCPS:Recv REQUEST from D8:EB:97:CD:61:5B
Jun 21 09:44:44 DHCP NOTICE DHCPS:Send NAK
Jun 21 09:44:46 DHCP NOTICE DHCPS:Recv DISCOVER from D8:EB:97:CD:61:AC
Jun 21 09:44:47 DHCP ERROR DHCPS:lease host name not found
Jun 21 09:44:47 DHCP NOTICE DHCPS:Send OFFER with ip 192.168.10.102
Jun 21 09:44:47 DHCP NOTICE DHCPS:Recv DISCOVER from D8:EB:97:CD:61:5B
Jun 21 09:44:48 DHCP ERROR DHCPS:lease host name not found
Jun 21 09:44:48 DHCP NOTICE DHCPS:Send OFFER with ip 192.168.10.104
Jun 21 09:44:48 DHCP NOTICE DHCPS:Recv REQUEST from D8:EB:97:CD:61:AC
Jun 21 09:44:48 DHCP NOTICE DHCPS:Send ACK to 192.168.10.102
Jun 21 09:44:48 DHCP NOTICE DHCPS:Recv REQUEST from D8:EB:97:CD:61:5B
Jun 21 09:44:48 DHCP NOTICE DHCPS:Send ACK to 192.168.10.104


The tunnel has been up all day and is currently still active. I will let you know if the tunnel is still connected when I get up in the morning.
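One way to triage router logs like the ones posted above, as an added example that is not part of the original posts or of TP-LINK's software: it parses the VPN syslog lines (including the row-numbered, newest-first form from the first post) and flags a tunnel that keeps failing phase 2 without re-establishing. The `diagnose` function, its `threshold`, the state names and the sample lines are assumptions made for illustration; rows are assumed to be numbered with 1 as the oldest, and unnumbered logs are assumed to be in chronological order.

```python
import re

# Syslog line as quoted in this thread, with or without the leading row index
# shown in the first post ("16 Jun 17 21:03:52 VPN ERROR ...").
LINE = re.compile(r"^\s*(?:(\d+)\s+)?([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\w+) (\w+) (.*)$")

def parse(text):
    rows = []
    for n, raw in enumerate(text.splitlines()):
        m = LINE.match(raw)
        if m and m.group(3) == "VPN":          # ignore DHCP and other modules
            order = int(m.group(1)) if m.group(1) else n
            rows.append((order, m.group(2), m.group(5)))
    return [(ts, msg) for _, ts, msg in sorted(rows)]   # oldest first

def diagnose(text, threshold=2):
    up, phase1, stalls, last = False, False, 0, None
    for ts, msg in parse(text):
        if "ISAKMP-SA established" in msg:
            phase1 = True
        elif "IPsec-SA established" in msg:
            up, stalls = True, 0
        elif "IPsec-SA expired" in msg:
            up = False
        elif "give up to get IPsec-SA" in msg or "there is no ISAKMP-SA" in msg:
            up, stalls, last = False, stalls + 1, ts   # phase 2 timed out or had no phase 1 SA
    state = "up" if up else "stalled" if stalls >= threshold else "negotiating"
    return {"state": state, "stalls": stalls, "phase1_seen": phase1, "last_stall": last}

# Constructed samples in the thread's log format (documentation addresses, dummy SPIs).
STUCK = """\
Jun 21 08:52:19 VPN INFO initiate new phase 2 negotiation: 10.10.10.50[4500]<=>198.51.100.7[4500]
Jun 21 08:52:19 VPN ERROR none message must be encrypted
Jun 21 08:52:38 VPN ERROR 198.51.100.7 give up to get IPsec-SA due to time up to wait.
Jun 21 08:52:59 VPN INFO initiate new phase 2 negotiation: 10.10.10.50[4500]<=>198.51.100.7[4500]
Jun 21 08:53:18 VPN ERROR 198.51.100.7 give up to get IPsec-SA due to time up to wait.
"""
UP = """\
Jun 21 09:43:04 VPN INFO ISAKMP-SA established 10.10.10.50[4500]-198.51.100.7[4500] spi:aaaa:bbbb
Jun 21 09:43:06 VPN INFO IPsec-SA established: ESP/Tunnel 198.51.100.7[4500]->10.10.10.50[4500] spi=1(0x1)
Jun 21 09:44:43 DHCP NOTICE DHCPS:Send NAK
"""
INDEXED = """\
3 Jun 17 21:03:44 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, aaaa:bbbb:0001
2 Jun 17 21:03:40 VPN ERROR can't start the quick mode, there is no ISAKMP-SA, aaaa:bbbb:0001
1 Jun 17 21:03:25 VPN INFO IPsec enabled
"""
if __name__ == "__main__":
    print(diagnose(STUCK), diagnose(UP), diagnose(INDEXED), sep="\n")
```

A "stalled" result with `phase1_seen` false matches the down-state logs in this thread, where phase 2 is retried but no ISAKMP-SA is established in the same window.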
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-22 21:01:29 - last edited 2021-08-21 04:56:15
The tunnel is still up. It did not go down overnight.
Re:2 R600VPN won't re-establish tunnel after 28800 lifetime is up.
2015-06-23 13:04:38 - last edited 2021-08-21 04:56:15

brgreenwood wrote

The tunnel is still up. It did not go down overnight.

If you have NAT between the two routers it's only a matter of time before the tunnel dies on IKE negotiation. You can send me a private message when it does.