Problem with Dead Peer Detection (DPD)
I'm in China and do Client-to-LAN connections (iPhone and Windows PC) to a ER707-M2 L2TP/IPsec server in Europe. I have to manually reconnect all the time, very annoying. Log says "DPD detection times out. IPsec connection was disconnected".
I can disable DPD in LAN-to-LAN mode but not in Client-to-LAN mode. Also have DPD as an option for IKEv2 but that works only for iPhone and not for Windows. Anyone know how I can disable DPD when in L2TP/IPsec Client-to-LAN mode?
I was a bit surprised to see Great Firewall didn't block VPN so I plan to buy TP-Link routers when I'm back in Europe and prepare a LAN-to-LAN connection. For the router in Europe I would like to have IGMP Proxy and IGMP Snooping as well. Archer BE230 has that but can two BE230 be set up as LAN-to-LAN with L2TP/IPsec? If not I assume I can use Omada ER706W but for IPTV it only has "IGMP v2/v3 Proxy, Custom Mode, Bridge Mode" so I'm not sure it will handle my IPTV subscription.
Hi @HPF
Thanks for posting in our business forum.
Before answering the question, some facts about the GFW and the experiences we had with the users who pass through the GFW.
GFW will monitor every VPN connection. It will automatically adapt, learn and recognize the VPN if it is not allowed.
If you are connecting to a server outside the GFW, it is likely to be blocked after some time. It'd work for some time but will eventually be terminated if it is not licensed by the government. The Chinese government issues and authorizes VPN connections and will not block those. Any person or organization should apply for an international connection, especially for VPN usage.
We are not able to resolve this issue or masquerade the VPN tunnel as the pattern is obvious anyway. Even if you can connect now, it does not mean you will in the future. We are not able to provide any guarantee or suggestions for passing through the GFW. And we cannot guarantee the product will suit the VPN use case involving GFW as this product is not targeted at the Chinese market.
DPD seems to be a feature of your client, not of the router (server) side.
@Clive_A It will not disconnect as long as I work so I don't think it's GFW but DPD. iPhone will disconnect after maybe 5 minutes of inactivity. Windows PC takes longer, maybe as much as 15 minutes. The error log is on the server side in Europe. I do not get any alerts on client side (China).
Same problem here probably outside GFW.
https://community.tp-link.com/en/business/forum/topic/608624
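The observation above (the tunnel survives while it is in use but drops after 5 to 15 minutes of idleness, with the error logged only on the server) matches how IKE Dead Peer Detection works: the server sends an R-U-THERE probe only after a period of silence from the peer, and declares the peer dead only when several probes in a row go unanswered. The following simulation is an added example, not TP-Link/Omada code and not anything posted in this thread; the 30 s idle interval, 10 s probe timeout, three retries and 1 s round-trip are assumed values, and the client traces are constructed.

```python
"""Minimal server-side model of IKE Dead Peer Detection (RFC 3706).

Added example; not Omada/TP-Link code. All timer values are assumptions
chosen to make the three outcomes easy to see.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdMonitor:
    interval: float = 30.0      # seconds of peer silence before an R-U-THERE is sent (assumed)
    timeout: float = 10.0       # seconds to wait for R-U-THERE-ACK before retrying (assumed)
    max_retries: int = 3        # unanswered probes in a row before the SA is declared dead (assumed)
    last_heard: float = 0.0     # time of the last authenticated packet from the peer
    probe_sent_at: Optional[float] = None
    retries: int = 0
    dead_at: Optional[float] = None
    probes_sent: List[float] = field(default_factory=list)

    def inbound(self, t: float) -> None:
        """Any authenticated packet from the peer (data or an ACK) proves liveness
        and cancels an outstanding probe; this is why active tunnels are never torn down."""
        self.last_heard = t
        self.probe_sent_at = None
        self.retries = 0

    def tick(self, t: float) -> bool:
        """Run by the server's timer. Returns True once the peer is considered dead."""
        if self.dead_at is not None:
            return True
        if self.probe_sent_at is None:
            # Silence alone is not fatal: it only triggers a probe.
            if t - self.last_heard >= self.interval:
                self.probe_sent_at = t
                self.probes_sent.append(t)
        elif t - self.probe_sent_at >= self.timeout:
            # Probe went unanswered: retry, or give up after max_retries.
            self.retries += 1
            if self.retries >= self.max_retries:
                self.dead_at = t          # "DPD detection times out" is logged here
                return True
            self.probe_sent_at = t
            self.probes_sent.append(t)
        return False


def simulate(client_data_times, client_awake_until: float,
             duration: float = 1200.0, step: float = 1.0) -> DpdMonitor:
    """Drive a DpdMonitor with a constructed client trace.

    client_data_times: times at which the client sends data through the tunnel.
    client_awake_until: the client answers R-U-THERE probes only before this time
                        (a sleeping phone or an expired NAT mapping stops answering).
    """
    monitor = DpdMonitor()
    data = sorted(client_data_times)
    pending_ack: Optional[float] = None
    t = 0.0
    while t <= duration:
        if pending_ack is not None and t >= pending_ack:
            monitor.inbound(t)            # R-U-THERE-ACK arrives
            pending_ack = None
        while data and data[0] <= t:
            monitor.inbound(data.pop(0))  # ordinary tunnel traffic
        probes_before = len(monitor.probes_sent)
        if monitor.tick(t):
            return monitor
        if len(monitor.probes_sent) > probes_before and t < client_awake_until:
            pending_ack = t + 1.0         # assumed 1 s round-trip for the ACK
        t += step
    return monitor


def active_then_asleep() -> DpdMonitor:
    """Traffic every 20 s for 5 minutes, then the client goes silent and stops answering."""
    return simulate(range(0, 301, 20), client_awake_until=300.0)


def idle_but_reachable() -> DpdMonitor:
    """No user traffic after t=0, but the client still answers every probe."""
    return simulate([0], client_awake_until=float("inf"), duration=600.0)


def keepalive_traffic() -> DpdMonitor:
    """A periodic ping across the tunnel every 20 s; the server never needs to probe."""
    return simulate(range(0, 1201, 20), client_awake_until=300.0)


if __name__ == "__main__":
    for name, fn in [("active then asleep", active_then_asleep),
                     ("idle but reachable", idle_but_reachable),
                     ("keepalive traffic", keepalive_traffic)]:
        m = fn()
        print(f"{name}: probes={len(m.probes_sent)} dead_at={m.dead_at}")
```

The three traces separate the cases the thread mixes together. A client that keeps sending traffic is never probed at all. An idle client that still answers probes stays connected indefinitely, so idleness by itself does not trip DPD. A client that stops answering (a phone that has gone to sleep, or a NAT mapping at the Chinese side that has expired) is torn down after interval + retries × timeout seconds of silence, which is exactly the server-side "DPD detection times out" log line with no error visible on the client. When the server's DPD settings cannot be changed, keeping a little traffic flowing through the tunnel from the client side is the practical way to stay out of the third case.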
Hi @HPF
Thanks for posting in our business forum.
HPF wrote
@Clive_A It will not disconnect as long as I work so I don't think it's GFW but DPD. iPhone will disconnect after maybe 5 minutes of inactivity. Windows PC takes longer, maybe as much as 15 minutes. The error log is on the server side in Europe. I do not get any alerts on client side (China).
Same problem here probably outside GFW.
https://community.tp-link.com/en/business/forum/topic/608624
For the GFW, I am stating the disclaimer. If there is a further issue down the road, we are not able to provide help on the unknown disconnection. You won't be getting any logs or errors on the client side (inside China). It is either the server's no response, or the connection suddenly disconnects (due to the server's no response).
So is it IPsec or L2TP over IPsec?
You have this option if you are an IPsec server.
With L2TP over IPsec, you don't have the option to configure any of the IPsec-related settings as they are preset.
@HPF It's "L2TP over IPsec". I tried IPsec and configured IKE parameters but the Windows PC wouldn't connect.
If I set up a LAN-to-LAN connection (Europe-China) using two Omada routers can I use "L2TP over IPsec" and if yes, will I still have the DPD problem? The L2TP over IPsec works really nice, it's fast and I don't share public IP with hundreds (if not thousands) of others.
Hi @HPF
Thanks for posting in our business forum.
HPF wrote
@HPF It's "L2TP over IPsec". I tried IPsec and configured IKE parameters but the Windows PC wouldn't connect.
If I set up a LAN-to-LAN connection (Europe-China) using two Omada routers can I use "L2TP over IPsec" and if yes, will I still have the DPD problem? The L2TP over IPsec works really nice, it's fast and I don't share public IP with hundreds (if not thousands) of others.
If you are going to set up the LAN-to-LAN, use IPsec instead of L2TP over IPsec.
DPD can be customized on the IPsec VPN and it is the best type to create a Site-to-Site.
As long as it is L2TP over IPsec, the IPsec-related settings are preset and cannot be modified.
@HPF OK, I'll have to test if IPsec works. I was surprised to see L2TP/IPsec worked. Hope IPsec works just as well. Thanks for the help.
@Clive_A BTW, one more thing. In LAN-to-LAN mode, L2TP over IPsec, is DPD enabled? If it is how will the routers reconnect?
Hi @HPF
Thanks for posting in our business forum.
HPF wrote
@Clive_A BTW, one more thing. In LAN-to-LAN mode, L2TP over IPsec, is DPD enabled? If it is how will the routers reconnect?
I think it is enabled like the IPsec one, which is enabled by default. But this cannot be changed, as the reason remains the same as in the previous reply.
In L2TP, there is no initiator and responder configuration. But it uses IPsec as the encryption for the tunnel. So, some parameters would remain the same as for IPsec.
When you set both IPsec sites as the initiator, it'd work fine, too. So, it doesn't pose a problem. I believe both are initiators if they are in L2TP (over IPsec). When the SA time is reached, they'll reestablish or maintain the tunnel.