IPsec site-to-site VPN fails to establish on two TL-R605/ER605

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-01-02 19:15:36
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.1.1 Build 20210723 Rel.64608

Hi folks, I'd appreciate some help here since I struggle to make any sense of what's happening.

I'm trying to set up a site-to-site IPsec tunnel. The configuration is as follows:

 

Router 1: ER605 v1, firmware 1.1.1 Build 20210723 Rel.64608, standalone (no Omada), static public IP

Router 2: TL-R605 v1, firmware 1.0.0. build 20200930 rel.36519, managed by local Omada controller, static public IP

 

On router 1 I configured an IPsec policy: initiator mode, networks and IPs are properly set, pre-shared key identical to the one on the other router.

On router 2 I configured Manual IPsec: initiator mode, IKE v1, all parameters set to the same values as on router 1, except for the remote network, obviously.

 

On router 1 the system log occasionally shows:

WAN: IKE negotiation began in initiator mode. (Mode=Main Mode, Peers=xx.xx.xx.xx<->yy.yyy.yyy.yyy)

but no other IPsec-related items, no errors whatsoever. The VPN SA list is empty.

 

In the Omada controller logs (for router 2) there are zero entries related to VPN.

Insights->VPN Status->IPsec SA list is empty

 

I tried reversing initiator/responder mode but to no effect. Is there any way to get more detailed logging for any of the routers here?

Routers are not behind NAT. For what it's worth, I'm able to connect to router 2 via OpenVPN from router 1 network and I'm able to traceroute from r1 to r2 so the connectivity seems to be working. Any ideas how to debug this? 

Re:IPsec site-to-site VPN fails to establish on two TL-R605/ER605
2022-01-03 06:41:17

@chris238432 

 

If both are initiators, who will be the responder?

Not sure if that will fix the problem but router 2 needs to be responder.

Re:IPsec site-to-site VPN fails to establish on two TL-R605/ER605
2022-01-03 10:22:44

@cserv thanks for the suggestions! I tried that already. I made R2 act as responder and then vice versa. None of that worked. It seems to me there is another issue at play and the lack of logging makes it impossible to debug.

Re:IPsec site-to-site VPN fails to establish on two TL-R605/ER605
2022-01-03 10:26:33

@chris238432 

 

Maybe you can share a screenshot of your config. I have a successful VPN config between sites.

And the error in the system logs as well, please. Thanks.

Re:IPsec site-to-site VPN fails to establish on two TL-R605/ER605
2022-01-04 08:12:31

@chris238432 

 

The firmware version of router 2 is a little old. You can upgrade it to the latest v1.1.1 first.

Plus, the instructions below are for your reference:

https://www.tp-link.com/en/support/faq/2163/

 

https://www.tp-link.com/us/support/faq/3051/

 
