Home Network Community > Wi-Fi Routers > Cannot Complete Phase 2 IKE/IPSec VPN
< Wi-Fi Routers

Cannot Complete Phase 2 IKE/IPSec VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Cannot Complete Phase 2 IKE/IPSec VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Cannot Complete Phase 2 IKE/IPSec VPN
Cannot Complete Phase 2 IKE/IPSec VPN
2020-04-05 21:24:33 - last edited 2020-04-09 15:01:00
Model: Archer AX3000  
Hardware Version: V1
Firmware Version: 1.0.2 Build 20200303 rel.61469(5553)

I recently upgraded a Netgear WNDR4300 which was running "fine" (aside from slow).

 

Install of the AX3000 went smoothly and seems very fast, however I am unable to connet to my work IPSec VPN, which is a dealbreaker.

 

I have verified that IPSEC passthrough is enabled under : NAT Forwarding -> ALG

I am able to successfully pass Phase 1 and XAUTH.  

Phase 2 never completes.

 

The remote firewall does not need to be reconfigured.

I am using VPN Tracker 365 software on my mac.

 

 When I swap back to my WNDR4300 or plug my mac directly into my cable modem, I am able to successfully pass through all phases and connet the VPN without issue.

 

Only when the AC3000 is in the mix that Phase 2 never completes.

 

The PHASE 1 and XAUTH logs are very similar.  The beginning of PHASE 2 is also similar.  Below are the differences:

 

    Working Connection : 
            PHASE 2
            15:29:02    === Phase 2 exchange / initiator / receive 1 (321)
            15:29:02    Rewriting status 0006000F for SCP status 2
            15:29:02    Status rewritten to 0006000F for SCP connection

            15:29:02    Phase 2 in Progress

            (Status Messages and Tunnel is created)


    TP-Link : 
            PHASE 2
            15:23:05    === Phase 2 exchange / initiator / send 1 (153)

            15:23:05    NAT autodetect: 1 (273)
            15:23:05    Internal connection state is now: Connecting
            15:23:05    local ID: 0.0.0.0 (IPv4_subnet) (4078)
            15:23:05    remote ID: 192.168.1.0 (IPv4_subnet) (4132)
            15:23:05    add payload of len 48, next type: nonce (2138)
            15:23:05    add payload of len 16, next type: id (2138)
            15:23:05    add payload of len 12, next type: id (2138)
            15:23:05    add payload of len 12, next type: none (2138)
            15:23:05    phase 2, next type: hash (2059)
            15:23:05    add payload of len 32, next type: sa (2138)
            15:23:05    IKEResender: Added packet 13 (-> 8 [R]) to backlog.
            15:23:05    IKEResender: Will resend packet 13 (-> 8) in 1.000 seconds.
            15:23:05    Internal connection state is now: Connecting
            15:23:06    IKEResender: Resending packet 13 (-> 8)
            15:23:06    IKEResender: Will resend packet 13 (-> 8) in 2.000 seconds.
            (LOOPING until failure)
 

 

I'm not sure if it's the local id or the NAT that is the issue.

  0      
 
  0      
 
#1
Options
2 Reply
Re:Cannot Complete Phase 2 IKE/IPSec VPN
2020-04-05 21:33:51 - last edited 2020-04-09 15:01:00

@savante21 Well, I'm not actually sure what changed... I unchecked all the boxes under "NAT Forwarding -> ALG" and saved out the settings.

I then ran a connection check on my VPN software and it predictably failed (it was previously passing).

I then tried to connect to the VPN and could not get a Phase 1 initiated.

 

I then checked the box under "NAT Forwarding -> ALG" for Enable IPSec Passthrough and tried again, and finally I was able to get my VPN connected.

I then added back one check box at a time under "NAT Forwarding -> ALG" thinking there may have been a conflict, but every setting still allowed my VPN to function.

 

I'm not sure why i was unable to get this VPN connection completed for hours until disabling IPSec Passthrough and re-enabling it... but that seems to have fixed the issue.

 

  2  
  2  
#2
Options
Re:Cannot Complete Phase 2 IKE/IPSec VPN
2020-04-09 15:00:55

@savante21 While my previous solution had worked for a time. The problem reppeared and unfortunately following the same steps does not seem to fix the issue.

 

The response from the VPN Tracker support is as follows :

 

It look as if either no packages pass through anymore after Phase 2 was started; either they are lost on their way out to the VPN gateway or replies are lost on their way back in; that isn't distinguishable as all we can see in VPN Tracker is that we keep sending out packets and no replies are coming back all of a sudden.

What is a bit strange about this issue: For a router, Phase 2 packets are in no way special. Prior to this problem VPN Tracker has already sent packets with identical IP and UDP headers, these packets came through just fine and that even though they also were much bigger, so size cannot be an issue either. And as the packets are encrypted, the router cannot even know what their content is.

Could this be some security function? Can you try disabling all security related settings on the TP Link and see if that makes a difference? If it does, try re-enabling them one by one and see which option finally breaks the connection.

 

  0  
  0  
#3
Options

Information

Helpful: 0

Views: 1271

Replies: 2

Related Articles
 AX 3000 V2 (AX 55) IPSec VPN w/iOS 16 built in VPN client
564 0
Archer 5400 Can't connect to my home server through VPN L2TP / IPSEC
1415 0
 My Surface won’t connect 2 wifi; Network uses security standard thats been phase out
702 1
 Archer C5400 - How do I enable IPSEC when connecting to VPN using L2TP?
2268 0
 Cannot connect to VPN server
225 0
 Does Phase Matter?
1931 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.