VPN Error Codes
Hi, Just purchased a TL-ER6020 and looking to connect to an IPSEC VPN, does anyone know where to find a list of the error code menaings from the system log?
Currently getting error=14 on IKE negotiation.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Dear @Eddieb68,
Is the ER6020 router behind NAT? What' the remote router?Could you draw a network topology here?
The log info doesn't mean anything, please provide the screenshots of the VPN settings for troubleshooting.
Before that, you may also check if this VPN Configuration Guide helps.
- Copy Link
- Report Inappropriate Content
@Fae Thank you for getting back to me.
The Firewall is not behind a NAT, we are trying to create a direct Lan to Lan VPN connection with the head office similar to the diagram below.
I have been selecting differnet proposal settings for phase 1 and now have WAN1: Phase 1 of IKE negotiation succeeded using the settings below.
I am trying to find out what the conneting end device is but I am now failing to connect Phase 2 with errors 9, 14 or 18 depending on the proposal option I select, it is set to tunnel mode.
I will rewiewing the guide you sent.
Thanks
Eddie
- Copy Link
- Report Inappropriate Content
@Fae I meant to include this, is what I was sent for far end configuration.
- Copy Link
- Report Inappropriate Content
I meant to include this, is what I was sent for far end configuration.
Based on the current info and screenshot for far end configuration, please modify the Phase-2 Settings on the ER6020 router as the parameters below.
If you cannot get the VPN tunnel up, please provide the model number of the far-end router, and attach the system log for analysis. Thank you.
- Copy Link
- Report Inappropriate Content
@Fae Thanks again, with this option it fails with error=9.
Looking at the far end screenshots it will be a Palo Alto device, I will ask for a model again and see if they can check their logs, i am not sure they will pass them to me.
- Copy Link
- Report Inappropriate Content
@Fae It is a Palo Alto 3260.
The error below, I don't think we have a proxy ID so must be the proposals, i have tried all combinations. Does the error 9 actually mean anything to you?
'IKE phase-2 negotiation is failed as initiator, quick mode. Failed SA: xx.xx.x.x[500]-xxx.xx.xxx.xx[500] message id:0x1EF2E215.'
Here is the suggestion, could you please Proxy ID Settings at your side?
Resolution
To resolve Proxy ID mismatch, please try the following:
1. Check the Proxy ID settings on the Palo Alto Networks firewall and the firewall on the other side.
Note: Proxy ID for other firewall vendors may be referred to as the Access List or Access Control List (ACL).
2. Also, check the IPSec crypto to ensure that the proposals match on both sides.
Thanks
Eddie
- Copy Link
- Report Inappropriate Content
Dear @Eddieb68,
We need to check the complete IPSec settings, ensure that the proposals match on both sides.
1. IKE (Internet Key Exchange) is aimed at negotiating IPsec parameters automatically in the negotiation process. TP-Link VPN routers all use IKEv1. From the datasheet, the Palo Alto 3260 supports both IKEv1 and IKEv2, please make sure the Key exchange is set as IKEv1, and confirm the pre-shared key is the same on both sides.
2. The Phase-1 Settings section on the TP-Link VPN router is to configure the IKE phase-1 parameters.
Based on the settings posted on floor #3, in Proposal, sha1-3des-dh2 refers to Authentication - Encryption - DH Group, please confirm it is set the same on the Alto 3260. For Local/Remote ID Type, NAME refers to FQDN, since you select IP Address, ensure the IKE negotiation is set as IP address on Alto 3260. Besides, set the same SA Lifetime on both routers.
3. The Phase-2 Settings section on the TP-Link VPN router is to configure the IKE phase-2 parameters.
Refer to the settings I provided on floor #5, in Proposal, esp-sha1-3des refers to Protocol - Authentication - Encryption, please confirm it is set the same on the Alto 3260, set the same SA Lifetime on both routers.
4. On the ER6020 router, you can change Exchange Mode to Aggressive Mode to have a try.
Hope this information is helpful. Best regards.
- Copy Link
- Report Inappropriate Content
@Fae Thank you for the detailed reply, i will work my way through the options.
As phase 1 is successful would that suggest that the PSK's do match on both sides?
Thanks
Eddie
- Copy Link
- Report Inappropriate Content
Dear @Eddieb68,
As phase 1 is successful would that suggest that the PSK's do match on both sides?
Just in case, it's better to have a check.
I'm wondering if you have resolved the problem finally?
If you still cannot get the VPN established successfully, try updating the firmware of the ER6020 router and see if it helps.
https://www.tp-link.com/support/download/tl-er6020/#Firmware
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 7363
Replies: 9
Voters 0
No one has voted for it yet.