IPsec Warning Phase 1 Of IKE Negotiation Failed Error 1
Suddenly a pair of TL-R600VPN's can't complete their IPsec connection. Site A has a static IP and is set as Initiator and has the correct IP address for Site B. Site B has a dynamic IP and is set as responder. Site B is producing the "Error 1" message. If I change Site A to responder and Site B to Initiator, then Site A will produce the Error 1 message. PSK are both correct, but have rewritten both and saved in case of corruption.
If I change the proposal on one side to something different (to test), the responder returns an Error 14. What does "Error 1" refer to? Is there a published list of error codes and their meaning?
Thanks.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
How long did this VPN of yours work properly before?
If it was suddenly found not to work, how often does this problem occur?
Is your specific problem that the VPN tunnel is disconnected when this error is reported? Or the client can not access the other side?
Have you tried to re-create a same VPN to test it?
- Copy Link
- Report Inappropriate Content
It has been working for a year or two. I have another connection that is static to static IP and I don't believe that connection has went down like this before.
I may have fixed this, but not sure yet if it was a coincidence or not, but this problem IPsec connection is static to dynamic IP. On both sides, I was referring to a CNAME record address. I reconfigured both sides to use the A record address (results to same IP address) and negotiation was successful.
The dynamic DNS is provided by No-IP. Could the reference to the CNAME record actually be the problem? Maybe No-IP made a change recently to cause this?
- Copy Link
- Report Inappropriate Content
Any opinions or thoughts on this?
- Copy Link
- Report Inappropriate Content
@urbnsr i have same issue , I am using windows 10 and trying to connect to tl-600 vpn and its failing .Same error as yours.. Looks like something not working . No knowledge on how to trouble shoot it.
- Copy Link
- Report Inappropriate Content
@urbnsr Have you tried to configure the VPN with Local-ID and Remote-ID as Name (Advanced Settings of the VPN)?
IMHO the Side with the static Internet-IP must better be responder...
- Copy Link
- Report Inappropriate Content
@Micky_Roth Thank you for reply.
The way I have each LAN-To-LAN side setup is IP ID Type for static side and NAME ID Type for dynamic side. It was working this way, but recently stopped working until I changed dynamic side gateway and ID type from CNAME record to A name record. The connection has stayed up ever since I made this change. Are you suggesting that ID Type NAME be changed to a matching value which may be unrelated to dynamic side Domain Name?
I have experienced that Static side needs to be initiator. The reason I have found if static side is responder and IP address changed on dynamic side, the dynamic side attempts a new IPsec connection with an unknown IP address (unknown to the static IP side) and static side refuses to accept the connection. I am gathering the the static side does not perform a DNS lookup when it is set to responder. It sees the unknown IP address and tells it to "take a hike". When static side is initiator, it seems to request a DNS lookup first before actually initiating the IPsec connection.
If the IP address does not change, then I find that either side can be initiator and a connection request is successful. I just cannot control when the IP address may change.
Thanks again...
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Yes - I do use No-IP dynamic DNS service/server. I was using a CNAME config for this VPN connection. I was using CNAME to protect the main A record domain name. It was working with CNAME, but I wondered if No-IP made some kind of change, but the static side resolved the correct IP address for the dynamic side.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 4781
Replies: 8
Voters 0
No one has voted for it yet.