Site-to-site IPsec tunnel not starting

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Site-to-site IPsec tunnel not starting

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Site-to-site IPsec tunnel not starting
Site-to-site IPsec tunnel not starting
2023-03-17 20:59:57 - last edited 2023-03-18 11:15:53
Hardware Version: V1
Firmware Version: 1.2.23

Team,

 

Just finished some testing with the beta versions being:

  • TL-ER7206 version: 1.2.3_20230224-rel60828_up_2023-02-24_16.54.59
  • TL-ER605 version: 1.2.3_20230224-rel61610_up_2023-02-24_17.08.23

And discovered that the site-to-site IPsec VPN tunnel between these 2 routers is not working.

Meaning the tunnel not even started.

 

I then reverted back to the previous stable version being:

  • TL-ER7206 version: 1.2.3 Build 20221104
  • TL-ER605 version: 1.2.1 Build 20220512

After that, the IPsec tunnel is working as expected.

 

Not sure if (and how) this effects the final release.

But just so you know.

 

 

With warm regards - Will

 

*** making it run like clockwork ***
  0      
  0      
#1
Options
2 Accepted Solutions
Re:Site-to-site IPsec tunnel not starting-Solution
2023-03-18 06:55:31 - last edited 2023-03-18 11:15:53

@shberge 

I don't understand what you are saying about buggy R7206-firmware and not supported with the R605... smiley

 

To make sure we are on the same page (see also my initial post):

The settings in my posted screenshot are working with *both* router models when using the latest stable firmware version.

When switching to the latest beta version for *both* router models the IPsec tunnel is not even starting. surprise 

 

See the initial post for the exact version numbers on each.

 

*** making it run like clockwork ***
Recommended Solution
  0  
  0  
#5
Options
Re:Site-to-site IPsec tunnel not starting-Solution
2023-03-18 07:44:18 - last edited 2023-03-18 11:15:57

  @ITV 

 

with the latest official release to ER7206 your settings not take effect, if you  configure SHA-256 it steel use SHA1, with the new beta release this settings take effect and use SHA-256 but this is not supportet in ER605v1 and because of that you dont get VPN to work, You have now a ER605v1 that use SHA1 and ER7206 use SHA-256. so to get it to work use SHA1 on both routers then your VPN will work.

 

the same thing with ER605v1 if you configure SHA-256 it steel use SHA1. if you look at VPN status you see that.

 

 

Recommended Solution
  3  
  3  
#6
Options
8 Reply
Re:Site-to-site IPsec tunnel not starting
2023-03-17 21:37:27

  @ITV 

 

I do a test, vpn site to site work whit no issue between my routers with this sotware
TL-ER7206 v1.0Firmware Version:1.2.3 Build 20230224 Rel.60828
TL-R605 v1.0Firmware Version:1.2.3 Build 20230224 Rel.61610

 

what encryption do you use?

 

I use deafult for vpn on this routers
Phase-1 Settings
SHA1 - AES256 - DH2
Phase-2 Settings
ESP - SHA1 - AES256

 

 

  1  
  1  
#2
Options
Re:Site-to-site IPsec tunnel not starting
2023-03-17 22:49:03 - last edited 2023-03-17 22:50:54

@shberge 

Thank you for the quick response.

See attached screenshot with all relevant settings.

Will give your settings a try later this weekend.

 

 

Cheers - Will

 

=====

 

*** making it run like clockwork ***
  0  
  0  
#3
Options
Re:Site-to-site IPsec tunnel not starting
2023-03-18 05:39:59 - last edited 2023-03-18 05:50:13

  @ITV Ok, I se whats the problem, Long storry but ER7206 have buggy software in the version you use now, SHA256 don't take effect, whit the beta this is fixed and then the router don't connect to ER605 because this router don't support SHA256, so upgrade to the latest beta on both.

 

change to SHA1 not use SHA256, ER605v1 don't support that. 

 

This setting will work

 

 

 

  1  
  1  
#4
Options
Re:Site-to-site IPsec tunnel not starting-Solution
2023-03-18 06:55:31 - last edited 2023-03-18 11:15:53

@shberge 

I don't understand what you are saying about buggy R7206-firmware and not supported with the R605... smiley

 

To make sure we are on the same page (see also my initial post):

The settings in my posted screenshot are working with *both* router models when using the latest stable firmware version.

When switching to the latest beta version for *both* router models the IPsec tunnel is not even starting. surprise 

 

See the initial post for the exact version numbers on each.

 

*** making it run like clockwork ***
Recommended Solution
  0  
  0  
#5
Options
Re:Site-to-site IPsec tunnel not starting-Solution
2023-03-18 07:44:18 - last edited 2023-03-18 11:15:57

  @ITV 

 

with the latest official release to ER7206 your settings not take effect, if you  configure SHA-256 it steel use SHA1, with the new beta release this settings take effect and use SHA-256 but this is not supportet in ER605v1 and because of that you dont get VPN to work, You have now a ER605v1 that use SHA1 and ER7206 use SHA-256. so to get it to work use SHA1 on both routers then your VPN will work.

 

the same thing with ER605v1 if you configure SHA-256 it steel use SHA1. if you look at VPN status you see that.

 

 

Recommended Solution
  3  
  3  
#6
Options
Re:Site-to-site IPsec tunnel not starting
2023-03-18 11:19:52 - last edited 2023-03-18 11:21:37

  @shberge 

Many thanks for the quick and to the point answers. And indeed - works as you mentioned.

 

To give the R605 some breathing room I now use "SHA1 - AES128 - DH2" on all sites; including the PFS parameter.

This balances security/encryption and device performance.

 

*** making it run like clockwork ***
  2  
  2  
#7
Options
Re:Site-to-site IPsec tunnel not starting
2023-03-18 11:50:23

  @ITV 

Yes, I agree, there isn't that much horsepower in these routers so it's a good match :-)

 

  0  
  0  
#8
Options
Re:Site-to-site IPsec tunnel not starting
2023-04-14 03:54:15

Hi All,

 

A newer 1.2.3 Beta firmware has been released for trial, please follow the post link below for details.
ER605 V1_1.2.3_Build 20230413 Beta For Trial (Released on Apr 14th, 2023)

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#9
Options