VPN IPSEC IKEv2 on er605 v2

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-30 12:06:42

  @Clive_A the result is the same, nothing changes

#12
Re:VPN IPSEC IKEv2 on er605 v2-Solution
2023-12-01 01:18:28 - last edited 2023-12-01 01:24:37

Hi @PKD1 

Thanks for posting in our business forum.

PKD1 wrote

  @Clive_A the result is the same, nothing changes

OK. Just got a confirmation that the Local ID type cannot be matched because Android does not support the Remote ID type. When you put the ER605 behind the NAT, the Local ID type would be the IP address and this cannot be modified. This will make the authentication fail.

iOS supports changing Remote ID type and it does not happen to Apple products.

 

Temporary fix now: change it to bridge mode on your modem router. Don't DMZ or put the ER605 behind the NAT.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Recommended Solution
#13
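
The identity mismatch described in the reply above can be reproduced offline. This is an added example, not TP-Link's or any poster's code: it parses an IKEv2 ID payload in the RFC 7296 layout and applies a strict remote-ID check. The addresses, `vpn.example.com`, and the assumption that the router's IDr carries its private WAN address behind NAT are constructed for illustration.

```python
import struct

# ID types from RFC 7296 section 3.5 (subset)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR", 11: "ID_KEY_ID"}


def build_id_payload(id_type, data):
    """Generic payload header (4 bytes), ID type, 3 reserved bytes, ID data."""
    body = bytes([id_type]) + b"\x00\x00\x00" + data
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_id_payload(raw):
    """Return (type_name, value) for a decrypted IDi/IDr payload."""
    if len(raw) < 8:
        raise ValueError("shorter than the fixed 8-byte prefix")
    _next_payload, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match buffer size")
    id_type, data = raw[4], raw[8:]
    name = ID_TYPES.get(id_type, "UNKNOWN(%d)" % id_type)
    if id_type == 1:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return name, ".".join(str(b) for b in data)
    if id_type in (2, 3):
        return name, data.decode("ascii").lower()
    return name, data.hex()


def check_remote_id(idr_raw, expected_type, expected_value):
    """Strict client check: both the ID type and the value must match."""
    got_type, got_value = parse_id_payload(idr_raw)
    if got_type != expected_type:
        return False, "type mismatch: got %s, expected %s" % (got_type, expected_type)
    if got_value != expected_value.lower():
        return False, "value mismatch: got %s, expected %s" % (got_value, expected_value)
    return True, "match"


# Constructed samples. Assumption: behind NAT the router's IDr carries its
# private WAN address; in bridge mode it carries the public one the client dials.
IDR_BEHIND_NAT = build_id_payload(1, bytes([192, 168, 1, 2]))
IDR_BRIDGED = build_id_payload(1, bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    print(check_remote_id(IDR_BEHIND_NAT, "ID_FQDN", "vpn.example.com"))
    print(check_remote_id(IDR_BEHIND_NAT, "ID_IPV4_ADDR", "203.0.113.10"))
    print(check_remote_id(IDR_BRIDGED, "ID_IPV4_ADDR", "203.0.113.10"))
```
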
Re:VPN IPSEC IKEv2 on er605 v2
2023-12-02 21:33:13

  @PKD1 @Clive_A 
Hi guys,
I'm having the same kind of scenario on my setup

ISP >> Router (pppoe to isp) [er605 v2] controlled by oc200

I have a successful openvpn client to site access to access my LAN & home servers from my PC, and now I'm trying to do so for my iOS devices to access my local cloud.

I followed this article as well https://www.tp-link.com/en/support/faq/3447/ , and every time I try to connect via the VPN settings in iPhone (iOS 17) it just won't connect at all.

Thanks for any help 

 

#14
Re:VPN IPSEC IKEv2 on er605 v2
2023-12-04 02:02:30

Hi @Destor 

Thanks for posting in our business forum.

Destor wrote

  @PKD1 @Clive_A 
Hi guys,
I'm having the same kind of scenario on my setup

ISP >> Router (pppoe to isp) [er605 v2] controlled by oc200

I have a successful openvpn client to site access to access my LAN & home servers from my PC, and now I'm trying to do so for my iOS devices to access my local cloud.

I followed this article as well https://www.tp-link.com/en/support/faq/3447/ , and every time I try to connect via the VPN settings in iPhone (iOS 17) it just won't connect at all.

Thanks for any help 

 

I need to confirm again: is your network double-NATed?

Do you specify the ID in the config like the guide?

This might be an encryption issue; you can consider changing/adding some encryption in Phase 1. Adding them does not affect the connection; the more types you have, the more chance that it can make a successful negotiation.

Or you can use Wireshark like the OP, and I need some further details than this.

#15
Re:VPN IPSEC IKEv2 on er605 v2
2024-01-07 14:20:46

  @Clive_A 
Hi thanks for the reply and sorry for my late one.
**Disclaimer** I have an openvpn vpn server running on my router using user authentication - this is the method I connect with my computer remotely.
My network is as follows:

ISP --> wan into router (er605) -->(LAN) --> switch --> AP's

I don't have a second router/modem between my ISP and my Omada router.

 

#16
Re:VPN IPSEC IKEv2 on er605 v2
2024-01-08 01:12:18 - last edited 2024-01-08 01:12:56

Hi @Destor 

Thanks for posting in our business forum.

Destor wrote

  @Clive_A 
Hi thanks for the reply and sorry for my late one.
**Disclaimer** I have an openvpn vpn server running on my router using user authentication - this is the method I connect with my computer remotely.
My network is as follows:

ISP --> wan into router (er605) -->(LAN) --> switch --> AP's

I don't have a second router/modem between my ISP and my Omada router.

 

What other information can you provide for me? I am not able to judge this issue and, if you need, I can simply do a test or upload the video for you to show that it actually works. Please share the screenshots of your config. Word descriptions actually mean nothing to me. I cannot verify if your words are truthful as the facts. Mosaic your sensitive information and give all the related screenshots.

 

Your WAN information is also needed. Mosaic some parts but I still need to read your IP and tell if it is a public one.

#17
Re:VPN IPSEC IKEv2 on er605 v2
2024-02-15 10:05:25

  @Clive_A 
Hi, I'd love to share my info with you; can we do it in a private chat?
I believe it's solely the encryption / proposal method in the settings.
 

#18
Re:VPN IPSEC IKEv2 on er605 v2
2024-02-17 02:37:21 - last edited 2024-02-17 02:37:44

Hi @Destor 

Thanks for posting in our business forum.

Destor wrote

  @Clive_A 
Hi, I'd love to share my info with you; can we do it in a private chat?
I believe it's solely the encryption / proposal method in the settings.
 

Contact the technical support team for a private chat. I don't host a private conversation with the members of the forum.

Or share it publicly and mosaic the sensitive information.

#19
Re:VPN IPSEC IKEv2 on er605 v2
2024-02-18 08:35:12

  @Clive_A 

Hi,
I have run extensive checks on the ipsec vpn both on iOS 17 & Android 1.

The matrix of creating a proposal method and encryption protocol that match each other and the security requirements in mobile OS for an ipsec vpn (ikev2) without user authentication or certificate auth is very complex and seems quite inapplicable, as any configuration that I've tried prompted that the security is not admissible (aka connection not secured).

Thus I shifted to create a l2tp vpn server with user + shared secret/key authentication which now works amazingly well.

I think that TPLINK should supply a chart that outlines the encryption + proposal encryption that are supported in newer OS versions for all mobile devices as phone companies are opting out of "lower grade" / "less secure" encryption protocols.

Please note that in the Omada controller software only one proposal / encryption method is available to choose, not like the config guide.

screen capture shows ipsec vpn: (firmware version for er605v2 (2.2.3) omada controller firmware (5.12.9))

#20
Re:VPN IPSEC IKEv2 on er605 v2
2024-02-18 09:31:47

Hi @Destor 

Thanks for posting in our business forum.

Destor wrote

  @Clive_A 

Hi,
I have run extensive checks on the ipsec vpn both on iOS 17 & Android 1.

The matrix of creating a proposal method and encryption protocol that match each other and the security requirements in mobile OS for an ipsec vpn (ikev2) without user authentication or certificate auth is very complex and seems quite inapplicable, as any configuration that I've tried prompted that the security is not admissible (aka connection not secured).

Thus I shifted to create a l2tp vpn server with user + shared secret/key authentication which now works amazingly well.

I think that TPLINK should supply a chart that outlines the encryption + proposal encryption that are supported in newer OS versions for all mobile devices as phone companies are opting out of "lower grade" / "less secure" encryption protocols.

Please note that in the Omada controller software only one proposal / encryption method is available to choose, not like the config guide.

screen capture shows ipsec vpn: (firmware version for er605v2 (2.2.3) omada controller firmware (5.12.9))

 

About the third-party, it would be very convenient for you to search it with Google. We cannot list everything from every vendor.

https://developer.apple.com/documentation/devicemanagement/vpn/ikev2/ikesecurityassociationparameters

 

This information may not be possible to get from the support. As I found it in the developer docs.

 

One encryption method does not hurt anything. It'll try the available encryption methods.

#21
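
The Phase 1 negotiation discussed in posts #15, #20 and #21 follows the IKEv2 rule that one proposal must agree on every transform type, not just on encryption. This added example (not from the thread, TP-Link or Apple) models that selection; all algorithm lists are constructed and do not describe what any real client or the ER605 offers, and picking the first acceptable offer in initiator order is an assumption.

```python
# Transform types negotiated for an IKE SA (RFC 7296 section 3.3.2).
# AEAD ciphers, which omit INTEG, are left out to keep the example short.
TYPES = ("ENCR", "PRF", "INTEG", "DH")


def select_proposal(offers, policies):
    """Return (offer_number, chosen_transforms) or None for NO_PROPOSAL_CHOSEN.

    offers:   initiator proposals, each a dict of type -> list of transforms
    policies: responder proposals in the same shape
    A proposal is accepted only if every transform type has a common value.
    """
    for number, offer in enumerate(offers, start=1):
        for policy in policies:
            chosen = {}
            for ttype in TYPES:
                common = [t for t in offer.get(ttype, []) if t in policy.get(ttype, [])]
                if not common:
                    break
                chosen[ttype] = common[0]
            else:
                return number, chosen
    return None


def explain_failure(offers, policy):
    """List, per offer, the transform types that have nothing in common."""
    return [[t for t in TYPES if not set(o.get(t, [])) & set(policy.get(t, []))]
            for o in offers]


# Constructed values, not taken from any real client or from the ER605.
CLIENT_OFFERS = [
    {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA2-256"],
     "INTEG": ["HMAC-SHA2-256-128"], "DH": ["14", "19"]},
    {"ENCR": ["AES-CBC-128"], "PRF": ["HMAC-SHA1"],
     "INTEG": ["HMAC-SHA1-96"], "DH": ["14"]},
]
SINGLE_POLICY = [{"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA1"],
                  "INTEG": ["HMAC-SHA1-96"], "DH": ["2"]}]
EXTRA_POLICY = SINGLE_POLICY + [{"ENCR": ["AES-CBC-128"], "PRF": ["HMAC-SHA1"],
                                 "INTEG": ["HMAC-SHA1-96"], "DH": ["14"]}]

if __name__ == "__main__":
    print(select_proposal(CLIENT_OFFERS, SINGLE_POLICY))
    print(explain_failure(CLIENT_OFFERS, SINGLE_POLICY[0]))
    print(select_proposal(CLIENT_OFFERS, EXTRA_POLICY))
```
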