Client-to-Site L2TP VPN fails between ER605 routers managed by OC200 Omada controller
Hi, I can set up the two ER605 v2.0 (2.3.0 Build 20250428 Rel.18967) routers via the Omada controller to connect via a Site-to-Site VPN, but this does not allow me to redirect all external network traffic from selected devices on one site to go via the VPN using Policy Routing. That feature seems only to be supported via a Client-to-Site VPN, so I need that instead.
PPTP is not secure enough for a Client-to-Site VPN. OpenVPN works for a PC client, but the ER605 implementation insists on a fixed IP address rather than Dynamic DNS.
I managed to get one ER605 to connect to the other with a Client-to-Site L2TP VPN *before* they were managed by the Omada controller, but since adoption the connection fails with IKE negotiation NO_PROPOSAL_CHOSEN[14] errors. No visible options to adjust the settings. Any ideas?
Hi @CJO
Thanks for posting here.
This error typically occurs due to mismatched IKE/IPsec settings between the two routers. Please try the following:
- Check Phase 1/Phase 2 Proposals:
  - Ensure both routers use the same:
    - IKE Version (IKEv1 or IKEv2)
    - Encryption Algorithm (e.g., AES-256)
    - Hash Algorithm (e.g., SHA-256)
    - DH Group (e.g., Group 14 or 5)
    - PFS (Perfect Forward Secrecy) settings (if enabled)
- Pre-Shared Key (PSK):
  - Confirm the PSK is identical on both routers (case-sensitive).
- Local/Remote Identifiers:
  - Some devices require explicit local/remote IDs (e.g., IP address or FQDN). Try setting these manually if possible.
B. Factory Reset & Manual Reconfiguration
- Temporarily remove the ER605 from the Omada controller and configure the L2TP/IPsec VPN standalone (via the router’s native UI).
- Re-adopt it into Omada after testing the VPN.
- Note: Omada may overwrite settings, so document your config first.
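The NO_PROPOSAL_CHOSEN[14] error in the reply above is the responder telling the initiator that none of the offered proposals matched anything it is configured to accept; the notify type number 14 is the same in ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296). The following is an added example, not code from this thread, from TP-Link or from the Omada controller: a minimal Python model of responder-side proposal selection run over constructed configurations. The algorithm lists, and the assumption that the controller-managed server only accepts SHA-256 with DH group 14 while the standalone client still offers SHA1-AES256-DH2, are illustrative and not taken from a real ER605. Real IKE carries structured transform sets per proposal; the model flattens each peer's lists into every combination, which is how a single-proposal consumer router behaves.

```python
# Added example, not code from the original thread or from TP-Link/Omada.
# A minimal model of IKE proposal selection, to show why mismatched
# Phase 1 / Phase 2 settings end in NO_PROPOSAL_CHOSEN (notify type 14 in
# both ISAKMP/IKEv1, RFC 2408, and IKEv2, RFC 7296). The "router" configs
# below are constructed samples, not dumps from an ER605 or OC200.
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

NO_PROPOSAL_CHOSEN = 14  # notify type number as it appears in the router log


@dataclass(frozen=True)
class Proposal:
    """One concrete encryption/integrity/DH combination."""
    encr: str
    integ: str
    dh: Optional[str]  # None = no DH exchange (Phase 2 with PFS disabled)


@dataclass
class PeerConfig:
    """Algorithm lists one peer is willing to use, in preference order.
    Assumption: the peer offers/accepts every combination of its lists,
    which is how a single-proposal consumer router behaves."""
    encr: List[str]
    integ: List[str]
    dh: List[Optional[str]]

    def proposals(self) -> List[Proposal]:
        return [Proposal(e, i, d) for e, i, d in product(self.encr, self.integ, self.dh)]


def select_proposal(initiator: PeerConfig,
                    responder: PeerConfig) -> Tuple[Optional[Proposal], Optional[int]]:
    """Responder-side choice: the first proposal in the initiator's preference
    order that the responder also accepts, else (None, NO_PROPOSAL_CHOSEN)."""
    acceptable = set(responder.proposals())
    for p in initiator.proposals():
        if p in acceptable:
            return p, None
    return None, NO_PROPOSAL_CHOSEN


def overlap_report(initiator: PeerConfig, responder: PeerConfig) -> dict:
    """Per transform type, the values both sides share. An empty list names
    the setting to change on one side (cipher, hash, DH group or PFS)."""
    report = {}
    for name in ("encr", "integ", "dh"):
        common = set(getattr(initiator, name)) & set(getattr(responder, name))
        report[name] = sorted("none" if x is None else x for x in common)
    return report


# Constructed Phase 1 scenario: the standalone ER605 client keeps the thread's
# SHA1-AES256-DH2 (modp1024) settings, while the controller-managed server is
# assumed (not verified against a real ER605) to accept only SHA-256 and DH14.
CLIENT_P1 = PeerConfig(encr=["aes256"], integ=["sha1"], dh=["modp1024"])
SERVER_P1_MANAGED = PeerConfig(encr=["aes256", "aes128"], integ=["sha256"], dh=["modp2048"])
# Same server after re-adding SHA1 and DH2 so the sets overlap again.
SERVER_P1_FIXED = PeerConfig(encr=["aes256", "aes128"], integ=["sha256", "sha1"],
                             dh=["modp2048", "modp1024"])

# Constructed Phase 2 scenario: PFS disabled on the client, required on the server.
CLIENT_P2 = PeerConfig(encr=["aes256"], integ=["sha1"], dh=[None])
SERVER_P2_PFS = PeerConfig(encr=["aes256"], integ=["sha1"], dh=["modp2048"])


if __name__ == "__main__":
    scenarios = [("phase1 managed", CLIENT_P1, SERVER_P1_MANAGED),
                 ("phase1 fixed", CLIENT_P1, SERVER_P1_FIXED),
                 ("phase2 pfs mismatch", CLIENT_P2, SERVER_P2_PFS)]
    for label, ini, resp in scenarios:
        chosen, err = select_proposal(ini, resp)
        outcome = chosen if err is None else f"NO_PROPOSAL_CHOSEN[{err}]"
        print(f"{label}: {outcome}  overlap={overlap_report(ini, resp)}")
```

The useful part when reading a real log is `overlap_report`: the error itself never says which transform failed, so diagnosing it means comparing the two sides' lists one type at a time, and a PFS mismatch shows up as an empty DH overlap in Phase 2 even when cipher and hash agree.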
Hi @Vincent-TP
Thanks for your suggestions...
- Check Phase 1/Phase 2 Proposals:
  - When managed, I don't seem to be able to adjust IKE/Encryption/Hash/DH/PFS for a Client-to-Site L2TP VPN. Am I missing something?
- Pre-Shared Key (PSK):
  - PSK is identical.
- Local/Remote Identifiers:
  - I have tried setting these manually, but it doesn't seem to fix the Phase 1 negotiation problems.
Next step is to see if I can get the "client" ER605 to connect again in standalone mode after a factory reset, when I may be offered more settings to adjust. This worked as a Client-to-Site VPN to the managed "site" ER605 before updating everything to the latest firmware, but I recall that may have been in PPTP mode, which isn't really secure enough as a long term solution. I now need to find a time when that ER605's LAN can be taken down for a while!
Hi @Vincent-TP
I have now got everything working by updating the firmware for the Omada controller with the new release made since my posting: OC200(UN)_V1_1.36.7 Build 20250707.
Thanks again for your suggestions.
Hi @CJO
Great to hear that the issue has been resolved! If you encounter any further problems or have additional questions, feel free to reach out.
@Vincent-TP
I am having the exact same issue where I used to have a working L2TP connection between my two ER605s, and for about a month now it has been flaky/not working at all.
My controller is already on the latest version and I still see the "Error=NO_PROPOSAL_CHOSEN[14]" logs at the client side. Is this a known issue with the controller or the routers?
Hi @Perondas
Two IPSec options are working for me, with L2TP in a Client-to-Site VPN.
For Client-to-Site VPN with VPN Client - L2TP in NAT mode the IPSec is encrypted and the remote server's subnet is defined. Local Network Type is Network. At the server it's VPN Server - L2TP with encrypted IPsec, local authentication and Local Network Type as Network. The IP Address Range and DNS servers are defined. The VPN User account has its Local IP Address defined and works in Network Extension Mode with the client's Remote Subnet defined.
For Site-to-Site VPN with Manual IPSec (i.e. no IKE negotiation), remote gateway and remote subnet for each are defined, and under Advanced Settings it's IKEv2 with SHA1-AES256-DH2 in default settings other than PFS dh15. The Auto IPsec wouldn't work for me.
As another option, OpenVPN Client-to-Site seemed to be fine.
ER605s are currently on 2.3.0 and OC200 is on 1.36.7 Build 20250707 Rel.72474.
Hope that helps