L2TP - IPsec VPN omada ER605v2 not working

a week ago - last edited Tuesday
Model: OC200  
Hardware Version: V1
Firmware Version: 1.37.11

Hello guys, I have a strange problem with my L2TP/IPsec VPN server on my Omada ER605 router.

I have a lab environment where I have a public IP (directly on the ER WAN interface). I also have an Omada switch, AP and controller OC200 v1. A few months ago I set up my L2TP/IPsec, and everything was working fine. Yesterday I did a firmware upgrade on my router and controller, and after that the VPN is not working. I have 3 clients, all Windows 11, 24H2 and 25H2, and I cannot connect to this VPN.

On every PC the same error: "connection attempt failed because of security encountered..." (Event Viewer error 789). I have tried many solutions: Registry Editor changes to attributes in the IKE policy, deleting the WAN Miniport adapter, and so on. What is strange is that I can connect from a mobile hotspot, but not from my home location, where there is a Meraki MX firewall and my LAN network (behind public IP NAT). Outgoing connections are not blocked on the Meraki firewall, ports are opened and I can ping my public IP from my laptops (from home). Every laptop has the same error.

The error in the Omada logs is: WAN1: Phase 1 of IKE negotiation failed, No proposal chosen 14

PSK and VPN parameters on the clients must be fine, because I can connect from the hotspot network.

It could be some Windows update bug or a TP-Link bug; it shouldn't be linked with the MX firewall in my opinion, because before it was working fine...

Thanks a lot for any reply.

Juraj.

1 Accepted Solution
Re:L2TP - IPsec VPN omada ER605v2 not working-Solution
Tuesday - last edited Tuesday

Hi @Juraj22

Thanks for posting here. The error message “WAN1: Phase 1 of IKE negotiation failed, No proposal chosen 14” indicates a mismatch between the security proposals offered by the VPN server (ER605 router) and the clients. Here are some suggestions for your reference:

1. Check IKE and IPsec Proposals on the Router

  • Router Configuration: Log in to the Omada ER605 router’s web-based management interface. Navigate to the VPN settings section related to L2TP/IPsec. Review the IKE and IPsec proposals (encryption algorithms, hash algorithms, etc.).
  • Client Configuration: On your Windows 11 clients, although the PSK and other basic parameters seem correct, the security proposals might have changed due to the Windows updates. You can try adjusting the proposals on the router to match the default or supported proposals for Windows 11. For example, Windows 11 usually supports IKEv2 with AES-256 encryption and SHA-256 hash.

2. Windows Firewall and Security Software

  • Windows Firewall: Make sure that the Windows Firewall on your laptops is not blocking the VPN traffic. You can temporarily disable the Windows Firewall (not recommended for long-term use) to test whether it is causing the problem. Go to “Control Panel” > “System and Security” > “Windows Defender Firewall”. Click “Turn Windows Defender Firewall on or off” and select “Turn off Windows Defender Firewall” for both private and public networks.
  • Third-Party Security Software: If you have any third-party antivirus or security software installed on your laptops, it might be blocking the VPN traffic. Temporarily turn off these programs, then try connecting to the VPN again.

3. Meraki MX Firewall Configuration

Although you think the Meraki MX firewall is not the cause, it’s still worth double-checking.

  • NAT Traversal: Ensure that the Meraki MX firewall has NAT traversal (NAT-T) enabled for IPsec traffic. L2TP/IPsec uses UDP ports 500 and 4500 for NAT-T. Make sure these ports are open for outgoing traffic.
  • Policy Review: Review the security policies on the Meraki MX firewall. There might be some new rules that are inadvertently blocking the VPN traffic. You can create a specific rule to allow all traffic related to the VPN server’s public IP address.

4. Re-Initialize the VPN Configuration

  • Router: On the Omada ER605 router, you can try to delete the existing L2TP/IPsec VPN configuration and then recreate it. Make sure to note down all the settings before deleting, and re-enter them accurately during the re-creation process. Or export a backup file.
  • Clients: On your Windows 11 laptops, delete the existing VPN connections and then recreate them. Enter the correct PSK, server address, and other parameters.

If none of the above helps, you may contact TP-Link support for further troubleshooting.

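The client side of the four steps above, as an added example that is not code from the TP-Link thread, from Omada firmware or from Microsoft. It is the check-and-rebuild a practitioner would run on one of the Windows 11 laptops: read the RasClient failure that Event Viewer shows as error 789, print the registry values that shape the built-in L2TP client's IKEv1 proposals and NAT-T behaviour, then recreate the connection with the IKE and ESP proposals pinned to what the router is configured for. One caveat worth keeping in mind: "No proposal chosen" is the responder's (router's) Phase 1 reply, and the same laptops connect from a hotspot, so the default client proposals evidently can match; the useful comparison is therefore between the two locations (NAT on the path versus none), which is what steps 2 and 3 of the script are for. The connection name 'Lab-L2TP', the server name 'vpn.example.test' and the assumed router proposal (IKE AES-256 / SHA-256 / DH group 14, ESP AES-256 / SHA-256, PFS 2048) are hypothetical and must be replaced with your own values.

```powershell
# Added example, not from the TP-Link thread or Omada firmware.
# Hypothetical values (replace with your own): connection 'Lab-L2TP', server
# 'vpn.example.test', router configured for IKE AES-256 / SHA-256 / DH group 14
# and ESP AES-256 / SHA-256 with PFS group 2048.
# Run from an elevated PowerShell session on the Windows 11 client.

$ConnectionName = 'Lab-L2TP'
$ServerAddress  = 'vpn.example.test'

# 1. Most recent dial failures. RasClient event 20227 carries the numeric error
#    the poster saw (789 = "The L2TP connection attempt failed because the
#    security layer encountered a processing error during initial negotiations").
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. Registry values that change what the client offers in Phase 1 and how it
#    handles NAT-T. Read only here: compare a failing laptop with a working one.
$rasMan      = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$checks = @(
    @{ Path = $rasMan;      Name = 'NegotiateDH2048_AESSHA256' }                # 1 = also offer AES-256/SHA-256/DH2048, 2 = offer only that
    @{ Path = $rasMan;      Name = 'AllowL2TPWeakCrypto' }                      # 1 = re-enable MD5/DES (do not leave this on)
    @{ Path = $policyAgent; Name = 'AssumeUDPEncapsulationContextOnSendRule' }  # 2 = client and server may both be behind NAT
)
foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($c.Name) } else { '<not set>' }
    '{0}\{1} = {2}' -f $c.Path, $c.Name, $value
}

# 3. Client behind NAT (home LAN behind the Meraki MX), server with a public IP
#    directly on WAN: the documented NAT-T setting for the built-in client is
#    AssumeUDPEncapsulationContextOnSendRule = 2, which needs a reboot to apply.
#    Left commented out so the script stays read-only until you decide to set it.
# New-ItemProperty -Path $policyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
#     -PropertyType DWord -Value 2 -Force | Out-Null

# 4. Delete and recreate the connection (step 4 of the answer), then pin the
#    IKE and ESP proposals so a changed client default cannot be the reason for
#    "No proposal chosen". The PSK is prompted for, never stored in the script.
$psk = Read-Host -Prompt "Pre-shared key for $ConnectionName"
Remove-VpnConnection -Name $ConnectionName -Force -ErrorAction SilentlyContinue
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -RememberCredential -Force
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# 5. What the client will now propose. Every field must be present in the
#    ER605's IKE/IPsec proposal, otherwise Phase 1 fails exactly as in the Omada log.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

Run it once on a laptop at home and once on the same laptop tethered to the hotspot, and diff the output of steps 1 and 2: if the registry values and the proposed policy are identical in both places and only the home run fails with 789, the client configuration is not the variable and the NAT path (step 3, plus the UDP 500/4500 handling on the MX) is where to look next. Pinning the proposals in step 4 is also worth keeping afterwards: it removes the weak IKEv1 defaults the client would otherwise offer and makes any future "No proposal chosen" a deliberate router-side change rather than a silent client update.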
Re:L2TP - IPsec VPN omada ER605v2 not working
Wednesday

  @Juraj22 

Hi! Please check if the user login contains special characters. After the update to v6 we had to switch from "surname.n" to "surname" in our case to make L2TP work again. I created a topic here with my workaround; maybe someone will find it helpful.
