[SOLVED] Firmware bug + OpenVPN issue with site to site

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

[SOLVED] Firmware bug + OpenVPN issue with site to site

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
[SOLVED] Firmware bug + OpenVPN issue with site to site
[SOLVED] Firmware bug + OpenVPN issue with site to site
2023-05-17 17:36:18 - last edited 2023-08-14 10:15:29
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.3

Hi all!

 

I come back to communauty and support!

 

My config:

I have 2 ER7206 (same model)

LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206]  <-> LAN2

Site A is an entry point for users with OpenVPN and admin (PPTP for my old Win7 or L2TP for W10 access)

Users connect to site using OpenVPN client (Win or Android) and can access the whole network (LAN1 and LAN2).

 

I had to update client conf in order to add route for LAN2 (the default client file is not enough)

=> On previous firmware, everything is OK

 

I have upgraded the firmware today from ER7206(UN)_V1_1.2.0 Build 20220117 to ER7206(UN)_V1_1.2.3 Build 20221104 and finally to ER7206(UN)_V1_1.3.0 Build 20230322

 

The good think of this firmware is that the bandwith between LAN1 and LAN2 has been improved : On a fiber link 1G/500M, I have measured a badnwith of 200Mbits and a good latency (<5ms) between the 2 sites (they are in the same city)

 

I have encoutered the same bugs with the 2 last firmwares!

 

How to reproduce bug 1?

- Site A or B: setup a L2TP access and enable it

- setup a site-to-site using IPSec between Site A and Site B (what ever the IP)

=> Log: WAN: Phase 2 of IKE negotiation failed Error=18

- disbale L2TP access and site-to-site is established within the minute. You can enable it after, connection is not broken. But in case of power outage, we can let others VPN enabled. It is not good.

Another user encountered the same See here

=> It was working with the previous firmware. I think it is a bug.

 

 

How to reproduce bug 2?

The second issue is related to OpenVPN a kind of the last issue See here

- setup a site-to-site using IPSec between Site A and Site B (what ever the IP)

- setup an OpenVPN access on Site A

- connect remotely using OpenVPN to Site A: try to ping GW @ Site B : nothing!

The ping is OK if connected by PPTP or L2TP

 

With the previous firmware, OpenVPN client need to have a additionnal route to access the other part of network, ie remote network.

For my case:

LAN1

But with the 2 last firmware, the OpenVPN client see only the local network attached to the access point, not the remote

 

                      OpenVPN client connection

                                     |

LAN1 <-> Main site A [ER7206] <- internet -> remote site B [ER7206]  <-> LAN2

 

=> Client see LAN1 but not LAN2

A trace route shows that no answer is given by Site A (despite a dedicated route is set: I have set manually the route in order to validate) and route is sent to internet from client

 

Normally, OpenVPN client must be considered as connected on LAN1 and naturally see all the subnets (local, local routed or remote)

 

I tried using :

- IP in LAN1 subnet

- IP in classical 10.8.0.0/24

- other subnets

=> Always the same result: LAN1 is reachable, LAN2 is not reachable whatever the OpenVPN client Win / Android

=> The issue is in the new firmware!

 

Does anyone see the same?

Or do I miss something? And what?

If I can access directly to the routeur by CLI, doc is welcome !

 

Thanks for reading.

 

 

 

 

  0      
  0      
#1
Options
1 Accepted Solution
[SOLVED] Re:Firmware bug + OpenVPN issue with site to site-Solution
2023-08-14 10:14:14 - last edited 2023-08-15 01:11:57

Hi Team!

 

After an 1 hour debugging session, Parker found the issue!

 

Wen enabling L2TP + IPsec, IP sec was unable to synchronize ans establish site to site tunnel. The issue can be avoided by :

- setiing 1 site in responder mode (instead of having both in initiator, but it was working before)

- indentificating sites by a name (choose what you want site1, site2...) instead of IP on both routers

And just restart!

 

The documentation (1910012780_TL-R605&TL-ER7206(UN)1.0_UG.pdf) did not tell that but it is based on a former release. (p143-144). So, just set these settings and everything will be OK

 

Many thanks to the support team: kindness, availability and competence!

 

Regards

 

 

 

 

Recommended Solution
  1  
  1  
#12
Options
17 Reply
Re:Firmware bug + OpenVPN issue with site to site
2023-05-18 09:44:09

Hello @Didier31,

 

Thank you so much for taking the time to post the issue on TP-Link community!

 

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID230529714, please check your email box and ensure the support email is well received. Thanks!

Once the issue is addressed or resolved, welcome to update this topic thread with your solution to help others who may encounter the same issue as you did.

 

Many thanks for your great cooperation and patience!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-05-19 14:59:47

Hi Team,

 

Thanks for your attention!

 

Today, I notice something weird/new/strange. It is not a bug, but only an help for others users.

 

I set up a new VPN using L2TP on site B. Site A has already its L2TP VPN for administration purpose. It is working fine.

 

On site B, the new L2TP ask me :

  •  WA?
  •  Authentication type,
  •  Encryption,
  •  pre shared key
  • And new settings:Local network type with 2 exclusives choices
    • Network : then we have to select LANs (declared in LAN section): In this case, we can choose one or serveral declared LAN. In this case, remote lan is not reachable
    • Custom IP: then we can input manually several subnets. In this case, we can reach all desired networks.
  • Status

 

Until this change using custom IP, I was unable to reach Site A (remote site).Then it works fine

 

But in Site A, the existing L2TP VPN has no this settings, but is working fine, but we don't know the settings. It is strange. When you update the VPN, then it is mandatory the set the previous settings.

 

It is not a bug, just strange. I think a default choice is missing which is "all networks" (all locals and remote)

 

Thanks!

  0  
  0  
#3
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-05-26 07:03:56

Hello  @Didier31

 

Hope you are doing well.

Have you ever received the support email whose case ID is TKID230529714?

Or was your concern resolved on your own finally?

 

We are looking forward to hearing from you again.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#4
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-05-29 10:07:37

Hi Team,

 

I received feedback from the support team and I have tested the beta firmware. Thanks a lot!

@Hank21 : We are installing it today because it is an off day in France!

 

OpenVPN bug:

First I have installed firmware on 1 site only and test OpenVPN connection: it is OK. We see all the network.

Second I have installed firmware on the 2 sites and test OpenVPN connection: it is OK. We see all the network.

 

Just for others: the configured LAN in OpenVPN must include all the LAN you want to access. 

Example:

LAN 1 : 192.168.10.0/24

LAN 2 : 192.168.11.0/24

OpenVPN LAN : 192.168.10.0/23

OpenVPN client remotely connected to LAN1 see LAN2 and vice versa.

 

For me it is OK.

 

IP sec site-to-site with L2TP active:

This correspond to the case with a site-to-site connection using IP sec.

It you enable L2TP while you are starting IP sec VPN, you get 

WAN: Phase 1 of IKE negotiation failed. (Peers=192.168.x.y<->x.y.z.t, Error=14)

WAN: Phase 2 of IKE negotiation failed. (Peers=192.168.x.y<->x.y.z.t Error=14)

WAN: Phase 2 of IKE negotiation failed. (Peers=192.168.x.y<->x.y.z.t, Error=18)

(several times

 

This issue is repeatable at will:

- enable L2TP on both sites

- disable/enable IPsec site-to-site

- see error in log

- then disable L2TP on both site

=> IPsec will succeed !

 

On some cases, disabling L2TP on 1 site only allow to synchronize and start site-to-site connection. Not clear.

But when disabling L2TP on both site, synchronization is OK at next try.  

 

This issue is not blocking as the OpenVPN.

 

Thank you for supporting me!

 

Waiting for the next correction.

 

Thanks for your reactivity and support. I think the community will  appreciate!

 

Regards.

  0  
  0  
#5
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-06-02 09:59:17 - last edited 2023-08-15 01:12:07

Hi All,

 

The 1.3.1 Beta firmware has been released to fix it, please follow the post link below for details.

ER7206 V1_1.3.1_Build 20230525 Beta Firmware For Trial (Released on May 30th, 2023)

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#6
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-06-04 11:29:01

Hi Team!

 

We just test new firmware ER7206v1_un_1.3.1_20230525(Beta).bin

 

But after upgrading to the new firmware, which is longer that usual, the first connections are unsuccessful. 

We have to wait some very long minutes to connect after logging page is displayed. Is the routeur not still ready ? 

 

But after this extra wait, routeur is answering as expected.

 

My tests:

- OpenVPN client to site-to-site : everything is OK. OpenVPN client can access all configured networks

- IPsec site-to-site connection is OK even PPTP VPN is enabled or disabled on 1 or both sites

- IPsec site-to-site connection is OK when L2TP is disabled on both sites

- IPsec site-to-site connection is KO when L2TP is enabled  on both sites

The errors are on 1 site

WAN: Phase 2 of IKE negotiation failed. (Peers=peerIP<->x.y.z.t, Error=18)

WAN: Phase 2 of IKE negotiation failed. (Peers=peerIP <->x.y.z.t, Error=14)

 

The errors are on other site

WAN: Phase 2 of IKE negotiation failed. (Peers=peerIP <->x.y.z.t, Error=14)

=> Not the same behaviour on both sites!

 

If you enable L2TP when IPsec is trying to connect, connection is impossible

You have to disable/enable IP sec on both sites and then IP sec connection is successfull.

 

The only working configurations are:

- L2TP disabled on both sites

- L2TP is enabled on 1 site only. IP sec connection is successfull after some tries, never at the first try. I remark some disconnection in IP sec. The connection is not stable.


=> Rollback to previous version

Same behaviour but connection is stable:

Site A L2TP enabled

Site B L2TP enabled => disable L2TP and restart IP Sec on site A (yes A): connection is successfull very quickly

 

I disable all L2TP for stability reason and come back to last firmware

 

Sorry for results!

 

Remark:

In log we still have when connecting from VPN client (whate ever the client OpenVPN, L2TP...)

169.254.11.22 logged into the web interface successfully.

But the IP is wrong

 

I hope to ear from you soon!

Thanks!

 

 

 

 

  0  
  0  
#7
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-08-04 20:08:54

  Hi Team,

 

No news since 2 months. New release soon?

 

Can you give some news?

 

Regards

  0  
  0  
#8
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-08-09 02:13:36

Hello @Didier31

 

Our support has received your email and the engineer Parker Hu has been trying to contact you via your registration email several times but failed with the message to it couldn't be delivered. We are not sure what happened, could you please check your firewall settings of your email, or provide another valid email address(By Messages) so that our engineer can continue to follow up with your case? Or you can just use another valid email address to contact us via TKID230529714.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#9
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-08-09 10:04:13

Hi   @Hank21 

 

Strange.

My mail is available. I have receive the notification !

 

So, some news?

(resend me mail if possible).

Regards

  0  
  0  
#10
Options
Re:Firmware bug + OpenVPN issue with site to site
2023-08-10 05:37:39

Hello @Didier31,

 

Our senior engineer has received your feedback on the issue via email, they will continue to follow up with your case.

If you have any additional information, please feel free to reply to the support email whose case ID is TKID230529714.

Many thanks for your cooperation and patience!

 

Thank you for your valued update on the case.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#11
Options

Information

Helpful: 0

Views: 1905

Replies: 17

Related Articles