Problem with IKEv2 for Site2Site VPN?

2023-11-08 02:24:34 - last edited 2023-11-16 00:48:35
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2 Build 20230210 Rel.62992

I'm having an issue with S2S VPN on this unit. I currently have this set up with a Meraki peer, via IKEv1.

The problem is on the Meraki device: with IKEv1 it doesn't support using an FQDN (I'm using NO-IP), and I often have to change this manually for it to keep working.

IKEv2 supports FQDN on the Meraki device.

So I've switched both sides to IKEv2 (and made NO OTHER changes) and the S2S VPN no longer connects. If I switch both sides back to IKEv1, we're back in business: the VPN connects as soon as I try to ping from the TP-Link to the Meraki device.

Is there a known issue here, or something additional that I need to change?

My setup is below.

Thanks

#1
1 Accepted Solution
Re:Problem with IKEv2 for Site2Site VPN?-Solution
2023-11-15 01:39:17 - last edited 2023-11-15 20:25:47

Hi @words 

Thanks for posting in our business forum.

Please set the PRF as the Authentication - SHA1. And give it another try. It is the configuration issue confirmed by the test team.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Beta firmware got some NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
Recommended Solution
#7
8 Reply
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-08 07:06:06

Hi @words 

Thanks for posting in our business forum.

I cannot rule out the possibility that this is a config issue if you don't paste the config of the other site.

I am not seeing problem notifications recently about the IKEv2.

#2
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-09 03:57:53

Oops, yes, I should have posted the Meraki side; here you are.

Basically, I'm not changing any of these, just changing from IKEv1 to IKEv2 on both sides. Once I do this the VPN tunnel no longer connects.

#3
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-09 09:02:40

Hi @words 

Thanks for posting in our business forum.

Port mirroring and Wireshark. Need to see the negotiation.

How to capture packets using Wireshark on SMB router or switch

How to Use Port Mirror to Capture Packets in the Controller

#4
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-10 14:32:04

@Clive_A the thing is, it doesn't even try to connect. I check the log on both sides when I switch to IKEv2 and nothing, no attempts made.

#5
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-13 01:14:43

Hi @words 

Thanks for posting in our business forum.

For real? Did you verify this by Wireshark? If I don't have any details from you, just a single line about it, you said it does not work, I don't really have a clue or suggestion for you.

I cannot send a single line to the dev and ask them in this way. This is not proper and wasting their time.

Fact should be, regardless of the compatibility or any other possible reasons, the IPsec should initiate anyway. Have you verified if it does not even send the very first IPsec packet?

#6
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-15 20:25:41

  @Clive_A thank you, this fixed the issue.

Is this an error in the particular firmware I'm using or in general?

#8
Re:Problem with IKEv2 for Site2Site VPN?
2023-11-16 00:47:43

Hi @words 

Thanks for posting in our business forum.

words wrote

  @Clive_A thank you, this fixed the issue.

Is this an error in the particular firmware I'm using or in general?

Omada shares the same concept in VPN configuration. So, it should be a generic problem with the Meraki. Not sure how the Meraki system works, but it seems the test team's Wireshark found out that Phase 1 did not get through. So, usually, it is a key exchange issue.

#9
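
An added example, not part of the thread or either vendor's code: IKEv2 (RFC 7296) negotiates the PRF as its own transform type, separate from the integrity algorithm, so a proposal can agree on encryption, integrity and DH group and still be rejected. The sketch decodes the transform list from an IKE_SA_INIT proposal, as it could be copied out of a Wireshark capture, and reports which transform types have no overlap with the local policy. The peer offer bytes and both local policies are constructed for illustration and are not the settings of the devices in this thread.

```python
import struct

# Transform types and IDs from RFC 7296 section 3.3.2 (subset).
TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NAMES = {
    (1, 12): "AES_CBC", (2, 2): "PRF_HMAC_SHA1", (2, 5): "PRF_HMAC_SHA2_256",
    (3, 2): "AUTH_HMAC_SHA1_96", (3, 12): "AUTH_HMAC_SHA2_256_128",
    (4, 2): "MODP_1024", (4, 14): "MODP_2048",
}

def transform(ttype, tid, keylen=None, last=False):
    """Encode one transform substructure (used to build the constructed sample)."""
    attr = struct.pack("!HH", 0x800E, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr

def parse_transforms(buf):
    """Decode a run of transform substructures into {type: set of names}."""
    offered, off = {}, 0
    while off < len(buf):
        more, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError("malformed transform at offset %d" % off)
        name = NAMES.get((ttype, tid), "id%d" % tid)
        if length >= 12:  # fixed-length attribute follows the 8-byte header
            atype, value = struct.unpack_from("!HH", buf, off + 8)
            if atype == 0x800E:  # Key Length (attribute type 14, TV format)
                name += "_%d" % value
        offered.setdefault(TYPES.get(ttype, "type%d" % ttype), set()).add(name)
        off += length
        if more == 0:  # 0 marks the last transform in the proposal
            break
    return offered

def mismatches(offered, local):
    """Transform types where the peer's offer and the local policy share nothing."""
    return sorted(t for t in set(offered) | set(local)
                  if not offered.get(t, set()) & local.get(t, set()))

# Constructed sample: transforms a peer might offer in IKE_SA_INIT.
PEER_OFFER = (transform(1, 12, 256) + transform(2, 2) + transform(3, 2)
              + transform(4, 14, last=True))
# Hypothetical local policies: identical except for the PRF selection.
LOCAL_BEFORE = {"ENCR": {"AES_CBC_256"}, "PRF": {"PRF_HMAC_SHA2_256"},
                "INTEG": {"AUTH_HMAC_SHA1_96"}, "DH": {"MODP_2048"}}
LOCAL_AFTER = dict(LOCAL_BEFORE, PRF={"PRF_HMAC_SHA1"})

if __name__ == "__main__":
    offer = parse_transforms(PEER_OFFER)
    print(mismatches(offer, LOCAL_BEFORE), mismatches(offer, LOCAL_AFTER))
```

A single non-empty entry in the result is enough for the responder to refuse the proposal, which is why comparing all four transform types on both peers is worth doing before looking elsewhere.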