Site To Site Auto or Manual IPSec not working

2024-05-23 16:48:39 - last edited 2024-05-24 00:59:49
Tags: #VPN

I have 1 ER7206 router. We are connecting 2 branch offices by VPN with very fast/high bandwidth connections at each.

Each branch office will connect to 1 main ER7206.

Each router is connected to the internet, both routers being BT Smarthub 2, and provides connections to the LAN normally.

We are using the Omada hardware controller linked to the ER7206 and linked to the Omada Cloud.

The routers are also connected, adopted and configured with the following subnets.

Main Branch   192.168.1.0/24

Remote site    192.168.3.0/24

 

 

We created an Auto IPsec connection for "Remote Site" using the Omada interface and checked that the connection was auto-created on both ends. No VPN tunnels are listed as active in the Omada > Insight > VPN Status menu, even after we rebooted both routers.

We deleted the Auto IPsec entry and created a "Manual IPsec" VPN tunnel.

We specified the remote gateways for both ends using the public IP, as we have one static and one dynamic on each end.

The manual IPsec tunnel used the following settings for each end:

Site to site VPN
Manual IPsec
Status - Enable
Remote Gateway - Public IP
Remote Subnet - The subnet of each end, i.e. 192.168.0.1/24 - 192.168.3.0/24
Local Networks: all
Preshared Key: Same key on both ends.
WAN - WAN

Phase 1
Key Exchange Version - Have tried both IKEv1 and IKEv2
Proposal - SHA1-DES-DH5 on both
Negotiation Mode - Initiator on both
Negotiation Mode - When using IKEv1 we tried both Main and Aggressive on both
Local ID - Name: Each has a unique ID, or tried IP Address
Remote ID - Name - Other end's ID that matches the Local ID, or set to IP Address
SA Lifetime - 28800
DPD - Enable
DPD Interval - 10

Phase 2
Encapsulation Mode - Tunnel
Proposal - ESP-SHA1-AES256
PFS - None
SA Lifetime - 28800

Not sure why it is not working, but would love some advice on this. Also rebooted the 2 routers with no success.

#1
Re:Site To Site Auto or Manual IPSec not working
2024-05-23 17:43:34 - last edited 2024-05-24 00:59:29

@Stariaa

Setting up site to site VPN on a TP-Link router is quite simple. Do you have a public IP right on the router WAN interface, or is the router behind another router and has a private IP on the WAN interface?

If you have a public IP on the TP-Link router's WAN interface, it should work.

I have never gotten Auto IPsec to work, so I always use manual IPsec configuration.

#2
Re:Site To Site Auto or Manual IPSec not working
2024-05-23 17:48:20 - last edited 2024-05-24 00:59:30

  @Stariaa 

Here is an example of one of my VPN tunnels; use the same settings on both routers.

#3
Re:Site To Site Auto or Manual IPSec not working
2024-05-23 21:35:31 - last edited 2024-05-24 00:59:30

@MR.S Hi

The Remote site shows a public IP on the WAN when I check via the Omada controller, but the Main site doesn't show it. BT Router -> TP-Link router.

I use port forwarding on the BT router for the following ports: 4500, 500 UDP, and I set up a NAT on the managed router in Omada to point to the Omada controller for the main site.

#4
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 01:38:33

Hi @Stariaa 

Thanks for posting in our business forum.

Stariaa wrote

@MR.S Hi

The Remote site shows a public IP on the WAN when I check via the Omada controller, but the Main site doesn't show it. BT Router -> TP-Link router.

I use port forwarding on the BT router for the following ports: 4500, 500 UDP, and I set up a NAT on the managed router in Omada to point to the Omada controller for the main site.

Is your BT router getting a public IP? Port forwarding is correct, but this still requires your BT router's WAN to be a public IP.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#5
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 07:06:36

@Stariaa

You should be able to set up site to site VPN with only one public IP, but then you must use a local ID on the site that does not have a public IP.

Try setting up on the site without a fixed IP on WAN:
negotiation mode: initiator
local id type: name, site-a

On the site with the fixed WAN IP:
negotiation mode: responder
remote id type: name, site-a

 

#6
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 08:14:25

Clive_A wrote

Hi @Stariaa

Thanks for posting in our business forum.

Stariaa wrote

@MR.S Hi

The Remote site shows a public IP on the WAN when I check via the Omada controller, but the Main site doesn't show it. BT Router -> TP-Link router.

I use port forwarding on the BT router for the following ports: 4500, 500 UDP, and I set up a NAT on the managed router in Omada to point to the Omada controller for the main site.

Is your BT router getting a public IP? Port forwarding is correct, but this still requires your BT router's WAN to be a public IP.

@Clive_A Hi

My BT router is getting a public IP; the one on the Main site displays the public IP when I check it. Both BT routers get it; however, for some reason, in the TP-Link WAN only the Remote site displays the public IP from the BT router, but on the Main site it doesn't.

I have configured the port forwarding on both BT routers and TP-Links via the NAT to be sure.

#7
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 08:31:57

@MR.S Hi

Did the configuration on both sites and made it the same as yours.

This image is from the remote site:

This is the main site:

Still doesn't get a ping from each other's subnet. I have a VM on the remote site to test pinging the main site, but nothing is getting through, attempting to ping each other's default gateways.

#8
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 08:57:07

@Stariaa

Proposal is not the same.

And local ID on one site, same name on remote ID on the other site.

You can't use local ID on both sites.

In short, local ID on site with no public IP, and remote ID on site with public IP.

#9
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 09:21:25

Hi @Stariaa 

Thanks for posting in our business forum.

Stariaa wrote

@MR.S Hi

Did the configuration on both sites and made it the same as yours.

This image is from the remote site:

This is the main site:

Still doesn't get a ping from each other's subnet. I have a VM on the remote site to test pinging the main site, but nothing is getting through, attempting to ping each other's default gateways.

Misconfiguration. If you have two sites, the local and remote ID should be configured differently. As for A, A's local ID means B's remote ID. Probably you should pay attention to the minor steps when you walk through the configuration guide.

MR.S is correct in the above reply.

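Added example, not from the thread or from TP-Link: a small Python check that compares the two ends of a manual IPsec tunnel for the mismatches MR.S and Clive_A describe above (proposals, crossed local/remote IDs and subnets, and initiator/responder roles when only one side has a static WAN IP). The config field names and the sample values are constructed for this example, not the router's real config format.

```python
# Added example (not from the thread or TP-Link): cross-checks the two ends of
# a manual IPsec site-to-site tunnel for the mismatches MR.S and Clive_A name
# above. Field names and the sample configs below are constructed for this demo.
LEGACY_ALGOS = {"DES", "3DES", "MD5"}  # accepted by many routers, but worth replacing

def check_pair(a, b):
    """Return sorted 'mismatch:'/'warning:' findings for configs a and b."""
    found = set()
    for key in ("ike_version", "phase1_proposal", "phase2_proposal", "psk"):
        if a[key] != b[key]:
            found.add(f"mismatch: {key} differs ({a[key]!r} vs {b[key]!r})")
    for x, y in ((a, b), (b, a)):
        # Identities and subnets must cross: x's local is y's remote.
        if x["local_id"] != y["remote_id"]:
            found.add(f"mismatch: {x['name']} local ID {x['local_id']!r} "
                      f"is not {y['name']} remote ID {y['remote_id']!r}")
        if x["local_subnet"] != y["remote_subnet"]:
            found.add(f"mismatch: {x['name']} local subnet {x['local_subnet']} "
                      f"is not {y['name']} remote subnet {y['remote_subnet']}")
        # With one dynamic WAN, that side initiates and the static side responds.
        if not x["static_wan"] and y["static_wan"] and (
                x["mode"] != "initiator" or y["mode"] != "responder"):
            found.add(f"mismatch: {x['name']} has a dynamic WAN IP, so it must be "
                      f"initiator and {y['name']} responder")
        for algo in f"{x['phase1_proposal']}-{x['phase2_proposal']}".split("-"):
            if algo in LEGACY_ALGOS:
                found.add(f"warning: {x['name']} proposal uses legacy {algo}")
    return sorted(found)

# Constructed sample close to the thread: both ends initiator, Phase 1
# SHA1-DES-DH5, and a Phase 2 proposal that does not match on the main site.
REMOTE = {"name": "remote", "static_wan": False, "mode": "initiator",
          "ike_version": "IKEv2", "psk": "example-psk-only",
          "phase1_proposal": "SHA1-DES-DH5", "phase2_proposal": "ESP-SHA1-AES256",
          "local_id": "site-b", "remote_id": "site-a",
          "local_subnet": "192.168.3.0/24", "remote_subnet": "192.168.1.0/24"}
MAIN = {"name": "main", "static_wan": True, "mode": "initiator",
        "ike_version": "IKEv2", "psk": "example-psk-only",
        "phase1_proposal": "SHA1-DES-DH5", "phase2_proposal": "ESP-SHA1-AES128",
        "local_id": "site-a", "remote_id": "site-b",
        "local_subnet": "192.168.1.0/24", "remote_subnet": "192.168.3.0/24"}

def corrected_main():
    """MAIN with the static side set to respond and Phase 2 aligned with REMOTE."""
    return {**MAIN, "mode": "responder", "phase2_proposal": REMOTE["phase2_proposal"]}

if __name__ == "__main__":
    for line in check_pair(REMOTE, MAIN):
        print(line)
```

Running it on the constructed pair reports the Phase 2 mismatch and the two-initiator problem, and after corrected_main() only the legacy DES warnings remain.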
#10
Re:Site To Site Auto or Manual IPSec not working
2024-05-24 09:29:43

@MR.S ok

This is on the remote site, where the TP-Link router displays the public IP:

This is the one on the main site, which doesn't display the public IP on the TP-Link router WAN:

I have also tried the usual Local ID & Remote ID pointing to each other, seen below:

Remote Site
Remote ID: site-a
Local ID: site-b

Main Site
Remote ID: site-b
Local ID: site-a

Still don't get a ping for some reason.

#11