S2S Ipsec IKEv2 troubles

2026-04-09 15:50:06 - last edited 2026-05-17 08:35:02
Model: ER7412-M2  
Hardware Version: V1
Firmware Version: 1.1.0

Good day everyone,

Maybe someone can shed some light on this, and maybe I am not the only one facing this problem.

Setup:

Site A:

LAN: 192.168.0.0/24

No-IP: dyndns1

Bridged modem connected to an ER7412-M2

Site B:

LAN: 192.168.0.1/24

No-IP: dyndns1

CG-NAT enabled modem

ER605 connected to port 1 of the CG-NAT enabled modem; its IP/device has been set as the DMZ host

I just need sites A and B to connect to each other, a very simple setup.

Both devices use DynDNS.

WireGuard worked without any hesitation (very difficult to configure, IMO).

But I know IPsec is simpler and easier to set up.

My problems:

1: If I use the auto configurator, the IPsec tunnels don't work; no data flows through the tunnel.

2: If I use manual mode and set up IKEv2 (which I want to use), with Site B as the initiator and Site A as the responder and everything else at defaults, it doesn't work. I get "Phase 1 could not be initiated", with the following error:

2.5G WAN/LAN1: Phase 1 of IKE negotiation failed. (Peers=WANIP Site B<->WANIP site A, Error=NO_PROPOSAL_CHOSEN[14])

3: If I go all manual and also all custom, using AES256, SHA256 and DH19, I get the same error.

When I open a terminal on the ER7412-M2 and run the command to get IKEv2 information, I see the following:

ike policy name: ike_stage1_0th
ike_version: ikev2
hash-enc-dh: sha256-aes256-modp2048
lifetime: 28800
dpd_enable: enable
dpd_interval: 10
exchange_mode: aggressive

The exchange mode is set to aggressive (nowhere in IKEv2 is there an option to change this).

4: I go all manual and use IKEv1: tadaaaa, everything works.

So, to people using Omada more than me (I was very used to UniFi and other solutions): are you using the gateways not connected/joined to an Omada controller, as standalone VPN gateways, and is this more beneficial, giving more granular control compared to when they are joined to the Omada controller?

Is it normal that even though I use all-manual mode the exchange mode is incorrect? And if so, am I only able to use IKEv1 mode due to this error?

Hope I am not the only one experiencing this type of error.

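Added example, not from any post in this thread and not Omada firmware code: NO_PROPOSAL_CHOSEN (notify type 14) is what an IKEv2 responder returns when none of the initiator's IKE_SA_INIT proposals matches its policy in every transform type (encryption, PRF, integrity, Diffie-Hellman group). Two details in the CLI dump quoted above matter when reading that log line: "modp2048" is IANA D-H group 14, not the DH19 (ecp256, group 19) selected in the UI, and "exchange_mode: aggressive" is an IKEv1 Phase 1 concept (Main/Aggressive) with no counterpart in IKEv2, so it is not something an IKEv2 negotiation can fail on. Whether the group mismatch is what actually went on the wire cannot be told from the thread. The Python below models the responder's selection step of RFC 7296 section 3.3 and runs it over the thread's two proposal strings; the alias table and the `hash-enc-dh` parser are assumptions about Omada's naming, and the sample inputs are constructed from the post.

```python
"""IKEv2 IKE_SA_INIT proposal matching (RFC 7296, section 3.3).

Added example for this thread; it is not Omada firmware code and not
code from any poster.  It models how a responder picks a crypto suite
from the initiator's proposals, and shows the shape of mismatch that makes
the responder answer with the NO_PROPOSAL_CHOSEN notify (type 14) seen in
the log lines above.  The alias table maps the spellings used in the
Omada CLI dump ("sha256-aes256-modp2048") and UI ("DH19") to standard
names and IANA D-H group numbers; that the firmware puts exactly these
transforms on the wire is an assumption, not something the thread shows.
"""
from typing import Dict, FrozenSet, List, Optional, Sequence

# alias -> (transform type, canonical value).  "HASH" expands to PRF + INTEG.
ALIASES = {
    "aes128": ("ENCR", "AES_CBC_128"), "aes256": ("ENCR", "AES_CBC_256"),
    "aes128gcm": ("ENCR", "AES_GCM_16_128"), "aes256gcm": ("ENCR", "AES_GCM_16_256"),
    "sha1": ("HASH", "SHA1"), "sha256": ("HASH", "SHA2_256"),
    "sha384": ("HASH", "SHA2_384"), "sha512": ("HASH", "SHA2_512"),
    "modp1024": ("DH", 2), "dh2": ("DH", 2),
    "modp2048": ("DH", 14), "dh14": ("DH", 14),
    "modp3072": ("DH", 15), "dh15": ("DH", 15),
    "modp4096": ("DH", 16), "dh16": ("DH", 16),
    "ecp256": ("DH", 19), "dh19": ("DH", 19),
    "ecp384": ("DH", 20), "dh20": ("DH", 20),
}
AEAD = {"AES_GCM_16_128", "AES_GCM_16_256"}

Proposal = Dict[str, FrozenSet]


def build_proposal(*tokens: str) -> Proposal:
    """Build an IKE SA proposal from tokens such as ("sha256", "aes256", "dh19").

    A hash token supplies both the PRF and the INTEG transform.  With an AEAD
    cipher the INTEG transform is dropped, as RFC 7296 section 3.3.3 requires.
    """
    prop: Dict[str, set] = {}
    for tok in tokens:
        key = tok.lower().replace("-", "").replace("_", "")
        if key not in ALIASES:
            raise ValueError(f"unknown transform {tok!r}")
        ttype, value = ALIASES[key]
        for t in (("PRF", "INTEG") if ttype == "HASH" else (ttype,)):
            prop.setdefault(t, set()).add(value)
    if prop.get("ENCR") and prop["ENCR"] <= AEAD:
        prop.pop("INTEG", None)
    return {t: frozenset(v) for t, v in prop.items()}


def parse_omada_policy(line: str) -> Proposal:
    """Parse the 'hash-enc-dh: sha256-aes256-modp2048' line of the CLI dump (assumed format)."""
    _, _, value = line.partition(":")
    return build_proposal(*value.strip().split("-"))


def choose_proposal(initiator: Sequence[Proposal], responder: Proposal) -> Optional[Dict[str, object]]:
    """Responder-side selection: first initiator proposal the local policy accepts.

    A proposal is acceptable only when it carries exactly the transform types
    the responder's policy has and, for each type, at least one common
    transform.  None means the responder would send NO_PROPOSAL_CHOSEN.
    """
    for prop in initiator:
        if set(prop) != set(responder):
            continue
        common = {t: prop[t] & responder[t] for t in responder}
        if all(common.values()):
            # Sets carry no preference order; take the lowest name deterministically.
            return {t: sorted(common[t], key=str)[0] for t in common}
    return None


def explain_mismatch(initiator: Proposal, responder: Proposal) -> List[str]:
    """Per-transform-type reasons one initiator proposal is rejected."""
    reasons = []
    for t in sorted(set(initiator) | set(responder)):
        i, r = initiator.get(t), responder.get(t)
        if i is None or r is None:
            reasons.append(f"{t}: missing on {'initiator' if i is None else 'responder'} side")
        elif not i & r:
            reasons.append(f"{t}: initiator offers {sorted(map(str, i))}, "
                           f"responder requires {sorted(map(str, r))}")
    return reasons


if __name__ == "__main__":
    # Constructed from the thread: responder policy as printed by the CLI,
    # initiator proposal as configured in the UI (AES256 / SHA256 / DH19).
    responder = parse_omada_policy("hash-enc-dh: sha256-aes256-modp2048")
    ui_proposal = build_proposal("sha256", "aes256", "DH19")
    if choose_proposal([ui_proposal], responder) is None:
        print("NO_PROPOSAL_CHOSEN:", "; ".join(explain_mismatch(ui_proposal, responder)))
    # Offering group 14 alongside group 19 lets the responder pick a suite.
    print(choose_proposal([ui_proposal, build_proposal("sha256", "aes256", "dh14")], responder))
```

Run it as-is to see the per-type rejection reason for the thread's UI proposal against the dumped policy, and with "dh14" added to the initiator's offer to see a suite chosen. The same exact-type-set rule applies to the Phase 2 (Child SA) proposal, where the PFS group takes the place of the D-H transform and the ESP integrity algorithm that of INTEG; when comparing two vendors' settings, map both sides to IANA names before comparing, since "DH14", "modp2048" and "group14" are one group spelled three ways.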
Re:S2S Ipsec IKEv2 troubles
2026-04-16 01:50:46

 

Hello, @cbrafu

Thank you for posting on our business forum.

Could you please confirm whether your gateways are currently managed in Controller mode or Standalone mode?

For IPsec configuration, the available settings and control granularity are nearly identical between Controller mode and Standalone mode, so you will get roughly the same level of control over IPsec in both management modes.

For reference on IKEv2 configuration, please refer to the following guides: How to connect to Omada Router using IKEv2 VPN of Android/iOS | TP-Link

How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone (With Troubleshooting Included) - Business Community
Re:S2S Ipsec IKEv2 troubles
2026-04-16 02:41:04

@Jeremy_12

Thank you for the replies. I am currently running both of these gateways in Controller mode.

They are both joined to the same Omada controller (OC300) in my network.

I have looked at both posts you sent me, but they actually don't touch on the configuration I am trying to create.

I am not looking to create a client-to-site VPN tunnel; rather, I am trying to establish a site-to-site VPN tunnel using IKEv2.

Both of the posts are focused on creating a site-to-client VPN for Android and/or smartphone configuration.

Re:S2S Ipsec IKEv2 troubles
2026-04-16 07:15:40 - last edited 2026-04-16 07:17:32

@cbrafu

Your local and remote subnets are the same, which won't work.

For IPsec to work, each side of the tunnel MUST have different IP ranges, otherwise the tunnel will fail.

In your case both are 192.168.0.0/24.

Change one side to something else like 192.168.100.0/24 (make sure to give yourself room for additional VLANs at both ends), and set the local and remote networks in the VPN settings appropriately (remember local is the one that exists on that gateway, so the host and connecting site will be different ways around).

Re:S2S Ipsec IKEv2 troubles
2026-04-17 00:07:39

@GRL

My bad, and sorry to cause confusion.

You are absolutely right; on the same subnet they will indeed not work.

They are on different subnets:

Site A is on 192.168.10.x

Site B is on 192.168.20.x

Re:S2S Ipsec IKEv2 troubles-Solution
2026-04-30 07:15:58 - last edited 2026-05-17 08:35:02

Hi, @cbrafu

Thank you very much for your reply.

If you are working on a Controller, please navigate to the path below: Controller > Site View > Network Config > VPN > Site to Site VPN. After selecting IPSec, please set the Mode to Manual, and you will find the option to select IKEv2 under the Advanced section.

You may follow the same configuration steps to complete the setup for the peer site on the other end.

Re:S2S Ipsec IKEv2 troubles
2 weeks ago - last edited 2 weeks ago

@Nathan-TP

Thank you for the replies, but I am still confronting the same problems. Sorry it took me so long to reply back; I had a lot on my plate at work.

The new remote site has a VDSL connection, using a very old modem (no bridging possible); therefore I have set my Omada ER605 as the DMZ host.

I have tried the following:

First I tested the easiest way to set up the IPsec tunnel, by just accepting auto mode and letting it do its work, and from the remote site this did not work. The problem is I don't know what Omada uses as defaults when auto configuration is chosen to set up a VPN tunnel.

From the remote site I could choose my main site and the tunnel was created, but no traffic was passing through.

Next I started to use IKEv2 in every way possible I could think of.

Main site: Responder mode

Branch site: Initiator mode

And vice versa, with no success whatsoever.

It keeps failing and saying on both sides: 2.5G WAN/LAN1: Phase 1 of IKE negotiation failed. (Peers=IP Address <->IP Address, Error=NO_PROPOSAL_CHOSEN[14])

Still using No-IP DynDNS due to not having a static public IP address on both sides.

The only way I got this working is by switching from IKEv2 to IKEv1 with the identical Phase 1 proposal set to SHA256, AES256 and DH19, SA lifetime set to the default, and the Phase 2 proposal set to ESP SHA256 AES256 with PFS set to DH15. Exchange mode set to Main Mode. It worked immediately, without any extra changes, with the same encryption type and method, and even without having to DMZ the Omada ER605 at the new remote site.

I even thought that the SDN was the problem, therefore I removed the ER605 from the Omada controller and made it a standalone device.

The same errors, but also the same success when switched from IKEv2 to IKEv1.

The only thing I have left to try is using the device at a different remote site with a bridged network, and if this doesn't work then I am pinning it on device incompatibility.

The ER7412-M2 v1.0 on firmware 1.1.0 Build 20251015 Rel.63594 with an ER605 on the latest firmware can't communicate with each other using IKEv2, but only on IKEv1.

I barely have any FW rules created; I do have IDS+IPS enabled on my GW. So if someone can elaborate or shed some light on this, it would be very helpful.
