What should I do if my IPsec VPN connection fails?

TL-ER7206 , TL-R605 , Festa FR365 , ER707-M2 , ER7412-M2 , G36 , ER706W-4G , ER7406 , Festa FR205 , G611 , G36W-4G , ER7206 , ER8411 , ER605 , ER706W , ER7212PC
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
This article provides detailed troubleshooting steps for IPsec VPN connection issues.
Follow the troubleshooting steps based on your IPsec VPN mode.
- Omada/Omada pro/Festa Gateway
Internet Protocol Security (IPsec) is a suite of protocols and services that provide security for IP networks. It is a widely used virtual private network (VPN) technology.
IPsec VPN requires remote users to install a dedicated VPN client or to deploy a VPN gateway at their site. User access is enforced by the client or gateway through user authentication rules, security policy rules, or content security filtering.
Site-to-Site IPsec VPN
Step 1. Make sure the WAN IP addresses of both Site Gateways can ping each other.
Step 2. Log in to Controller, go to Settings > Network Security > Attack Defense, disable Block ping from WAN.
Step 3. On the PC connected to Gateway 1, ping the WAN IP of Gateway 2.
Step 4. Check whether Gateway 1 has a public IP while Gateway 2 is behind a NAT device.
If so, fill in the Remote Gateway of Gateway 1's IPsec settings with either 0.0.0.0 or the public IP of the NAT device in front of Gateway 2. Set the Negotiation Mode of Gateway 1 to Responder and that of Gateway 2 to Initiator, and use NAME as the identity.
Note: The NAME mode in Local ID Type and Remote ID Type may have different names in different vendor devices, such as FQDN.
Step 5. Check whether both Gateway 1 and Gateway 2 are behind NAT devices.
If so, configure NAT forwarding rules (UDP 500 and 4500) on the NAT device in front of Gateway 1. The other settings are the same as in the previous step.
Step 6. Check if the basic configurations of the two Site Gateways are matched: Remote Gateway, Local Subnet, Remote Subnet, Pre-shared Key, and WAN interface.
Step 7. Check if the Phase-1 configurations of the two Site Gateways are matched: IKE Version, Proposal, Exchange Mode, Local ID, and Remote ID. If there is a NAT device between the two Gateways, use NAME mode as the identity.
Step 8. Check if the Phase-2 configurations of the two Site Gateways are matched: Encapsulation Mode, Proposal, and Perfect Forward Secrecy (PFS). By default, ESP protocol is used because AH cannot pass through NAT.
Step 9. Check if Auto IPsec is being used. Auto IPsec may not establish a connection in Controller mode. It is recommended to use Manual IPsec.
Step 10. Confirm if the ISP allows IPsec-related traffic (UDP 500, 4500) to pass through.
Step 11. Check whether either Gateway has ACL rules that block IPsec-related traffic (UDP 500, 4500).
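Steps 4 to 8 are a set of pairwise consistency checks between the two Site Gateways. As an added example that is not part of the TP-Link article, the Python below expresses those checks over two constructed gateway configurations and reports every mismatch; all field names and the sample values are assumptions.

```python
# Added example, not TP-Link code: compare the IPsec settings of two site gateways
# as Steps 4-8 describe and report every mismatch. All field names are assumptions.
def check_site_to_site(gw1, gw2):
    """Return mismatch descriptions; an empty list means the two sites agree."""
    findings = []
    nat_present = gw1["behind_nat"] or gw2["behind_nat"]
    # Step 6: subnets must cross over and the pre-shared key must be identical.
    if gw1["remote_subnet"] != gw2["local_subnet"] or gw2["remote_subnet"] != gw1["local_subnet"]:
        findings.append("basic: local/remote subnets do not cross-match")
    if gw1["psk"] != gw2["psk"]:
        findings.append("basic: pre-shared keys differ")
    # Step 4: a peer behind NAT is addressed as 0.0.0.0 or by its NAT device's public IP.
    for a, b in ((gw1, gw2), (gw2, gw1)):
        allowed = {"0.0.0.0", b["nat_public_ip"] if b["behind_nat"] else b["wan_ip"]}
        if a["remote_gateway"] not in allowed:
            findings.append(f"basic: {a['name']} Remote Gateway must be one of {sorted(allowed)}")
    # Step 7: phase 1 must match, IDs cross over, and NAT in the path needs NAME IDs.
    for key in ("ike_version", "p1_proposal", "exchange_mode"):
        if gw1[key] != gw2[key]:
            findings.append(f"phase-1: {key} {gw1[key]} vs {gw2[key]}")
    if gw1["local_id"] != gw2["remote_id"] or gw2["local_id"] != gw1["remote_id"]:
        findings.append("phase-1: local/remote IDs do not cross-match")
    if nat_present and (gw1["id_type"] != "NAME" or gw2["id_type"] != "NAME"):
        findings.append("phase-1: NAT in path but ID type is not NAME")
    if gw2["behind_nat"] and not gw1["behind_nat"] and (
            gw1["negotiation"] != "responder" or gw2["negotiation"] != "initiator"):
        findings.append("phase-1: public gateway must be responder, NATed gateway initiator")
    # Step 8: phase 2 must match; AH cannot traverse NAT, so ESP is required there.
    for key in ("encapsulation", "p2_proposal", "pfs"):
        if gw1[key] != gw2[key]:
            findings.append(f"phase-2: {key} {gw1[key]} vs {gw2[key]}")
    if nat_present and "AH" in (gw1["protocol"], gw2["protocol"]):
        findings.append("phase-2: AH selected but NAT is in the path; use ESP")
    return findings

# Constructed sample: Gateway 1 has a public IP, Gateway 2 sits behind a NAT device.
GW1 = dict(name="Gateway 1", wan_ip="203.0.113.10", behind_nat=False, nat_public_ip=None,
           remote_gateway="0.0.0.0", local_subnet="192.168.0.0/24", remote_subnet="192.168.1.0/24",
           psk="example-psk", ike_version="IKEv1", p1_proposal="sha256-aes256-dh14",
           exchange_mode="main", local_id="site1", remote_id="site2", id_type="NAME",
           negotiation="responder", encapsulation="tunnel", p2_proposal="sha256-aes256-dh14",
           pfs="dh14", protocol="ESP")
GW2 = dict(GW1, name="Gateway 2", wan_ip="10.0.0.2", behind_nat=True, nat_public_ip="198.51.100.7",
           remote_gateway="203.0.113.10", local_subnet="192.168.1.0/24",
           remote_subnet="192.168.0.0/24", local_id="site2", remote_id="site1",
           negotiation="initiator", id_type="IP Address", protocol="AH")
if __name__ == "__main__":
    for finding in check_site_to_site(GW1, GW2):
        print("MISMATCH:", finding)
```

The sample deliberately leaves Gateway 2 on IP Address identities and AH, so the run reports exactly the two NAT-related mismatches from Steps 7 and 8.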
Client-to-Site IPsec VPN
Step 1. Make sure the client device can ping the Gateway's WAN IP.
In Controller web, go to Settings > Network Security > Attack Defense, disable Block ping from WAN, then ping the Gateway’s WAN IP on the client device.
Step 2. Log in to Controller, go to Settings > Network Security > Attack Defense, disable Block ping from WAN.
Step 3. Confirm the client device model.
- If the client device runs iOS, NAT devices in front of the Gateway are supported. Set both Local ID Type and Remote ID Type to NAME mode.
- If the client device is a Samsung device, NAT devices in front of the Gateway are supported. Leave both Local ID Type and Remote ID Type in the default IP Address mode.
- If the client device is an Android device (other than Samsung), there must be no NAT device in front of the Gateway. Set Local ID Type to IP Address mode and Remote ID Type to NAME mode.
Step 4. Confirm your Gateway configuration.
- Basic configuration: Fill in the Remote Host with either 0.0.0.0 or the public IP of the NAT device in front of the client device.
- Phase-1 configuration: Ensure the IKE Version matches the client. Proposal can be set to sha256-aes256-dh14. Select Responder Mode for Negotiation Mode. Configure Local ID Type and Remote ID Type according to the client device model in Step 3.
- Phase-2 configuration: Proposal can be set to sha256-aes256-dh14.
Step 5. Verify if the proposal matches.
Enable port mirroring for packet capture and capture the traffic packets of the WAN interface associated with the IPsec entry.
Use Wireshark to filter the ISAKMP packets. If the first ISAKMP packet the Gateway replies with contains the payload Notify (41) - NOPROPOSALCHOSEN, the proposals do not match, as shown in the figure below.
The first ISAKMP packet initiated by the client contains all security proposals. You can set the Gateway's proposal to include the options specified in the packet.
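Step 5 reads the Gateway's first ISAKMP reply in Wireshark (display filter `isakmp`). As an added example that is not part of the TP-Link article, the Python below decodes such an IKEv2 datagram (payload type 41 is the IKEv2 Notify payload) and reports whether the Gateway answered NO_PROPOSAL_CHOSEN; the packet bytes are constructed inline, and the helper and constant names are assumptions.

```python
# Added example, not TP-Link code: decode the Gateway's first IKEv2 (ISAKMP, UDP 500/4500)
# reply and report whether it rejected every proposal the client offered.
import struct

NOTIFY_PAYLOAD = 41      # IKEv2 payload type "Notify" (RFC 7296)
NO_PROPOSAL_CHOSEN = 14  # IKEv2 notify message type (RFC 7296)
SA_INIT = 34             # IKE_SA_INIT exchange type
NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN", 7: "INVALID_SYNTAX", 16388: "NAT_DETECTION_SOURCE_IP"}

def ike_payloads(data):
    """Yield (payload_type, body) for each payload chained behind the 28-byte IKE header."""
    _spi_i, _spi_r, next_pl, _ver, _exch, _flags, _msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if len(data) != length:
        raise ValueError("IKE header length does not match datagram size")
    off = 28
    while next_pl != 0:
        this_pl = next_pl
        next_pl, _crit, pl_len = struct.unpack("!BBH", data[off:off + 4])  # generic payload header
        if pl_len < 4 or off + pl_len > len(data):
            raise ValueError("malformed payload length")
        yield this_pl, data[off + 4:off + pl_len]
        off += pl_len

def diagnose_response(data):
    """Return the names of all Notify payloads the responder sent, in order."""
    notices = []
    for pl_type, body in ike_payloads(data):
        if pl_type == NOTIFY_PAYLOAD:
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            notices.append(NOTIFY_NAMES.get(ntype, f"notify-{ntype}"))
    return notices

def proposals_rejected(data):
    """True when the Gateway's reply carries NO_PROPOSAL_CHOSEN (Step 5's mismatch case)."""
    return "NO_PROPOSAL_CHOSEN" in diagnose_response(data)

def build_sample(notify_type):
    """Constructed IKE_SA_INIT response (flags 0x20 = Response) carrying one Notify payload."""
    notify = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, notify_type)  # next=0, len=8, proto=0, spi=0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, NOTIFY_PAYLOAD,
                      0x20, SA_INIT, 0x20, 0, 28 + len(notify))
    return hdr + notify

if __name__ == "__main__":
    print(diagnose_response(build_sample(NO_PROPOSAL_CHOSEN)))  # ['NO_PROPOSAL_CHOSEN']
```

On a real capture, export the UDP payload of the Gateway's first reply as raw bytes and pass it to `proposals_rejected`; a True result means the Gateway's proposal must be changed to include one of the options listed in the client's first packet.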
If the issue of IPsec VPN is still not resolved with the above steps, please contact TP-Link via hotline or email for support.
To learn more about each function and configuration, go to the Download Center and download the manual for your product.