What should I do if my IPsec VPN connection fails?

TL-ER7206 , TL-R605 , Festa FR365 , ER707-M2 , ER7412-M2 , G36 , ER706W-4G , ER7406 , Festa FR205 , G611 , G36W-4G , ER7206 , ER8411 , ER605 , ER706W , ER7212PC
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
Contents
This article provides detailed troubleshooting steps for IPsec VPN connection issues.
Follow the troubleshooting steps based on your IPsec VPN mode.
- Omada/Omada pro/Festa Gateway
Internet Protocol Security (IPsec) is a suite of protocols and services that provide security for IP networks. It is a widely used virtual private network (VPN) technology.
IPsec VPN requires remote users to install a dedicated VPN client or deploy a VPN gateway at the site. User access is checked by the client or gateway in terms of user authentication rules, security policy rules, or content security filtering.
Step 1. Make sure the WAN IP addresses of both Site Gateways can ping each other.
Step 2. Log in to the Controller, go to Settings > Network Security > Attack Defense, and disable Block ping from WAN.
Step 3. On the PC connected to Gateway 1, ping the WAN IP of Gateway 2.
Step 4. Check whether Gateway 1 has a public IP while Gateway 2 is behind a NAT device.
If so, fill in the Remote Gateway of Gateway 1's IPsec settings with either 0.0.0.0 or the public IP of the NAT device in front of Gateway 2. Set the Negotiation Mode of Gateway 1 to responder and that of Gateway 2 to initiator, and use NAME as the identity.
Note: The NAME mode in Local ID Type and Remote ID Type may have different names in different vendor devices, such as FQDN.
Step 5. Check whether both Gateway 1 and Gateway 2 are behind NAT devices.
If so, configure port forwarding rules for UDP 500 and UDP 4500 on the NAT device in front of Gateway 1. The other settings are the same as in the previous step.
Step 6. Check if the basic configurations of the two Site Gateways are matched: Remote Gateway, Local Subnet, Remote Subnet, Pre-shared Key, and WAN interface.
Step 7. Check if the Phase-1 configurations of the two Site Gateways are matched: IKE Version, Proposal, Exchange Mode, Local ID, and Remote ID. If there is a NAT device between the two Gateways, use NAME mode as the identity.
Step 8. Check if the Phase-2 configurations of the two Site Gateways are matched: Encapsulation Mode, Proposal, and Perfect Forward Secrecy (PFS). By default, ESP protocol is used because AH cannot pass through NAT.
Step 9. Check if Auto IPsec is being used. Auto IPsec may not establish a connection in Controller mode. It is recommended to use Manual IPsec.
Step 10. Confirm if the ISP allows IPsec-related traffic (UDP 500, 4500) to pass through.
Step 11. Check whether either Gateway has ACL rules that block IPsec-related traffic.
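As an added example (not TP-Link's code), the following Python function applies the matching rules of Steps 4 to 8 to two gateways' IPsec entries and lists every mismatch it finds; the setting names, the sample addresses and the pre-shared key are assumptions chosen for illustration, not the Controller's own field names.

```python
# Added example (not TP-Link's code): cross-check two site gateways' IPsec entries
# the way Steps 4 to 8 describe. Setting names are assumptions, not the Controller's.
from typing import Dict, List

Site = Dict[str, object]  # one gateway's IPsec entry; public_ip is its WAN IP,
                          # or the public IP of the NAT device in front of it

def check_site_to_site(a: Site, b: Site) -> List[str]:
    """Return a description of every mismatch; an empty list means the pair is consistent."""
    issues: List[str] = []
    nat_in_path = bool(a.get("behind_nat") or b.get("behind_nat"))
    for x, y, name in ((a, b, "Gateway 1"), (b, a, "Gateway 2")):
        # Step 6: subnets and the Remote Gateway address must mirror the peer.
        if x["local_subnet"] != y["remote_subnet"]:
            issues.append(f"{name}: Local Subnet does not match the peer's Remote Subnet")
        if x["remote_gateway"] not in ("0.0.0.0", y["public_ip"]):
            issues.append(f"{name}: Remote Gateway is neither 0.0.0.0 nor the peer's public IP")
        # Step 7: identities cross over; one side's Local ID is the other's Remote ID.
        if (x["local_id_type"], x["local_id"]) != (y["remote_id_type"], y["remote_id"]):
            issues.append(f"{name}: Local ID does not match the peer's Remote ID")
    if a["psk"] != b["psk"]:
        issues.append("Pre-shared Keys differ")
    # Steps 7 and 8: Phase-1 and Phase-2 parameters must be identical on both sides.
    for key in ("ike_version", "phase1_proposal", "exchange_mode", "encapsulation",
                "phase2_protocol", "phase2_proposal", "pfs"):
        if a[key] != b[key]:
            issues.append(f"{key} differs: {a[key]!r} vs {b[key]!r}")
    if nat_in_path:
        # Step 4: one responder and one initiator, with NAME identities.
        if {a["negotiation_mode"], b["negotiation_mode"]} != {"initiator", "responder"}:
            issues.append("NAT in path: one side must be responder, the other initiator")
        if "NAME" not in (a["local_id_type"], b["local_id_type"]):
            issues.append("NAT in path: use NAME as the identity type")
        # Step 8: AH cannot traverse NAT, which is why ESP is the default.
        if "AH" in (a["phase2_protocol"], b["phase2_protocol"]):
            issues.append("NAT in path: AH cannot pass through NAT, use ESP")
    return issues

# Constructed sample pair: Gateway 2 is behind NAT, so Gateway 1 points at 0.0.0.0
# in responder mode; Gateway 2 was left on AH by mistake.
GW1: Site = dict(public_ip="203.0.113.10", remote_gateway="0.0.0.0", local_subnet="192.168.1.0/24",
                 remote_subnet="192.168.2.0/24", psk="example-psk", ike_version="IKEv2",
                 phase1_proposal="sha256-aes256-dh14", exchange_mode="main", negotiation_mode="responder",
                 local_id_type="NAME", local_id="site1", remote_id_type="NAME", remote_id="site2",
                 encapsulation="tunnel", phase2_protocol="ESP", phase2_proposal="sha256-aes256-dh14",
                 pfs="dh14", behind_nat=False)
GW2: Site = dict(GW1, public_ip="198.51.100.7", remote_gateway="203.0.113.10", negotiation_mode="initiator",
                 local_subnet="192.168.2.0/24", remote_subnet="192.168.1.0/24", local_id="site2",
                 remote_id="site1", phase2_protocol="AH", behind_nat=True)
```

Calling `check_site_to_site(GW1, GW2)` reports the Phase-2 protocol mismatch and the AH-behind-NAT problem; switching GW2 to ESP yields an empty list.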
Step 1. Make sure the client device can ping the Gateway’s WAN IP.
In the Controller web interface, go to Settings > Network Security > Attack Defense, disable Block ping from WAN, then ping the Gateway's WAN IP from the client device.
Step 2. Log in to the Controller, go to Settings > Network Security > Attack Defense, and disable Block ping from WAN.
Step 3. Confirm the client device model.
- If the client device runs iOS, a NAT device in front of the Gateway is acceptable. Set both Local ID Type and Remote ID Type to NAME mode.
- If the client device is a Samsung device, a NAT device in front of the Gateway is acceptable. Leave both Local ID Type and Remote ID Type in the default IP Address mode.
- If the client device is an Android device other than a Samsung device, there must be no NAT device in front of the Gateway. Set Local ID Type to IP Address mode and Remote ID Type to NAME mode.
Step 4. Confirm your Gateway configuration.
- Basic configuration: Fill in the Remote Host with either 0.0.0.0 or the public IP of the NAT device in front of the client device.
- Phase-1 configuration: Make sure the IKE Version matches the client's. Proposal can be set to sha256-aes256-dh14. Select Responder Mode for Negotiation Mode. Configure Local ID Type and Remote ID Type according to Step 3.
- Phase-2 configuration: Proposal can be set to sha256-aes256-dh14.
Step 5. Check whether the proposals match.
Enable port mirroring for packet capture and capture the traffic of the WAN interface associated with the IPsec entry.
Use Wireshark to filter the ISAKMP packets. If the first ISAKMP packet the Gateway sends in reply contains the payload Notify (41) - NO_PROPOSAL_CHOSEN, the proposals do not match, as shown in the figure below.
The first ISAKMP packet sent by the client lists every security proposal the client supports. Set the Gateway's proposal to one of the options listed in that packet.
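As an added example (not TP-Link's code), this Python snippet walks the payload chain of an IKEv2 message the way Wireshark does and reports whether a reply carries the NO_PROPOSAL_CHOSEN notify described in Step 5; it assumes IKEv2 (Wireshark's "Notify (41)" label is the IKEv2 payload type, IKEv1 uses a different layout) and constructs its own sample reply instead of reading a capture file.

```python
# Added example (not TP-Link's code): detect a NO_PROPOSAL_CHOSEN reply in an IKEv2 message.
import struct
from typing import List, Tuple

IKE_HEADER_LEN = 28       # SPIi(8) SPIr(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
PAYLOAD_NOTIFY = 41       # IKEv2 Notify payload type, shown by Wireshark as "Notify (41)"
NO_PROPOSAL_CHOSEN = 14   # Notify Message Type from RFC 7296
FLAG_RESPONSE = 0x20      # R bit in the header flags

def parse_ikev2(msg: bytes) -> Tuple[dict, List[Tuple[int, bytes]]]:
    """Return (header fields, [(payload_type, payload_body), ...]); struct.error if too short."""
    _spi_i, _spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg) or ver >> 4 != 2:
        raise ValueError("not a well-formed IKEv2 message")
    hdr = {"exchange": exch, "response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id}
    payloads, off = [], IKE_HEADER_LEN
    while nxt != 0:                        # next-payload 0 ends the chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt_after, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append((nxt, msg[off + 4:off + plen]))
        nxt, off = nxt_after, off + plen
    return hdr, payloads

def no_proposal_chosen(msg: bytes) -> bool:
    """True when a response carries Notify(41) with type NO_PROPOSAL_CHOSEN (Step 5)."""
    hdr, payloads = parse_ikev2(msg)
    for ptype, body in payloads:
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            if ntype == NO_PROPOSAL_CHOSEN:
                return hdr["response"]
    return False

def build_ikev2(spi_i: int, spi_r: int, exch: int, flags: int, msg_id: int,
                payloads: List[Tuple[int, bytes]]) -> bytes:
    """Serialise [(payload_type, body)] into one message (used only for the constructed sample)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return struct.pack("!QQBBBBII", spi_i, spi_r, first, 0x20, exch, flags, msg_id, IKE_HEADER_LEN + len(body)) + body

# Constructed sample: an IKE_SA_INIT (exchange 34) response rejecting the client's proposals.
REJECT = build_ikev2(0x1122334455667788, 0x8877665544332211, 34, FLAG_RESPONSE, 0,
                     [(PAYLOAD_NOTIFY, struct.pack("!BBH", 0, 0, NO_PROPOSAL_CHOSEN))])
```

To use it on a real capture, export the UDP payload of the Gateway's first reply (Wireshark: File > Export Packet Bytes) and pass those bytes to `no_proposal_chosen`.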
If the issue of IPsec VPN is still not resolved with the above steps, please contact TP-Link via hotline or email for support.
For more details on each function and configuration, go to the Download Center and download the manual for your product.