VPN IPSEC IKEv2 on er605 v2

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-11-23 14:55:09 - last edited 2024-08-28 01:56:19
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.1 Build 20230115 Rel.77774

I'm trying to configure an IPsec IKEv2 VPN on my ER605, but I'm having great difficulty configuring it.
I should state that the PPTP and OpenVPN configurations work correctly,
but I need additional IPsec/IKEv2 access.
I followed the guide described here https://www.tp-link.com/it/support/faq/3447/
but the connection negotiation doesn't even start. I would like to understand where I'm going wrong.

#1
Accepted Solution
Re:VPN IPSEC IKEv2 on er605 v2 - Solution
2023-12-01 01:18:28 - last edited 2023-12-01 01:24:37

Hi @PKD1 

Thanks for posting in our business forum.

PKD1 wrote

  @Clive_A The result is the same; nothing changes.

OK. I just got confirmation that the Local ID type cannot be matched, because Android does not support the Remote ID type. When you put the ER605 behind NAT, the Local ID type would be the IP address, and this cannot be modified. This will make the authentication fail.

iOS supports changing the Remote ID type, and this does not happen with Apple products.

 

Temporary fix for now: switch your modem router to bridge mode. Don't use DMZ or put the ER605 behind NAT.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#13
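The accepted answer above rests on the ER605 sitting behind the ISP router's NAT, so the address the ER605 knows as its own WAN address is a private one (192.168.2.2 in the capture posted later in this thread). IKEv2 peers discover this themselves from the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notify payloads that the phone's IKE_SA_INIT request carries: each is SHA-1 over the two SPIs, an IP address and a port (RFC 7296 section 2.23), and the responder recomputes them over the addresses it actually sees on the wire. The script below is an added example, not code from the thread or from TP-Link. It replays that check for the DMZ case; the initiator SPI and the 192.168.2.2 address are taken from the capture, while the public and carrier-NAT addresses are constructed documentation values.

```python
"""IKEv2 NAT detection (RFC 7296 section 2.23) replayed for a responder in a DMZ behind an
ISP router.  Added example; public addresses are constructed documentation values."""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi || SPIr || IP || port), all in network byte order.  This is the Notification
    DATA of the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payloads in the capture."""
    return hashlib.sha1(
        spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def initiator_notifies(spi_i, spi_r, local_ip, local_port, dialed_ip, dialed_port):
    """What the phone puts in its IKE_SA_INIT request: hashes over the addresses *it* knows,
    i.e. its own interface address and the server address it dialed."""
    return (nat_detection_hash(spi_i, spi_r, local_ip, local_port),
            nat_detection_hash(spi_i, spi_r, dialed_ip, dialed_port))


def responder_check(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, own_ip, own_port):
    """The responder recomputes both hashes over what it actually observes and compares.
    Returns (initiator_behind_nat, responder_behind_nat); any True means the peers move
    to UDP 4500 with UDP encapsulation."""
    src_notify, dst_notify = notifies
    initiator_nat = nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port) != src_notify
    responder_nat = nat_detection_hash(spi_i, spi_r, own_ip, own_port) != dst_notify
    return initiator_nat, responder_nat


SPI_I = bytes.fromhex("bce6a6db70f21c60")  # initiator SPI from the capture in this thread
SPI_R = bytes(8)                           # responder SPI is all-zero in the IKE_SA_INIT request


def dmz_scenario():
    """Phone on carrier NAT (constructed 10.20.30.40, seen publicly as 203.0.113.9:40754)
    dials the ISP router's public address (constructed 198.51.100.7); the router DMZs UDP 500
    to the ER605 WAN at 192.168.2.2, the address seen in the capture."""
    notifies = initiator_notifies(SPI_I, SPI_R, "10.20.30.40", 500, "198.51.100.7", 500)
    return responder_check(SPI_I, SPI_R, notifies, "203.0.113.9", 40754, "192.168.2.2", 500)


def direct_scenario():
    """Same exchange with public addresses on both ends and no translation in between."""
    notifies = initiator_notifies(SPI_I, SPI_R, "203.0.113.9", 500, "198.51.100.7", 500)
    return responder_check(SPI_I, SPI_R, notifies, "203.0.113.9", 500, "198.51.100.7", 500)


if __name__ == "__main__":
    print("DMZ / double NAT:", dmz_scenario())  # (True, True)
    print("direct:", direct_scenario())         # (False, False)
```

In the DMZ case both flags come back True: the responder's own hash is computed over 192.168.2.2, which is also the only address the ER605 has to put into an address-type ID, which is the situation the accepted answer describes. Bridge mode on the ISP router makes the second flag False because the ER605 then holds the public address itself.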
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-24 00:54:42

Hi @PKD1 

Thanks for posting in our business forum.

Please share your screenshots step by step. Mosaic partial public IP addresses. I need to make sure whether you have configured it correctly or not.

#2
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-24 16:31:30 - last edited 2023-11-24 17:47:42

  @Clive_A 

These are my screenshots.
192.168.2.1 is the ISP router, set in DMZ towards the ER605.

If I use the following settings and try to use IPsec IKEv2, it still doesn't work.

#3
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-27 01:52:15 - last edited 2023-11-27 01:54:03

Hi @PKD1 

Thanks for posting in our business forum.

PKD1 wrote

  @Clive_A

  These are my screenshots.
  192.168.2.1 is the ISP router, set in DMZ towards the ER605.

  If I use the following settings and try to use IPsec IKEv2, it still doesn't work.

 

You should port forward before making a VPN connection.

IPsec uses UDP 500 and 4500. You should make sure you have set up the DMZ correctly. If you want, show me a picture of the DMZ settings on your ISP router.

Does your ISP router get a public IP? Like I said earlier, screenshot with mosaic. I need to see your IP on the WAN status page of your ISP router.

(Also, I need both sides' IPsec config. Only reading one side does not rule out the possibility of your misconfiguration. Or take the responsibility yourself and do the check. I'll finish my part solely.)

If this is not resolved, I need you to use Wireshark to find which phase fails to build the tunnel.

 

#4
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-27 11:31:22 - last edited 2023-11-27 11:34:24

  @PKD1 

#5
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-28 02:29:37

Hi @PKD1 

Thanks for posting in our business forum.

PKD1 wrote

  @PKD1

 

It seems to be a problem with Android. At least in my test environment, I did this before. Nothing wrong with it.

You can try to set up an OVPN and try with a computer or other devices to verify whether the double-NAT issue is resolved by the DMZ or not. If the other types don't work either, it seems to be a problem with the NAT.

But if it works, it means NAT is not the cause. I need you to use Wireshark and work with me to find out which phase fails. This Wireshark capture should be done on the WAN, to capture any incoming ISAKMP. See if the negotiation of phases 1 and 2 can succeed.

#6
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-29 12:25:10
I'll check with Wireshark and post the results.
#7
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-29 16:35:19 - last edited 2023-11-29 16:40:22

  @Clive_A These are the Wireshark logs. I don't understand why port 500 traffic steps to port 40754;
however, it does not pass the key exchange.

Request: source smartphone, destination 192.168.2.2

Frame 1066: 1114 bytes on wire (8912 bits), 1114 bytes captured (8912 bits) on interface \Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF})
        Interface name: \Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF}
        Interface description: Ethernet
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 29, 2023 17:17:51.272525000 ora solare Europa occidentale
    UTC Arrival Time: Nov 29, 2023 16:17:51.272525000 UTC
    Epoch Arrival Time: 1701274671.272525000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.437719000 seconds]
    [Time delta from previous displayed frame: 23.797508000 seconds]
    [Time since reference or first frame: 145.928895000 seconds]
    Frame Number: 1066
    Frame Length: 1114 bytes (8912 bits)
    Capture Length: 1114 bytes (8912 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: zte_76:1d:04 (c0:94:ad:76:1d:04), Dst: TPLink_97:6d:44 (54:af:97:97:6d:44)
    Destination: TPLink_97:6d:44 (54:af:97:97:6d:44)
        Address: TPLink_97:6d:44 (54:af:97:97:6d:44)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: zte_76:1d:04 (c0:94:ad:76:1d:04)
        Address: zte_76:1d:04 (c0:94:ad:76:1d:04)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: smartphone, Dst: 192.168.2.2
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1100
    Identification: 0x079e (1950)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 63
    Protocol: UDP (17)
    Header Checksum: 0x905a [validation disabled]
    [Header checksum status: Unverified]
    Source Address: smartphone
    Destination Address: 192.168.2.2
User Datagram Protocol, Src Port: 40754, Dst Port: 500
    Source Port: 40754
    Destination Port: 500
    Length: 1080
    Checksum: 0x7a5e [unverified]
    [Checksum Status: Unverified]
    [Stream index: 41]
    [Timestamps]
        [Time since first frame: 0.000000000 seconds]
        [Time since previous frame: 0.000000000 seconds]
    UDP payload (1072 bytes)
Internet Security Association and Key Management Protocol
    Initiator SPI: bce6a6db70f21c60
    Responder SPI: 0000000000000000
    Next payload: Security Association (33)
    Version: 2.0
        0010 .... = MjVer: 0x2
        .... 0000 = MnVer: 0x0
    Exchange type: IKE_SA_INIT (34)
    Flags: 0x08 (Initiator, No higher version, Request)
        .... 1... = Initiator: Initiator
        ...0 .... = Version: No higher version
        ..0. .... = Response: Request
    Message ID: 0x00000000
    Length: 1072
    Payload: Security Association (33)
        Next payload: Key Exchange (34)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 408
        Payload: Proposal (2) # 1
            Next payload: Proposal (2)
            Reserved: 00
            Payload length: 200
            Proposal number: 1
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 21
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CTR (13)
                Transform Attribute (t=14,l=2): Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CTR (13)
                Transform Attribute (t=14,l=2): Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CTR (13)
                Transform Attribute (t=14,l=2): Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform Attribute (t=14,l=2): Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_512_256 (14)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_384_192 (13)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Reserved: 00
                Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 4096 bit MODP group (16)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): Unknown (31)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 3072 bit MODP group (15)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 2048 bit MODP group (14)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_AES128_CBC (4)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
            Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_AES128_CMAC6 (8)
        Payload: Proposal (2) # 2
            Next payload: NONE / No Next Payload  (0)
            Reserved: 00
            Payload length: 204
            Proposal number: 2
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 20
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): ENCR_CHACHA20_POLY1305 (28)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
                Transform Attribute (t=14,l=2): Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
                Transform Attribute (t=14,l=2): Key Length: 256
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
                Transform Attribute (t=14,l=2): Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
                Transform Attribute (t=14,l=2): Key Length: 192
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
                Transform Attribute (t=14,l=2): Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
                Transform Attribute (t=14,l=2): Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Reserved: 00
                Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
                Transform Attribute (t=14,l=2): Key Length: 128
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 4096 bit MODP group (16)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): Unknown (31)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 3072 bit MODP group (15)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Reserved: 00
                Transform ID (D-H): 2048 bit MODP group (14)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA1 (2)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_AES128_CBC (4)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_384 (6)
            Payload: Transform (3)
                Next payload: Transform (3)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_HMAC_SHA2_512 (7)
            Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                Reserved: 00
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Reserved: 00
                Transform ID (PRF): PRF_AES128_CMAC6 (8)
    Payload: Key Exchange (34)
        Next payload: Nonce (40)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 520
        DH Group #: 4096 bit MODP group (16)
        Reserved: 0000
        Key Exchange Data [truncated]: f6b955432c9058c34d9c4859ae8ae4f37bf130c1b66025c5529ca0a55eea809561bf759557e572ff94e79d74da4a465fa28683150902cd357c31589cf12b44dd324ad59ee467453af1494e9d483cabcdfdd0573d1c2aa6734dddfbee812c7f6cb805d84f6ca3290b
    Payload: Nonce (40)
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 36
        Nonce DATA: b655a32438ea804b775102ee3d31b5b2f7b8cac4318c8b4ea8e9c551804b5228
    Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 28
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
        Notification DATA: 7f9eeceed3ea23b31f8a79204f38fdbe4238c9b9
    Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 28
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
        Notification DATA: 93bdbd432cff408a6586e35a7d12937ae10f99bf
    Payload: Notify (41) - IKEV2_FRAGMENTATION_SUPPORTED
        Next payload: Notify (41)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 8
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: IKEV2_FRAGMENTATION_SUPPORTED (16430)
        Notification DATA: <MISSING>
    Payload: Notify (41) - SIGNATURE_HASH_ALGORITHMS
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 16
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: SIGNATURE_HASH_ALGORITHMS (16431)
        Notification DATA: 0001000200030004
        Supported Signature Hash Algorithm: SHA1 (1)
        Supported Signature Hash Algorithm: SHA2-256 (2)
        Supported Signature Hash Algorithm: SHA2-384 (3)
        Supported Signature Hash Algorithm: SHA2-512 (4)

 

 

Response: source 192.168.2.2, destination smartphone

Frame 1067: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface \Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF}, id 0
    Section number: 1
    Interface id: 0 (\Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF})
        Interface name: \Device\NPF_{C47995F6-6075-4113-971B-5B8F509747BF}
        Interface description: Ethernet
    Encapsulation type: Ethernet (1)
    Arrival Time: Nov 29, 2023 17:17:51.276427000 ora solare Europa occidentale
    UTC Arrival Time: Nov 29, 2023 16:17:51.276427000 UTC
    Epoch Arrival Time: 1701274671.276427000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.003902000 seconds]
    [Time delta from previous displayed frame: 0.003902000 seconds]
    [Time since reference or first frame: 145.932797000 seconds]
    Frame Number: 1067
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:isakmp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: TPLink_97:6d:44 (54:af:97:97:6d:44), Dst: zte_76:1d:04 (c0:94:ad:76:1d:04)
    Destination: zte_76:1d:04 (c0:94:ad:76:1d:04)
        Address: zte_76:1d:04 (c0:94:ad:76:1d:04)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: TPLink_97:6d:44 (54:af:97:97:6d:44)
        Address: TPLink_97:6d:44 (54:af:97:97:6d:44)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.2.2, Dst: smartphone
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 64
    Identification: 0xd772 (55154)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 62
    Protocol: UDP (17)
    Header Checksum: 0xc591 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.2.2
    Destination Address: smartphone
User Datagram Protocol, Src Port: 500, Dst Port: 40754
    Source Port: 500
    Destination Port: 40754
    Length: 44
    Checksum: 0xe6cd [unverified]
    [Checksum Status: Unverified]
    [Stream index: 41]
    [Timestamps]
        [Time since first frame: 0.003902000 seconds]
        [Time since previous frame: 0.003902000 seconds]
    UDP payload (36 bytes)
Internet Security Association and Key Management Protocol
    Initiator SPI: bce6a6db70f21c60
    Responder SPI: e2812c028aea01fb
    Next payload: Notify (41)
    Version: 2.0
        0010 .... = MjVer: 0x2
        .... 0000 = MnVer: 0x0
    Exchange type: IKE_SA_INIT (34)
    Flags: 0x20 (Responder, No higher version, Response)
        .... 0... = Initiator: Responder
        ...0 .... = Version: No higher version
        ..1. .... = Response: Response
    Message ID: 0x00000000
    Length: 36
    Payload: Notify (41) - NO_PROPOSAL_CHOSEN
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not critical
        .000 0000 = Reserved: 0x00
        Payload length: 8
        Protocol ID: RESERVED (0)
        SPI Size: 0
        Notify Message Type: NO_PROPOSAL_CHOSEN (14)
        Notification DATA: <MISSING>

#8
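In the capture above the ER605 answers the phone's IKE_SA_INIT request with a single NO_PROPOSAL_CHOSEN notify. That reply belongs to the first exchange, before either side has sent an identity (IDs are exchanged in IKE_AUTH), so it reports that nothing in the request's SA payload matched the responder's configured IKE proposal. Read the offer: the phone proposes AES-CTR/AES-CBC (proposal 1) or AES-GCM/ChaCha20-Poly1305 (proposal 2), SHA-2 based integrity, and Diffie-Hellman groups 14, 15, 16 and 31 only; there is no DH group 1, 2 or 5 and no SHA-1 or MD5 integrity transform. A responder configured for a legacy phase-1 proposal cannot intersect with that. The script below is an added example, not code from the thread or from TP-Link: it serialises and parses SA payloads in the RFC 7296 section 3.3 wire format, replays an abbreviated transcription of the phone's offer against two responder configurations, and emulates the responder's choice. The ER605's actual configured proposal is not visible in the thread, so both responder configurations are assumptions for illustration.

```python
"""Why IKE_SA_INIT can end in NO_PROPOSAL_CHOSEN: build, parse and match IKEv2 SA payloads
(RFC 7296 section 3.3).  Added example; the responder proposals are hypothetical."""
import struct

# Transform types and the IDs that appear in the capture (IANA IKEv2 registry values).
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
NAMES = {
    ENCR: {3: "3DES", 12: "AES_CBC", 13: "AES_CTR", 20: "AES_GCM_16", 28: "CHACHA20_POLY1305"},
    PRF: {2: "HMAC_SHA1", 4: "AES128_CBC", 5: "HMAC_SHA2_256", 6: "HMAC_SHA2_384",
          7: "HMAC_SHA2_512", 8: "AES128_CMAC"},
    INTEG: {2: "HMAC_SHA1_96", 5: "AES_XCBC_96", 8: "AES_CMAC_96", 12: "HMAC_SHA2_256_128",
            13: "HMAC_SHA2_384_192", 14: "HMAC_SHA2_512_256"},
    DH: {2: "MODP_1024", 14: "MODP_2048", 15: "MODP_3072", 16: "MODP_4096", 31: "CURVE25519"},
}
KEY_LENGTH_ATTR = 0x800E  # AF=1 (fixed-length value) | attribute type 14 = Key Length


# A transform is (type, id, key_length_or_None); a proposal is an ordered list of transforms.
def build_sa_payload(proposals, next_payload=34):
    """Serialise proposals into an SA payload, generic header included (34 = KE payload follows)."""
    out = b""
    for pnum, transforms in enumerate(proposals, start=1):
        tbytes = b""
        for tidx, (ttype, tid, keylen) in enumerate(transforms):
            attr = struct.pack("!HH", KEY_LENGTH_ATTR, keylen) if keylen else b""
            last_t = tidx == len(transforms) - 1
            # next(3=another transform, 0=last), reserved, length, type, reserved, transform ID
            tbytes += struct.pack("!BBHBBH", 0 if last_t else 3, 0, 8 + len(attr), ttype, 0, tid) + attr
        last_p = pnum == len(proposals)
        # next(2=another proposal, 0=last), reserved, length, number, protocol IKE=1, SPI size 0, count
        out += struct.pack("!BBHBBBB", 0 if last_p else 2, 0, 8 + len(tbytes), pnum, 1, 0,
                           len(transforms)) + tbytes
    return struct.pack("!BBH", next_payload, 0, 4 + len(out)) + out


def parse_sa_payload(data):
    """Inverse of build_sa_payload: returns [(proposal_number, [transforms...]), ...]."""
    _, _, plen = struct.unpack("!BBH", data[:4])
    off, proposals = 4, []
    while off < plen:
        _, _, prop_len, pnum, _, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            keylen = None
            if tlen >= 12 and struct.unpack("!H", data[toff + 8:toff + 10])[0] == KEY_LENGTH_ATTR:
                keylen = struct.unpack("!H", data[toff + 10:toff + 12])[0]
            transforms.append((ttype, tid, keylen))
            toff += tlen
        proposals.append((pnum, transforms))
        off += prop_len
    return proposals


def select_proposal(initiator_proposals, responder_proposals):
    """Responder-side choice (RFC 7296 section 3.3.6): the first initiator proposal whose set of
    transform types equals the responder's and where every type has an acceptable transform.
    None means the responder answers NO_PROPOSAL_CHOSEN, exactly as in the capture."""
    for pnum, offered in initiator_proposals:
        offered_types = {t[0] for t in offered}
        for accepted in responder_proposals:
            if offered_types != {t[0] for t in accepted}:
                continue  # e.g. an AEAD proposal (no INTEG) against a responder that requires INTEG
            chosen = [t for t in offered if t in accepted]
            if {t[0] for t in chosen} == offered_types:
                first = {}  # keep the initiator's first preference for each type
                for t in chosen:
                    first.setdefault(t[0], t)
                return pnum, list(first.values())
    return None


def describe(transforms):
    return ", ".join(NAMES[t][i] + (f"-{k}" if k else "") for t, i, k in transforms)


# Initiator proposals transcribed (abbreviated) from the IKE_SA_INIT request in the capture.
PHONE_PROPOSALS = [
    [(ENCR, 13, 256), (ENCR, 12, 256), (ENCR, 12, 128),
     (INTEG, 14, None), (INTEG, 12, None), (INTEG, 5, None),
     (DH, 16, None), (DH, 31, None), (DH, 15, None), (DH, 14, None),
     (PRF, 2, None), (PRF, 5, None), (PRF, 7, None)],
    [(ENCR, 28, None), (ENCR, 20, 256), (ENCR, 20, 128),
     (DH, 16, None), (DH, 31, None), (DH, 14, None),
     (PRF, 2, None), (PRF, 5, None)],
]
# Hypothetical responder configurations (assumptions for illustration, not the ER605's settings).
LEGACY_RESPONDER = [[(ENCR, 3, None), (INTEG, 2, None), (PRF, 2, None), (DH, 2, None)]]   # 3DES/SHA1/DH2
MODERN_RESPONDER = [[(ENCR, 12, 256), (INTEG, 12, None), (PRF, 5, None), (DH, 14, None)]]  # AES256/SHA256/DH14


def diagnose(responder):
    """Replay the phone's offer against a responder configuration, going through the wire format."""
    on_the_wire = build_sa_payload(PHONE_PROPOSALS)
    return select_proposal(parse_sa_payload(on_the_wire), responder)


if __name__ == "__main__":
    for name, cfg in (("legacy 3DES/SHA1/DH2", LEGACY_RESPONDER), ("AES256/SHA256/DH14", MODERN_RESPONDER)):
        result = diagnose(cfg)
        print(name, "->", "NO_PROPOSAL_CHOSEN" if result is None
              else f"proposal {result[0]}: {describe(result[1])}")
```

The practical check this gives you: compare the transforms in the client's IKE_SA_INIT request (Wireshark decodes them as above) with the IKE proposal configured on the gateway, type by type; if any type has no common entry, the gateway can only answer NO_PROPOSAL_CHOSEN and the tunnel never reaches the ID/authentication step. Adding a transform set the client actually offers (for example AES-256-CBC, SHA-256 and DH group 14) to the gateway's phase-1 proposal is the usual fix for this particular symptom.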
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-30 02:51:27

Hi @PKD1 

Thanks for posting in our business forum.

 

You only posted two capture results?

So it shows this connection, for phase 1, using UDP 500.

This is correct. Nothing wrong with it.

The source port from the cellphone is a random port, connecting to the server on UDP 500.

Later it will change:

This is the full interaction capture:

#9
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-30 09:06:19

  @Clive_A I'll post the screenshots of Wireshark; it crashes on the key exchange.

#10
Re:VPN IPSEC IKEv2 on er605 v2
2023-11-30 09:26:33

Hi @PKD1 

Thanks for posting in our business forum.

Are you trying this out in the LAN?

Can you use the cellular and get a public IP on your cellphone and try to connect to the 188.x.y.z IPsec server?

#11

Views: 2375, Replies: 20