L2L / IPSEC no Phase 2

2020-11-01 18:56:34 - last edited 2020-11-12 16:28:34
Model: Archer MR600  
Hardware Version: V1
Firmware Version:

Hi,

For 2 days now I have been trying to set up a Site-to-Site VPN between the MR600 and a Cisco 1941. Phase 1 gets established without a problem, but as soon as Phase 2 should happen the MR600 does not send any reply.

On the Cisco my configuration looks like the following; has anyone a clue why this is not working?

interface Tunnel0
 ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 tunnel source GigabitEthernet0/0.10
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.
 tunnel protection ipsec profile P2P-PROFILE
end
!
crypto isakmp key cisco address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
 set pfs group14
#1
Re:L2L / IPSEC no Phase 2-Solution
2020-11-12 16:28:25 - last edited 2020-11-12 16:28:34

I figured it out: it looks like the MR600 does not like, or cannot handle, the tunnel interface on the Cisco.

For anyone with the same or a similar issue, here is my config:
crypto logging session

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600

crypto isakmp key psk_key address xx.xxx.xxx.xx

crypto isakmp profile P2P-PROFILE

crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map sec 20 ipsec-isakmp
 set peer xx.xxx.xxx.xx
 set transform-set AES-SHA
 match address 100

The crypto map has to be applied on the WAN interface:

crypto map sec

And of course the ACL:

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

Recommended Solution
#4
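As an added illustration (not part of the thread, and not TP-Link or Cisco code): a common reason a Cisco VTI (tunnel mode ipsec ipv4) stalls at Phase 2 against a policy-based peer is that the VTI proposes any/any (0.0.0.0/0) proxy IDs, while the crypto-map form above proposes the exact subnet pair from ACL 100, which the MR600 can mirror. The script parses a crypto ACL into IKEv1 Quick Mode selectors and checks whether a peer configured with assumed local/remote subnets would match; the MR600 subnet values and the strict mirror-match rule are assumptions.

```python
import ipaddress

# Constructed input: the crypto ACL from the accepted solution above.
CISCO_ACL = [
    "access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
# Assumption: the MR600 "Local Subnet" / "Remote Subnet" fields are set like this.
MR600_LOCAL, MR600_REMOTE = "192.168.1.0/24", "192.168.3.0/24"

ANY = ipaddress.ip_network("0.0.0.0/0")


def _acl_net(tokens, i):
    """Parse one ACL address term at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def crypto_acl_selectors(acl_lines):
    """Phase 2 proxy IDs a crypto-map peer proposes: one (src, dst) pair per 'permit ip'."""
    pairs = []
    for line in acl_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # only 'permit ip' entries define IPsec traffic selectors
        src, i = _acl_net(t, 4)
        dst, _ = _acl_net(t, i)
        pairs.append((src, dst))
    return pairs


def vti_selectors():
    """A Cisco IPsec VTI proposes any/any proxy IDs (known IOS behaviour, not from the thread)."""
    return [(ANY, ANY)]


def quick_mode_matches(cisco_pairs, peer_local, peer_remote):
    """Strict policy-based responder: Quick Mode succeeds only if the initiator's
    (src, dst) equals the responder's mirrored (remote, local) pair."""
    mirrored = (ipaddress.ip_network(peer_remote), ipaddress.ip_network(peer_local))
    return mirrored in cisco_pairs
```

With the constructed values, the ACL pair mirrors the MR600 side and matches, while the VTI's any/any pair does not, which is consistent with the symptom described in the thread.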
Re:L2L / IPSEC no Phase 2
2020-11-06 07:15:26

@dan_man 

Good day,

Have you seen this link?

https://www.tp-link.com/en/support/faq/1988/

And could you please also check the Internet IP address on the Archer MR600 to make sure it is a public IP address; otherwise you might need to have the port opened for the MR600 at the SIM card provider.

Thanks a lot.

#2
Re:L2L / IPSEC no Phase 2
2020-11-11 16:24:29

@Sunshine

Hi,

The MR600 is getting a publicly reachable IP address from the SIM provider, and there is also no issue regarding the MTU.

I tried to set up the tunnel via the LAN IP addresses and did a port mirror; after Phase 1 was successful and Phase 2 should happen, the MR600 does not send any data.

#3
Re:L2L / IPSEC no Phase 2
2020-11-16 11:52:29

@dan_man

Thank you very much for sharing this config info with the community; I'm glad to hear that it works, congrats. ^_^

Good day~

#5