L2L / IPSEC no Phase 2

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2020-11-01 18:56:34 - last edited 2020-11-12 16:28:34
Hardware Version: V1
Firmware Version:

Hi,

 

For 2 days now I have been trying to set up a site-to-site VPN between the MR600 and a Cisco 1941. Phase 1 gets established without a problem, but as soon as Phase 2 should happen the MR600 is not sending any reply.

 

On the Cisco my configuration looks like the following. Has anyone a clue why this is not working?

 

interface Tunnel0
 ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 tunnel source GigabitEthernet0/0.10
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.
 tunnel protection ipsec profile P2P-PROFILE
end
!

crypto isakmp key cisco address xxx.xxx.xxx.xxx

!

crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac

!

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
!

crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
 set pfs group14
1 Accepted Solution
Re:L2L / IPSEC no Phase 2-Solution
2020-11-12 16:28:25 - last edited 2020-11-12 16:28:34

I figured it out: it looks like the MR600 does not like or cannot handle the tunnel interface on the Cisco.

 

For anyone with the same / similar issue, here is my config:

 

crypto logging session
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key psk_key address xx.xxx.xxx.xx
crypto isakmp profile P2P-PROFILE
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map sec 20 ipsec-isakmp
 set peer xx.xxx.xxx.xx
 set transform-set AES-SHA
 match address 100

The crypto map has to be applied on the WAN interface:

 crypto map sec

And of course the ACL:

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

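As an added example that is not part of the original post and not TP-Link's or Cisco's own tooling, here is a small Python checker that parses the kind of IOS crypto-map configuration shown in the solution above and flags the mismatches that commonly leave Phase 2 stalled: a crypto map that is never applied to an interface, a map entry referencing an undefined transform-set, ISAKMP key or ACL, and an ACL whose subnets do not mirror the peer's proxy IDs. The sample config, the 203.0.113.x documentation-range addresses, and the peer subnets passed to check_config are constructed assumptions, not values from the thread.

```python
"""Consistency checker for a Cisco IOS crypto-map IPsec configuration.

Added example (not from the forum post). Parses the IOS text with simple
regexes and reports the mismatches that typically stall IPsec Phase 2.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key psk_key address 203.0.113.20
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map sec 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set AES-SHA
 match address 100
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 crypto map sec
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peer: str = ""
    transform_set: str = ""
    acl: str = ""


@dataclass
class IosCrypto:
    transform_sets: set = field(default_factory=set)
    map_entries: list = field(default_factory=list)
    applied_maps: dict = field(default_factory=dict)  # interface -> crypto map name
    acls: dict = field(default_factory=dict)          # acl id -> [(src, wc, dst, wc), ...]
    isakmp_peers: set = field(default_factory=set)    # addresses with a pre-shared key


def parse_ios_crypto(text):
    """Extract the crypto-relevant objects from IOS running-config text."""
    cfg = IosCrypto()
    ctx = None  # current indented block: ("map", entry) or ("intf", name)
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            ctx = None  # a new top-level command ends the previous block
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                cfg.transform_sets.add(m.group(1))
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                entry = CryptoMapEntry(m.group(1), int(m.group(2)))
                cfg.map_entries.append(entry)
                ctx = ("map", entry)
            elif m := re.match(r"interface (\S+)", line):
                ctx = ("intf", m.group(1))
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                cfg.isakmp_peers.add(m.group(1))
            elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg.acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        if ctx is None:
            continue
        kind, obj = ctx
        if kind == "map":
            if m := re.match(r"set peer (\S+)", line):
                obj.peer = m.group(1)
            elif m := re.match(r"set transform-set (\S+)", line):
                obj.transform_set = m.group(1)
            elif m := re.match(r"match address (\S+)", line):
                obj.acl = m.group(1)
        elif kind == "intf":
            if m := re.match(r"crypto map (\S+)$", line):
                cfg.applied_maps[obj] = m.group(1)
    return cfg


def check_config(cfg, peer_local_net, peer_remote_net):
    """Return a list of problems. peer_local_net / peer_remote_net are the subnets
    the *peer* configured as its local and remote networks ("addr wildcard");
    our ACL must be the mirror image: our source == peer remote, our dest == peer local."""
    problems = []
    applied = set(cfg.applied_maps.values())
    for e in cfg.map_entries:
        where = f"crypto map {e.name} {e.seq}"
        if e.name not in applied:
            problems.append(f"{where}: map not applied to any interface")
        if e.transform_set not in cfg.transform_sets:
            problems.append(f"{where}: transform-set '{e.transform_set}' undefined")
        if e.peer and e.peer not in cfg.isakmp_peers:
            problems.append(f"{where}: no isakmp key configured for peer {e.peer}")
        rules = cfg.acls.get(e.acl)
        if not rules:
            problems.append(f"{where}: ACL {e.acl} missing or has no permit entries")
            continue
        mirrored = any(f"{s} {sw}" == peer_remote_net and f"{d} {dw}" == peer_local_net
                       for s, sw, d, dw in rules)
        if not mirrored:
            problems.append(f"{where}: ACL {e.acl} does not mirror the peer's proxy IDs")
    return problems


if __name__ == "__main__":
    parsed = parse_ios_crypto(SAMPLE_CONFIG)
    # Assumed peer (MR600-side) networks: local 192.168.1.0/24, remote 192.168.3.0/24.
    for p in check_config(parsed, "192.168.1.0 0.0.0.255", "192.168.3.0 0.0.0.255") or ["OK"]:
        print(p)
```

Run it against a saved `show running-config` and the subnets the other side's VPN page shows; an empty result means the map, transform-set, key and ACL line up, which is the state to confirm before looking further at the peer.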
Re:L2L / IPSEC no Phase 2
2020-11-06 07:15:26

@dan_man 

Good day,

Have you seen this link?

https://www.tp-link.com/en/support/faq/1988/

and could you please also check the internet IP address on the Archer MR600 to make sure it is a public IP address; otherwise you might need to have the port for the MR600 opened at the SIM card provider.

Thanks a lot.

Re:L2L / IPSEC no Phase 2
2020-11-11 16:24:29

@Sunshine 

 

Hi,

 

The MR600 is getting a publicly reachable IP address from the SIM provider, and there is also no issue regarding the MTU.

 

I tried to set up the tunnel via the LAN IP addresses and did a port mirror: after Phase 1 was successful and Phase 2 should happen, the MR600 does not send any data.

 

Re:L2L / IPSEC no Phase 2
2020-11-16 11:52:29

@dan_man 

 

Thank you very much for sharing this config info with the community; it's great to hear that it works, congrats. ^_^

 

Good day~
