L2L / IPSEC no Phase 2
Hi,
For 2 days now I have been trying to set up a site-to-site VPN between the MR600 and a Cisco 1941. Phase 1 gets established without a problem, but as soon as phase 2 should happen, the MR600 is not sending any reply.
On the Cisco, my configuration looks like the following. Does anyone have a clue why this is not working?
interface Tunnel0
 ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 tunnel source GigabitEthernet0/0.10
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.
 tunnel protection ipsec profile P2P-PROFILE
end
!
crypto isakmp key cisco address xxx.xxx.xxx.xxx
!
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
!
crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
 set pfs group14
Good day,
Have you seen this link?
https://www.tp-link.com/en/support/faq/1988/
Could you please also check the internet IP address on the Archer MR600 to make sure it is a public IP address? Otherwise you might need to open the port for the MR600 on the SIM card provider.
Thanks a lot.
Hi,
The MR600 is getting a publicly reachable IP address from the SIM provider, and there is also no issue regarding the MTU.
I tried to set up the tunnel via the LAN IP addresses and did a port mirror, and after phase 1 was successful and phase 2 should happen, the MR600 does not send any data.
I figured it out. It looks like the MR600 does not like or cannot handle the tunnel interface on the Cisco.
For anyone with the same / similar issue, here is my config:
crypto logging session
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key psk_key address xx.xxx.xxx.xx
crypto isakmp profile P2P-PROFILE
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map sec 20 ipsec-isakmp
 set peer xx.xxx.xxx.xx
 set transform-set AES-SHA
 match address 100

crypto map has to be applied on the WAN interface:
crypto map sec

and of course the ACL:
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
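Added example, not part of any post in this thread: a Python sketch that reads the two IOS configurations posted above and summarises what each one offers in Phase 2, so the differences can be checked against the peer's settings. It assumes the standard IOS behaviour that a `tunnel mode ipsec ipv4` interface proposes any-to-any traffic selectors while a crypto map proposes the subnets from its `match address` ACL; `phase2_offer` and `wildcard_to_cidr` are hypothetical helper names, and the thread does not state which selectors the MR600 expects.

```python
import ipaddress
import re

# Constructed from the two configs posted in this thread (addresses are redacted there).
VTI_CONFIG = """\
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P2P-PROFILE
crypto ipsec transform-set P2P-SET esp-aes 256 esp-sha-hmac
crypto ipsec profile P2P-PROFILE
 set transform-set P2P-SET
 set pfs group14
"""
CRYPTO_MAP_CONFIG = """\
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
crypto map sec 20 ipsec-isakmp
 set transform-set AES-SHA
 match address 100
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def wildcard_to_cidr(net, wildcard):
    # IOS ACLs use inverted masks: 0.0.0.255 is the wildcard for a /24.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return str(ipaddress.IPv4Network(f"{net}/{mask}"))

def phase2_offer(config):
    """Summarise what an IOS config proposes in IKEv1 Phase 2 (hypothetical helper)."""
    transforms = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M))
    name = re.search(r"^\s*set transform-set (\S+)", config, re.M).group(1)
    pfs = re.search(r"^\s*set pfs (\S+)", config, re.M)
    offer = {"transform": transforms[name], "pfs": pfs.group(1) if pfs else None}
    acl = re.search(r"^\s*match address (\S+)", config, re.M)
    if re.search(r"^\s*tunnel mode ipsec ipv4", config, re.M):
        # Assumed standard IOS behaviour: a VTI proposes any-to-any selectors.
        offer.update(style="route-based (VTI)", selectors=[("0.0.0.0/0", "0.0.0.0/0")])
    elif acl:
        # Crypto map: each permit line (net/wildcard form only) becomes a selector pair.
        rule = rf"^access-list {acl.group(1)} permit ip (\S+) (\S+) (\S+) (\S+)$"
        offer.update(style="policy-based (crypto map)",
                     selectors=[(wildcard_to_cidr(a, b), wildcard_to_cidr(c, d))
                                for a, b, c, d in re.findall(rule, config, re.M)])
    return offer

if __name__ == "__main__":
    for label, cfg in (("first post", VTI_CONFIG), ("working config", CRYPTO_MAP_CONFIG)):
        print(label, phase2_offer(cfg))
```

The two offers share the ESP transform and differ in traffic selectors and PFS, which are the Phase 2 parameters to compare against the MR600's tunnel settings.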
Thank you very much for sharing this config info with the community. Glad to hear that it works, congrats. ^_^
Good day~