2021-02-16 06:59:29 - last edited 2021-02-16 08:03:23
Model: Archer A10
Hardware Version: V2
Firmware Version: 1.6.0 0.9.1 v004a.0 Build 181219 Rel.54042n

Hi all,


I use an Archer MR200 for an IPsec VPN setup. The other side is a Palo Alto firewall. I successfully made an IPsec VPN with the MR400, but this MR200 one is sending the wrong IP to Palo Alto, I think. Let me share the details:


Archer MR200 side:


* Operation Mode: 3G/4G Router Mode

     SIM card installed with a static IP taken from the ISP.

     Internet works well.


* LAN Settings;

    IP Address:

    Subnet Mask:

    DHCP: Enable

    DHCP Server: Selected

    IP Address Pool: -

    Address Lease Time: 1440

    Default Gateway:


* IpSec VPN Setup;

     Remote IPSec Gateway (URL): 213.xx.xx.xx (Remote side firewall wan ip)


     Tunnel access from local IP addresses: Subnet Address

     IP Address for VPN:

     Subnet Mask:


     Tunnel access from remote IP addresses: Subnet Address

     IP Address for VPN:

     Subnet Mask:


     Key Exchange Method: Auto (IKE)

     Authentication Method: Pre-Shared Key

     Pre-Shared Key: XXXXXXXXXX

     Perfect Forward Secrecy: Enable


     ==Phase 1==


     Mode: Main

     Local Identifier Type: Local WAN IP

     Remote Identifier Type: Remote WAN IP


When I look at the Palo Alto logs, I see both WAN IPs start to talk, like:

IKE phase-1 negotiation is started as initiator, main mode. Initiated SA: 213.XX.XX.XX[500]-5.XX.XX.XX[500] cookie:fe2e837a0a26820b:0000000000000000.


But strange things occur after that:

IKE phase-1 negotiation is failed. Peer's ID payload (type ipaddr) does not match a configured IKE gateway.


When I search the Internet, this IP belongs to the MR200. But my MR200 LAN is as I wrote above.


The problem is that the Archer MR200 comes with this IP to Palo Alto for peering.


I also use an MR400 for IPsec at a different location with the same setup, and it works well.


Any help is appreciated, thank you.