Hi all,

 

I use Archer MR200 for ipsec VPN setup. Other side is Palo Alto Firewall. I succesfully made ipsec vpn with MR400 but this MR200 one is send wrong ip to Palo Alto i think. LEt me share details;

 

Archer MR200 side;

 

* Operation Mode: 3G/4G Router Mode

     Sim Card installed with static ip taken from ISP.

     Internet works well.

 

* LAN Settings;

    IP Address: 192.168.30.1

    Subnet Mask: 255.255.255.0

    DHCP: Enable

    DHCP Server: Selected

    IP Address Pool: 192.168.30.100 - 192.168.30.199

    Address Lease Time: 1440

    Default Gateway: 192.168.30.1

 

* IpSec VPN Setup;

     Remote IPSec Gateway (URL): 213.xx.xx.xx (Remote side firewall wan ip)

 

     Tunnel access from local IP addresses: Subnet Address

     IP Address for VPN: 192.168.30.0

     Subnet Mask: 255.255.255.0

 

     Tunnel access from remote IP addresses: Subnet Address

     IP Address for VPN: 20.1.0.0

     Subnet Mask: 255.255.255.0

 

     Key Exchange Method: Auto (IKE)

     Authentication Method: Pre-Shared Key

     Pre-Shared Key: XXXXXXXXXX

     Perfect Forward Secrecy: Enable

     

     ==Phase 1==

 

     Mode: Main

     Local Identifier Type: Local WAN IP

     Remote Identifier Type: Remote WAN IP

 

When i look to Palo Alto Logs i see both WAN Ip start to talk like;

IKE phase-1 negotiation is started as initiator, main mode. Initiated SA: 213.XX.XX.XX[500]-5.XX.XX.XX[500] cookie:fe2e837a0a26820b:0000000000000000.

 

But strange things occures after that;

IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.225.100 (type ipaddr) does not match a configured IKE gateway.

 

When i search via Internet, this 192.168.225.100 ip is belong to MR200. But my MR200 LAN is 192.168.30.0/24 as i wrote above.

 

Problem is Archer MR200 come with this 192.168.225.100 ip to Palo Alto for peering.

 

I also use MR400 for ipsec at different location with same setup it works well.

 

Any help appreciated, thank you.