TL-MR6400 V5.3 is unable to establish IPSec-connection to a AVM FRITZ!Box 7490 on its own

2023-11-18 14:28:22 - last edited 2023-11-23 10:56:08
Tags: #VPN
Model: TL-MR6400  
Hardware Version: V5
Firmware Version: 1.6.0 0.9.1 v0001.0 Build 230801 Rel.62245n_Beta

Hello,

 

I have issues with a TL-MR6400 router, which I'd like to use for VPN. The problem I have is EXACTLY the same as described here:

https://community.tp-link.com/en/home/forum/topic/99462

 

(TL;DR: TP-Link-Router got a private IP from the ISP, the FRITZ!Box has public one. IPSec connection simply cannot be initiated by the TP-Link-Router).

 

In addition to that, I was able to get a public IP for the TL-MR6400 for test purposes, but even then, there was no way to establish a VPN connection initiated by the TP-Link router. It only works, if the connection is initiated by the FRITZ!Box. I tried several Firmware versions on the TL-MR6400 without success.

 

I'd be pleased if someone has a solution or any other ideas to solve this issue.

1 Accepted Solution
Re:TL-MR6400 V5.3 is unable to establish IPSec-connection to a AVM FRITZ!Box 7490 on its own-Solution
2023-11-23 10:55:55 - last edited 2023-11-23 11:01:58

Well, as it turns out, I got the IPSec-connection finally running with a dynamic-DNS name mapped to the TP-Link-Router (using the tplinkdns service in this case) and using that name as the FQDN on both routers (instead of the generic '0.0.0.0' I used before), even though the TP-Link-Router got a private IP from the ISP. However, the tplinkdns-name seems to be mapped on a public NAT-address, which is sufficient to get the connection running.

 

I'd guess this thread can be marked as 'solved'. Thanks again for the support offer.

3 Reply
Re:TL-MR6400 V5.3 is unable to establish IPSec-connection to a AVM FRITZ!Box 7490 on its own
2023-11-21 07:13:39

  @Alex42 

 

Hi, may I have a screenshot of your IPSec VPN Settings on the MR6400 and also the FRITZ!Box? 

 

It seems that you are using a beta firmware for India 5G Jio SIM issue, the MR6400 is in 3G/4G router mode with a SIM card, right? Who is the ISP please? 

 

Besides, how do you confirm or control the IPSec VPN connection is initiated by the FRITZ!Box or TP-Link router? 

Re:TL-MR6400 V5.3 is unable to establish IPSec-connection to a AVM FRITZ!Box 7490 on its own
2023-11-21 11:45:39 - last edited 2023-11-21 11:59:56

@Sunshine 

 

Hello,

 

thank you very much for your reach out and support offer.

 

 

Hi, may I have a screenshot of your IPSec VPN Settings on the MR6400 and also the FRITZ!Box?

 

Sure!

 

 

Note that the FRITZ!Box in this case has a dynamic DNS name ("somedomain(dot)name(dot)net", whited out on the screenshot) with a public IPv4 address. The TP-Link router got a private class A IP address (10.x.x.x). The local net at the TP-Link site is set to 192.168.1.0/24; on the FRITZ!Box-site it's 192.168.178.0/24.

If I use a public IP address using alternative APN credentials on the TP-Link-Router site and exchange the generic '0.0.0.0' Identifier with its public IP address, the connection works, but only when the check mark "VPN-Verbindung dauerhaft halten" ('Maintain permanent VPN-connection') on the FRITZ!Box is set. The 'Dead Peer Detection' option on the TP-Link site has no effect. I deduce from this that the connection setup initiated by the TP-Link router is not working for some reason. However, that doesn't exclude the possibility, that the FRITZ!Box simply denies initial VPN connection initiation requests from the TP-Link router.

 

It seems that you are using a beta firmware for India 5G Jio SIM issue, the MR6400 is in 3G/4G router mode with a SIM card, right? who is the ISP please?

 

In the meantime, I reverted back to the Firmware available on the official support webpage. The behavior is the same.

ISP is 'Congstar', a subsidiary of 'Telekom'. Both are using the same APN credentials and infrastructure.

 

Besides, how do you confirm or control the IPSec VPN connection is initiated by the FRITZ!Box or TP-Link router?

 

I cannot provide a clear confirmation, as I'm unable to sniff packets along the connection initialization, but, as I've explained above, even with public IP addresses assigned to both sites, the 'Dead Peer Detection' doesn't appear to establish the connection on that particular setup.

 

For test purposes, I might be able to set up another VPN Gateway (Raspberry Pi) within the FRITZ!Box local network with Port Forwarding enabled and see, if it picks up any packets from the MR6400 router. Then I can confirm or exclude that the Issue is the FRITZ!Box.
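
The reply above could not confirm which router opens the IKE negotiation and proposes a capture host behind the FRITZ!Box. The following sketch is an added example, not part of the thread or of any vendor tooling: it decodes the fixed IKE header from captured UDP/500 and UDP/4500 payloads and reports the sender of the first message whose responder SPI is all zeros, which is the initiator. The IP addresses, SPI values and packet bytes are constructed sample data, and `make_hdr`, `parse_ike` and `who_initiated` are names chosen for this illustration.

```python
import struct

# Exchange-type numbers from RFC 2408/2409 (IKEv1) and RFC 7296 (IKEv2).
EXCHANGES = {
    (1, 2): "Main Mode", (1, 4): "Aggressive Mode", (1, 5): "Informational",
    (1, 32): "Quick Mode", (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL",
}

def parse_ike(data: bytes, dst_port: int) -> dict:
    """Decode the fixed 28-byte IKE header of one UDP payload."""
    if dst_port == 4500:                      # NAT-T: 4-byte zero non-ESP marker
        if data[:4] != b"\x00" * 4:
            raise ValueError("UDP/4500 payload is ESP or a keepalive, not IKE")
        data = data[4:]
    if len(data) < 28:
        raise ValueError("too short for an IKE header")
    i_spi, r_spi, _np, ver, xchg, _flags, _msg_id, _length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    major = ver >> 4                          # high nibble is the major version
    return {
        "version": major,
        "exchange": EXCHANGES.get((major, xchg), f"unknown({xchg})"),
        "initiator_spi": i_spi.hex(),
        # An all-zero responder SPI/cookie marks the opening message of a
        # negotiation: whoever sent this datagram is the initiator.
        "opens_negotiation": r_spi == b"\x00" * 8,
    }

def who_initiated(packets):
    """packets: iterable of (src_ip, dst_port, udp_payload) in capture order."""
    for src, port, payload in packets:
        try:
            hdr = parse_ike(payload, port)
        except ValueError:
            continue                          # skip ESP, keepalives, truncated data
        if hdr["opens_negotiation"]:
            return src, hdr
    return None, None

def make_hdr(i_spi, r_spi, ver, xchg):
    """Build a bare IKE header (constructed test data, no payloads)."""
    return struct.pack("!8s8sBBBBII", i_spi, r_spi, 1, ver, xchg, 0, 0, 28)

# Constructed capture: a NAT keepalive, an IKEv1 Main Mode opener, the reply.
SAMPLE = [
    ("203.0.113.7", 4500, b"\xff"),
    ("203.0.113.7", 500, make_hdr(b"\x11" * 8, b"\x00" * 8, 0x10, 2)),
    ("198.51.100.9", 500, make_hdr(b"\x11" * 8, b"\x22" * 8, 0x10, 2)),
]
```

If a capture on the responder's side never yields a message with a zero responder SPI from the other peer's address, that peer is not attempting to initiate, or its packets are being dropped before they reach the capture point.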
