Hi,
I'm trying to configure an IPsec tunnel between a TP-Link Archer MR600 and a Fortinet firewall.
To do so, I installed the beta firmware mentioned in this post.
The tunnel does not want to come Up.
I've seen no logs on the TP-Link regarding IPsec, and here are the logs from the FortiGate (public IPs anonymised):
ike 0:test-4g: schedule auto-negotiate
ike 0:test-4g:12625051: initiator: main mode is sending 1st message...
ike 0:test-4g:12625051: cookie 53b3a340214e0b8a/0000000000000000
ike 0:test-4g:12625051: out
ike 0:test-4g:12625051: sent IKE msg (ident_i1send): X.X.X.X:500->X.X.X.X:500, len=288, id=53b3a340214e0b8a/0000000000000000
ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....
ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=160
ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70110020000000000000000A00D00003800000001000000010000002C01010001000000240101000080010007800E0100800200018004000580030001800B0001800C0E100D00000C09002689DFD6B7120D000014AFCAD71368A1F1C96B8696FC775701000D0000184048B7D56EBCE88525E7DE7F00D6C2D380000000000000144A131C81070358455C5728F20E95452F
ike 0:test-4g:12625051: initiator: main mode get 1st response...
ike 0:test-4g:12625051: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:test-4g:12625051: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:test-4g:12625051: DPD negotiated
ike 0:test-4g:12625051: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:test-4g:12625051: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:test-4g:12625051: selected NAT-T version: RFC 3947
ike 0:test-4g:12625051: negotiation result
ike 0:test-4g:12625051: proposal id = 1:
ike 0:test-4g:12625051: protocol id = ISAKMP:
ike 0:test-4g:12625051: trans_id = KEY_IKE.
ike 0:test-4g:12625051: encapsulation = IKE/none
ike 0:test-4g:12625051: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:test-4g:12625051: type=OAKLEY_HASH_ALG, val=MD5.
ike 0:test-4g:12625051: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:test-4g:12625051: type=OAKLEY_GROUP, val=MODP1536.
ike 0:test-4g:12625051: ISAKMP SA lifetime=3600
ike 0:test-4g:12625051: out
ike 0:test-4g:12625051: sent IKE msg (ident_i2send): X.X.X.X:500->X.X.X.X:500, len=284, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0: comes X.X.X.X:500->X.X.X.X:500,ifindex=351....
ike 0: IKEv1 exchange=Identity Protection id=53b3a340214e0b8a/469f4ffb9008ead7 len=300
ike 0: in 53B3A340214E0B8A469F4FFB9008EAD704100200000000000000012C0A0000C4DE97744EFD5BC9AD1216549819EEEDE2023674821B4144FDF70E8B798D9BC2A0B939CA8AB0B6DEC9D073D2DD4F6C39793B8A615BD80A514B3C7E5977058BA270A054E625B4BC9F346DE7AE8ED5A9003C4C722CA88CE7F5B423A5CB283708DE82B4605609F1EF74672DC85038F7D05AA48E54BC287DC361872BCD510EF51447D2D6CD681A0A01109E6ABAB0B91FE0DC54FCFDD6EC548EF95E833A6177D6E3D1EA11652503251351935FE47CA0CF08730B7821E4F81DE5BC691ED6480CF99A034A1400002401468CCDAAD02CC13F0632BA5F46C01B4AC7329C238CF31B671BBF8113E487EC1400001445EEFF8D15C4CE4E11EA816269CD0AA800000014438B058F4A819D574311D88CACFF4A86
ike 0:test-4g:12625051: initiator: main mode get 2nd response...
ike 0:test-4g:12625051: received NAT-D payload type 20
ike 0:test-4g:12625051: received NAT-D payload type 20
ike 0:test-4g:12625051: NAT detected: ME
ike 0:test-4g:12625051: NAT-T float port 4500
ike 0:test-4g:12625051: ISAKMP SA 53b3a340214e0b8a/469f4ffb9008ead7 key 32:3791683A25E8CBBE68F7897BFCB2D8D2EE0AFF5C477155B14F43CDD1459E9389
ike 0:test-4g:12625051: add INITIAL-CONTACT
ike 0:test-4g:12625051: enc 53B3A340214E0B8A469F4FFB9008EAD70510020100000000000000580800000C010000000A0A67190B000014F33BBB6DD35A229E689EE7892C7F4BA20000001C000000010110600253B3A340214E0B8A469F4FFB9008EAD7
ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FD
ike 0:test-4g:12625051: sent IKE msg (ident_i3send): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0: comes X.X.X.X:4500->X.X.X.X:4500,ifindex=351....
ike 0: IKEv1 exchange=Informational id=53b3a340214e0b8a/469f4ffb9008ead7:30dbcd0a len=92
ike 0: in 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0C4C10607A36BA5C75B7A0FBA7E76C6718D5F094670F90FA58F0EF5D5D9206B63DEA1558999E53A13E5E1B61D047BAB63423D57E2AAD2F51A78F18F51BE00F62
ike 0:test-4g:12625051: dec 53B3A340214E0B8A469F4FFB9008EAD70810050130DBCD0A0000005C0B000014D0AFEB1284628867BDA3911F323A199A0000001C000000010110001853B3A340214E0B8A469F4FFB9008EAD700000000000000000000000000000000
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:500 negotiating
ike 0:test-4g:12625051:test-4g:369935774: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FD
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g: request is on the queue
ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FD
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g: request is on the queue
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g: request is on the queue
ike 0:test-4g:12625051: out 53B3A340214E0B8A469F4FFB9008EAD705100201000000000000005CB84737AFDC8BADE434703EC4AF6E2430B6C55F468EBD00374AF52F1B8DDB24F1AC1C78153C1DE1464B24DFD2C416BCE76487F269802E424D52C0A64B838F90FD
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g: request is on the queue
ike 0:test-4g:test-4g: IPsec SA connect 351 X.X.X.X->X.X.X.X:0
ike 0:test-4g:test-4g: using existing connection
ike 0:test-4g:test-4g: config found
ike 0:test-4g: request is on the queue
ike 0:test-4g:12625051: negotiation timeout, deleting
ike 0:test-4g: connection expiring due to phase1 down
ike 0:test-4g: deleting
ike 0:test-4g: deleted
What those logs tell me is that the two devices manage to communicate on port 500 and then, because NAT-T is detected, change to port 4500.
The feeling here is that the TP-Link is not answering anymore when port 4500 is used (multiple retransmits from the FortiGate).
But I can see traffic logs between the TP-Link and the FortiGate on port 4500. It just doesn't seem to be what the FortiGate is expecting, so it's not showing in the VPN logs.
Maybe there is an update for this beta firmware that could solve my issue?
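As an added illustration of how to read a FortiGate IKE debug trace like the one above (this is example code written for this page, not something from the original post, TP-Link or Fortinet), the script below parses the lines that matter for a phase 1 post-mortem: which main-mode responses the peer returned, whether NAT was detected and to which port the negotiation floated, how many P1_RETRANSMIT messages went out on that port, and whether the negotiation timed out. The sample log is a constructed subset of the post's trace with the hex payloads stripped; the function and class names (`analyze_ike_log`, `Phase1Summary`) are hypothetical, and the regular expressions are written against the message formats visible in the post, not against any documented FortiOS log schema.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the relevant lines of the post's "ike" debug output,
# with hex payloads and repeated queue messages removed.
SAMPLE_LOG = """\
ike 0:test-4g:12625051: initiator: main mode is sending 1st message...
ike 0:test-4g:12625051: sent IKE msg (ident_i1send): X.X.X.X:500->X.X.X.X:500, len=288, id=53b3a340214e0b8a/0000000000000000
ike 0:test-4g:12625051: initiator: main mode get 1st response...
ike 0:test-4g:12625051: selected NAT-T version: RFC 3947
ike 0:test-4g:12625051: sent IKE msg (ident_i2send): X.X.X.X:500->X.X.X.X:500, len=284, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:12625051: initiator: main mode get 2nd response...
ike 0:test-4g:12625051: received NAT-D payload type 20
ike 0:test-4g:12625051: NAT detected: ME
ike 0:test-4g:12625051: NAT-T float port 4500
ike 0:test-4g:12625051: sent IKE msg (ident_i3send): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:12625051: sent IKE msg (P1_RETRANSMIT): X.X.X.X:4500->X.X.X.X:4500, len=92, id=53b3a340214e0b8a/469f4ffb9008ead7
ike 0:test-4g:12625051: negotiation timeout, deleting
ike 0:test-4g: connection expiring due to phase1 down
"""

# Patterns derived from the message formats seen in the trace (assumption:
# other FortiOS versions may word these lines differently).
SENT_RE = re.compile(r"sent IKE msg \((?P<kind>\w+)\): \S+?:(?P<sport>\d+)->\S+?:(?P<dport>\d+)")
RESPONSE_RE = re.compile(r"main mode get (?P<n>\d+)\w{2} response")
FLOAT_RE = re.compile(r"NAT-T float port (?P<port>\d+)")
NAT_RE = re.compile(r"NAT detected: (?P<who>\w+)")
TIMEOUT_RE = re.compile(r"negotiation timeout")


@dataclass
class Phase1Summary:
    responses_received: int = 0            # main-mode responses the peer actually returned
    nat_detected: Optional[str] = None     # "ME" / "PEER" as printed by the gateway
    float_port: Optional[int] = None       # port the negotiation moved to after NAT-D
    sent_by_port: Dict[int, int] = field(default_factory=dict)  # dest port -> messages sent
    retransmits: int = 0
    retransmit_port: Optional[int] = None  # dest port of the last P1_RETRANSMIT
    timed_out: bool = False

    def verdict(self) -> str:
        """Plain-language reading of where phase 1 got stuck."""
        if not self.timed_out:
            return "phase 1 did not time out in this capture"
        if self.responses_received == 0:
            return "peer never answered on the initial port; check reachability and UDP/500"
        if self.float_port is not None and self.retransmit_port == self.float_port:
            return (f"phase 1 stalled after NAT-T float: {self.responses_received} main-mode "
                    f"response(s) arrived before the float, then {self.retransmits} "
                    f"retransmit(s) on UDP/{self.float_port} went unanswered; check the "
                    f"UDP/{self.float_port} path and NAT-T support on the peer")
        return "phase 1 timed out after responses were received; inspect the later messages"


def analyze_ike_log(text: str) -> Phase1Summary:
    """Walk the debug lines once and collect the phase 1 milestones."""
    s = Phase1Summary()
    for line in text.splitlines():
        if RESPONSE_RE.search(line):
            s.responses_received += 1
        m = NAT_RE.search(line)
        if m:
            s.nat_detected = m.group("who")
        m = FLOAT_RE.search(line)
        if m:
            s.float_port = int(m.group("port"))
        m = SENT_RE.search(line)
        if m:
            dport = int(m.group("dport"))
            s.sent_by_port[dport] = s.sent_by_port.get(dport, 0) + 1
            if m.group("kind") == "P1_RETRANSMIT":
                s.retransmits += 1
                s.retransmit_port = dport
        if TIMEOUT_RE.search(line):
            s.timed_out = True
    return s


if __name__ == "__main__":
    summary = analyze_ike_log(SAMPLE_LOG)
    print(summary)
    print(summary.verdict())
```

On the post's trace this reports two main-mode responses on UDP/500, a float to UDP/4500, three unanswered retransmits on 4500 and a timeout, which is the same conclusion the post draws by hand: the exchange only breaks once NAT-T moves it to port 4500. To run it on a live trace, pipe the output of the FortiGate's IKE debug into a file and pass its contents to `analyze_ike_log` instead of `SAMPLE_LOG`.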