hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

MR200 with Iliad SIM #516

Closed braghettos closed 5 years ago

braghettos commented 5 years ago

I'm trying to configure an Archer MR200 4G router as a client to connect to the IPSec server but the errors that I get from the server logs are the following:

Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: responding to Main Mode from unknown peer xx.xxx.xx.xx on port 37508
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: no acceptable Oakley Transform
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: sending notification NO_PROPOSAL_CHOSEN to xx.xxx.xx.xx :37508
Jan 7 22:30:31 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: discarding initial packet; already STATE_MAIN_R0
Jan 7 22:31:01 server pluto[16343]: message repeated 3 times: [ "l2tp-psk"[1] xx.xxx.xx.xx #2: discarding initial packet; already STATE_MAIN_R0]

What is wrong in the server configuration?

letoams commented 5 years ago

On Mon, 7 Jan 2019, Diego Braga wrote:

I'm trying to configure an Archer MR200 4G router as a client to connect to the IPSec server but the errors that I get from the server logs are the following:

Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: responding to Main Mode from unknown peer xx.xxx.xx.xx on port 37508
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused

Reconfigure the Archer MR200 to use aes-sha1 or aes-gcm, not 3des-sha1. While at it, increase the DH group from 2 to 14 (or 5 if there is no 14)

What is wrong in the server configuration?

Nothing. The router is trying 1990 cryptography.

Paul
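As an added illustration (not code from the issue or from the setup-ipsec-vpn project), a small Python parser that picks out the "Oakley Transform [...] refused" lines from a pluto log like the one quoted above and names the legacy algorithms Paul is pointing at. The sample log is the one pasted in the issue (peer IP masked as in the post); the replacement hints are my reading of his reply, using Libreswan `ike=` token names.

```python
import re

# Libreswan pluto log lines copied from the issue above (peer IP masked as in the post).
SAMPLE_LOG = """\
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: responding to Main Mode from unknown peer xx.xxx.xx.xx on port 37508
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: Oakley Transform [3DES_CBC (192), HMAC_MD5, MODP1024] refused
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: no acceptable Oakley Transform
Jan 7 22:30:21 server pluto[16343]: "l2tp-psk"[1] xx.xxx.xx.xx #2: sending notification NO_PROPOSAL_CHOSEN to xx.xxx.xx.xx :37508
"""

# Matches the refusal line: connection name, peer address and the bracketed IKEv1 proposal.
REFUSED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: '
    r'Oakley Transform \[(?P<proposal>[^\]]+)\] refused'
)

# Legacy algorithms from the refused proposal, mapped to what Paul recommends instead
# (my wording of his advice; Libreswan ike= tokens in parentheses).
LEGACY = {
    "3DES_CBC": "AES-CBC (aes) or AES-GCM (aes_gcm)",
    "HMAC_MD5": "SHA-1 (sha1) or SHA-2 (sha2)",
    "MODP1024": "DH group 14 (modp2048), or group 5 (modp1536) if 14 is unavailable",
}


def parse_refused_proposals(log_text):
    """Return one dict per refused proposal: connection, peer, the three
    algorithms the peer offered, and replacement hints for any legacy ones."""
    findings = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue
        # "3DES_CBC (192), HMAC_MD5, MODP1024" -> ["3DES_CBC", "HMAC_MD5", "MODP1024"]
        algs = [part.split()[0] for part in m.group("proposal").split(",")]
        findings.append({
            "conn": m.group("conn"),
            "peer": m.group("peer"),
            "encryption": algs[0],
            "integrity": algs[1],
            "dh_group": algs[2],
            "legacy": {a: LEGACY[a] for a in algs if a in LEGACY},
        })
    return findings


if __name__ == "__main__":
    for f in parse_refused_proposals(SAMPLE_LOG):
        print(f"{f['conn']} from {f['peer']}: refused {f['encryption']}/{f['integrity']}/{f['dh_group']}")
        for alg, hint in f["legacy"].items():
            print(f"  {alg}: replace with {hint}")
```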

braghettos commented 5 years ago

Same error. I tried to add 3des-md5;modp1024 to the end of the ike= line in /etc/ipsec.conf on the VPN server, then ran service ipsec restart.

Now the error I get is the following:

Jan 7 23:11:29 server pluto[17528]: "l2tp-psk"[2] xx.xxx.xx.xx #1: the peer proposed: ip_vpnserver:17/1701 -> local lan ip/24:17/0
Jan 7 23:11:29 server pluto[17528]: "l2tp-psk"[2] xx.xxx.xx.xx #1: cannot respond to IPsec SA request because no connection is known

My xx.xxx.xx.xx IP is in a NAT network of the ISP and is not reachable from the Internet, but it can connect to the VPN server.

letoams commented 5 years ago

On Mon, 7 Jan 2019, Diego Braga wrote:

Same error. I tried to add 3des-md5;modp1024 to the end of the ike= line in /etc/ipsec.conf on the VPN server, then ran service ipsec restart.

No. A different error.

Now the error I get is the following:

Jan 7 23:11:29 server pluto[17528]: "l2tp-psk"[2] xx.xxx.xx.xx #1: the peer proposed: ip_vpnserver:17/1701 -> local lan ip/24:17/0

It's requesting L2TP (UDP port 1701) so it should be then suggesting a host to host transport mode connection, but it wants a /24 ???

Seems it is broken and mixed up between L2TP and non-L2TP type connections?

Paul

braghettos commented 5 years ago

The configuration on the router side allows the setup of a "Tunnel access from local IP addresses" to a single address or a subnet, therefore the /24 subnet.

letoams commented 5 years ago

That is incompatible with L2TP. You have to pick one or the other. Port 1701 indicates L2TP. So either their config tool lets you mistakenly mix them up, or there is a larger bug in the device.

Sent from mobile device

On Jan 7, 2019, at 17:33, Diego Braga notifications@github.com wrote:

The configuration on the router side allows the setup of a "Tunnel access from local IP addresses" to a single address or a subnet, therefore the /24 subnet.


hwdsl2 commented 5 years ago

Thanks @letoams!

@braghettos It looks like your router is incompatible with the VPN server. Please troubleshoot further yourself. Try reaching out to the relevant community (forums, etc.).