IPSec - Negotiation Failure

Hi all,

I have two WR21s and am trying to set up an IPsec VPN tunnel.
The configurations of the two WR21s match each other, and the IPsec tunnel was set up successfully.
Then I sent one of the WR21s to another country and inserted a SIM card from that country.
The log of the WR21 on my side shows the following:

16:23:15, 09 Mar 2021,(31) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:23:15, 09 Mar 2021,(31) IKE Negotiation Failed. Peer: ,Inactivity
16:22:46, 09 Mar 2021,(31) IKE Keys Negotiated. Peer: WR21_TEST
16:22:45, 09 Mar 2021,(31) New Phase 1 IKE Session 45.115.73.50,Responder
16:20:05, 09 Mar 2021,(28) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:20:05, 09 Mar 2021,(28) IKE Negotiation Failed. Peer: ,Inactivity
16:19:53, 09 Mar 2021,(27) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:19:53, 09 Mar 2021,(27) IKE Negotiation Failed. Peer: ,Inactivity
16:19:35, 09 Mar 2021,(28) IKE Keys Negotiated. Peer: WR21_TEST
16:19:35, 09 Mar 2021,(28) New Phase 1 IKE Session 45.115.73.58,Responder
16:19:23, 09 Mar 2021,(27) IKE Keys Negotiated. Peer: WR21_TEST
16:19:23, 09 Mar 2021,(27) New Phase 1 IKE Session 45.115.73.26,Responder
16:16:53, 09 Mar 2021,(25) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:16:53, 09 Mar 2021,(25) IKE Negotiation Failed. Peer: ,Inactivity
16:16:23, 09 Mar 2021,(25) IKE Keys Negotiated. Peer: WR21_TEST
16:16:23, 09 Mar 2021,(25) New Phase 1 IKE Session 45.115.73.26,Responder
16:13:43, 09 Mar 2021,(23) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:13:43, 09 Mar 2021,(23) IKE Negotiation Failed. Peer: ,Inactivity
16:13:13, 09 Mar 2021,(23) IKE Keys Negotiated. Peer: WR21_TEST
16:13:13, 09 Mar 2021,(23) New Phase 1 IKE Session 45.115.73.52,Responder

There are only New Phase 1 IKE Sessions but no Phase 2.
Any idea for this? Thanks.

Best,
CS

You can see from the logs that the IP addresses keep changing:

New Phase 1 IKE Session 45.115.73.52,Responder
New Phase 1 IKE Session 45.115.73.26,Responder
New Phase 1 IKE Session 45.115.73.50,Responder

This most likely means that the WR21 does not have a public IP address but is behind a NAT system.

If you have set up an IPsec VPN using IKEv1 and Main mode (the default mode) then this will fail. You will need to use Aggressive mode to allow IKEv1 to negotiate behind a NATted IP address.

You could also request a public IP from the carrier on the SIM, but I highly doubt Telkomcel (in Timor-Leste?) can provide that.

You will need remote hands/SMS control/Digi Remote Manager to change the initiator to Aggressive mode.

https://ftp1.digi.com/support/documentation/AN_010_IPSec_Over_Cellular_using_Digi_Tport_Routers.pdf

Nicholas Wilson
Your IoT
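The two things Nicholas reads off the log by eye (peer address changing between sessions, and every session reaching "IKE Keys Negotiated" and then timing out without a Phase 2) can be checked mechanically. The script below is an added example, not part of this thread or of Digi's firmware: it parses the WR21 event lines quoted in the first post (embedded here as sample input, copied from the post), groups them by the session number in parentheses, and reports the set of peer IPs, which sessions stalled after Phase 1, and how many seconds elapsed between the Phase 1 keys and the inactivity failure. The wording it uses to recognise a Phase 2 event ("Phase 2" or "IPsec SA" in the message) is an assumption, since no Phase 2 line appears in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the WR21 event log lines quoted in the original post
# (newest first, exactly as the router prints them).
LOG = """
16:23:15, 09 Mar 2021,(31) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:23:15, 09 Mar 2021,(31) IKE Negotiation Failed. Peer: ,Inactivity
16:22:46, 09 Mar 2021,(31) IKE Keys Negotiated. Peer: WR21_TEST
16:22:45, 09 Mar 2021,(31) New Phase 1 IKE Session 45.115.73.50,Responder
16:20:05, 09 Mar 2021,(28) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:20:05, 09 Mar 2021,(28) IKE Negotiation Failed. Peer: ,Inactivity
16:19:53, 09 Mar 2021,(27) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:19:53, 09 Mar 2021,(27) IKE Negotiation Failed. Peer: ,Inactivity
16:19:35, 09 Mar 2021,(28) IKE Keys Negotiated. Peer: WR21_TEST
16:19:35, 09 Mar 2021,(28) New Phase 1 IKE Session 45.115.73.58,Responder
16:19:23, 09 Mar 2021,(27) IKE Keys Negotiated. Peer: WR21_TEST
16:19:23, 09 Mar 2021,(27) New Phase 1 IKE Session 45.115.73.26,Responder
16:16:53, 09 Mar 2021,(25) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:16:53, 09 Mar 2021,(25) IKE Negotiation Failed. Peer: ,Inactivity
16:16:23, 09 Mar 2021,(25) IKE Keys Negotiated. Peer: WR21_TEST
16:16:23, 09 Mar 2021,(25) New Phase 1 IKE Session 45.115.73.26,Responder
16:13:43, 09 Mar 2021,(23) IKE SA Removed. Peer: WR21_TEST,Negotiation Failure
16:13:43, 09 Mar 2021,(23) IKE Negotiation Failed. Peer: ,Inactivity
16:13:13, 09 Mar 2021,(23) IKE Keys Negotiated. Peer: WR21_TEST
16:13:13, 09 Mar 2021,(23) New Phase 1 IKE Session 45.115.73.52,Responder
"""

# "HH:MM:SS, DD Mon YYYY,(session) message"
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d \w{3} \d{4}),\((?P<sid>\d+)\) (?P<msg>.*)$"
)
# Source address and role of a new Phase 1 session.
PHASE1_RE = re.compile(
    r"New Phase 1 IKE Session (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<role>\w+)"
)


def parse(text):
    """Return (timestamp, session_id, message) tuples in chronological order."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an IKE event line
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d %b %Y %H:%M:%S")
        events.append((ts, int(m["sid"]), m["msg"]))
    events.reverse()                    # the log is newest first
    events.sort(key=lambda e: e[0])     # stable: ties keep chronological order
    return events


def analyse(events):
    """Collapse the events into one record per IKE session number."""
    sessions = defaultdict(lambda: {
        "ip": None, "role": None, "phase1_at": None, "keys_at": None,
        "phase2": False, "failed_at": None, "reason": None,
    })
    for ts, sid, msg in events:
        s = sessions[sid]
        m = PHASE1_RE.search(msg)
        if m:
            s["ip"], s["role"], s["phase1_at"] = m["ip"], m["role"], ts
        elif msg.startswith("IKE Keys Negotiated"):
            s["keys_at"] = ts
        elif "Phase 2" in msg or "IPsec SA" in msg:
            # Assumed wording for a Phase 2 / quick mode event; none occur in the post.
            s["phase2"] = True
        elif msg.startswith("IKE Negotiation Failed"):
            s["failed_at"] = ts
            s["reason"] = msg.rsplit(",", 1)[-1].strip()
    return dict(sessions)


def findings(sessions):
    """Summarise the NAT indicator and the Phase-1-only pattern."""
    peer_ips = sorted({s["ip"] for s in sessions.values() if s["ip"]})
    stalled = [sid for sid, s in sorted(sessions.items())
               if s["keys_at"] and not s["phase2"] and s["failed_at"]]
    seconds = {sid: int((sessions[sid]["failed_at"] - sessions[sid]["keys_at"]).total_seconds())
               for sid in stalled}
    reasons = sorted({sessions[sid]["reason"] for sid in stalled})
    return {
        "peer_ips": peer_ips,
        "peer_ip_changes": len(peer_ips) > 1,   # several addresses from one SIM: NAT/CGNAT pool
        "stalled_after_phase1": stalled,
        "seconds_to_failure": seconds,
        "failure_reasons": reasons,
    }


if __name__ == "__main__":
    for key, value in findings(analyse(parse(LOG))).items():
        print(f"{key}: {value}")
```

On the lines from the post this reports four different peer addresses from the same remote router, five sessions that completed Phase 1 and then failed with "Inactivity" without any Phase 2 event, and a near-constant 29 to 30 seconds between the keys being negotiated and the failure. That steady interval is the responder's inactivity timer expiring, which means the initiator's Phase 2 proposal never arrived or was never answered; a packet capture on UDP 500/4500 on both sides is what shows which.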

Hi Nicholas,

Thanks for your reply.
I did set Aggressive mode on the initiator before I sent it to Timor-Leste.
But it didn't work.
Any other idea?
Thanks.

Best regards,
CS

Turn on the analyser and monitor the IPsec and IKE ports to see where it is failing.