site to site VPN between two different wr11 through cellular ppp not working

0 votes
I am trying to create an IPsec VPN between two WR11 XT modems using the AN10 application note. The only difference is in the initiator: when I set the IPsec rule, I use a hostname that is resolving through DynDNS. In my event log I see that it resolves to the remote IP address, but the responder refuses to negotiate in aggressive mode. This is across two different cellular networks. It seems to time out even though the correct IP address resolves? Any ideas?
asked Nov 4, 2020 in Digi TransPort by icsesinc New to the Community (0 points)

2 Answers

0 votes
Hi and welcome to Digi Forums.

AN10 would be the right Application Note to follow for such a setup.
Have you ensured that the responder is accessible from the initiator (responds to pings)?
Also ensure you are running the latest firmware version found on our website: https://www.digi.com/support/productdetail?pid=5644&type=firmware

You can find some troubleshooting steps for IPsec here: https://ftp1.digi.com/support/documentation/QN_045_How_To_setup_analyser_To_Get_IKE_IPsec_trace.pdf

and here: https://ftp1.digi.com/support/documentation/QN_051_CommonPWD_ID_errors_in_IPsec_VPN_negotiation.pdf

For any further help on this issue, please contact our Technical Support team at tech.support@digi.com. Make sure to provide an IMEI of the devices for warranty and Base support registration as well as the debug.txt from the device: https://ftp1.digi.com/support/documentation/QN_024_Extracting%20the%20debug.txt%20file%20from%20a%20Digi%20TransPort%20or%20Sarian%20router.pdf

Thank you

Regards

Alex
Digi Technical Support Engineer
answered Nov 5, 2020 by alexbdigi Community Contributor (64 points)

0 votes
Adding to Alex's notes...
The VPN responder MUST have a public IP address on its WAN interface.
Just because DynDNS registers the address in use does not mean it is public and routable.
If the address assigned is in a private range, then this will not work, even with DynDNS.
Common private ranges are:
10.0.0.0 - 10.255.255.255
100.64.0.1 - 100.127.255.254
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Even if the WR11 SIM provides a public IP address, you need to ensure that IPsec services are allowed. Some mobile network operators will block certain ports and protocols. Check this with the network operator.

If either of these is the cause, there is nothing Digi Support can do to help.

Regards,
Ben - Digi Support
answered Nov 5, 2020 by bengartland Seasoned Professional (169 points)
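
The address check described in the answer above, as an added example that is not part of the original posts: it compares the address on the responder's cellular interface with the address the initiator resolves for its hostname, using the ranges listed above written as CIDR blocks. The function names and all sample addresses are constructed for illustration, and the addresses are supplied by hand rather than read from the router.

```python
import ipaddress

# Non-public ranges from the answer above, as CIDR blocks. 100.64.0.0/10 is
# the shared address space (RFC 6598) used for carrier-grade NAT.
NON_PUBLIC = {
    "10.0.0.0/8": "RFC 1918 private",
    "100.64.0.0/10": "carrier-grade NAT (RFC 6598)",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
}


def classify(addr):
    """Return the label of the non-public range containing addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for cidr, label in NON_PUBLIC.items():
        if ip in ipaddress.ip_network(cidr):
            return label
    return "public"


def check_responder(wan_addr, dns_addr):
    """wan_addr: address on the responder's cellular (PPP) interface.
    dns_addr: address the initiator resolves for the responder's hostname."""
    wan_kind = classify(wan_addr)
    if wan_kind != "public":
        if dns_addr != wan_addr and classify(dns_addr) == "public":
            # Assumption: the public address belongs to the operator's NAT.
            return ("unreachable: DNS resolves to a public address, but the "
                    f"WAN interface holds a {wan_kind} address")
        return f"unreachable: WAN interface holds a {wan_kind} address"
    if dns_addr != wan_addr:
        return "stale DNS: hostname does not resolve to the current WAN address"
    return "ok: public WAN address matches DNS; next check operator filtering"


if __name__ == "__main__":
    # Constructed samples; documentation ranges stand in for public addresses.
    samples = [
        ("10.20.30.40", "10.20.30.40"),
        ("100.72.5.9", "203.0.113.17"),
        ("198.51.100.7", "198.51.100.99"),
        ("198.51.100.7", "198.51.100.7"),
    ]
    for wan, dns in samples:
        print(f"WAN {wan:<15} DNS {dns:<15} -> {check_responder(wan, dns)}")
```

An "ok" result only rules out the addressing problem; operator blocking of IPsec ports and protocols still has to be checked with the network operator.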
...