VPN (GlobalProtect) not working on TP-Link Archer MR200

Hello!

I am using OpenWrt 19.07.4 on TP-Link Archer MR200, the version from my mobile operator. The main reason for installing OpenWrt was that I wasn't able to make VPN work.

All I mean by the "VPN" is that I want to be able to connect from my notebook to my company servers. There is a software GlobalProtect running on my notebook, that usually seamlessly handles this. It simply works on every other router, but not on that MR200.

Installing OpenWrt wasn't straightforward, I bricked it, had to buy Paspberry PI and to debrick it. But thanks to the instructions from this site I made it.

But, guess what, I am still not able to connect through VPN. I have tried methods from every thread I found, but to no avail. It actually connects, but no data goes through. Sometimes it even works for short period and I can connect to company sites, but it doesn't last long.

I am really stuck here, because I am new to OpenWrt and I don't know how to debug this situation or what to look for. Maybe you could give me some advice?

Honestly, I can buy some other router that will work with default settings, but now it is matter of principle for me to manage it :slight_smile:

You will need to configure openconnect for the VPN, as this is the VPN software that currently interoperates with Globalprotect.

I believe that I have tried it, but will try it again, maybe I have missed something. Thank you kukulo.

Quick google reveals GlobalProtect vpn perhaps uses ipsec.

fwiw, I don't know if this helps:

Fix ipsec for MR200 v1 with TPlink stock firmware, posted 2 years ago:
https://community.tp-link.com/en/home/forum/topic/89471?page=5

The problem is that my router is version from my mobile operator, O2, and it differs from TP-Link's version. Probably not by hardware, but the version is hardcoded somewhere, so I cannot use the original software directly. Maybe I can somehow make it work by using O2's bootloader with TP-Link's software, but I don't want to use such old software and I prefer OpenWrt anyways.

Kukulo I have tried to install OenConnect again, but no luck.

Here is the scrennshot from GlobalProtect, if this will give some hint to any of you:

image

The strange thing is that it SOMETIMES works, like I went to sleep, woke up and it worked. Then I restarted nootebook and boom, not working.

When I came back from eating my lunch, it worked. I was taking the screenshot to show you and I noticed, that there is a SSL protocol when it is working and IPSec when not:

image

But GlobalProtect app doesn't seem to have any setting to switch the protocol manually.

Choose the SSL connection options for the GlobalProtect app. You can opt to enforce SSL connections only, disallow SSL connections, or allow the user to choose SSL or IPSec (default) depending on geo-location and network performance to provide the best user experience.
In the App Configuration area, choose the Connect with SSL Only
options you want to allow.

source: https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-portals/define-the-globalprotect-client-authentication-configurations/customize-the-globalprotect-app.html

On the app, the user can select Settings
General
to enable Connect with SSL Only
and Settings
Connection
to verify that the Protocol
is SSL
.

When I correctly understand, you want to achieve ipsec passthrough on your router. Since I see your client software is on windows.

There are some settings on the portal's side of GlobalProtect, that affects the protocol, but I have no control over them. It appears that there is "Automatically Use SSL When IPSec Is Unreliable (hours)" set and that's why it miraculously starts working after some time.

So yes, the problem si narrowed down to not functional IPSec on the router. Can I fix it somehow?

Try to dig here: https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/firewall

I believe it must be something simpler. This page is about setting up tunnel to particular site (site to site), but other devices work without such a compicated set up.

How about this: https://forum.archive.openwrt.org/viewtopic.php?id=60492 ?

Try adding this in /etc/config/firewall and restarting the firewall:

allow IPsec/ESP and ISAKMP passthrough:

config rule
option name Allow-ESP-RFC6092
option src wan
option dest lan
option proto esp
option target ACCEPT

config rule
option name Allow-IKE-RFC6092
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT

I guess the first rule does it: option proto esp

Also here: https://oldwiki.archive.openwrt.org/doc/uci/firewall#ipsec_passthrough

Nope, no luck.

These rules should already be enabled by default:

Yes, they were enabled.

Couldn't it be something else than firewall? I have now enabled everything imaginable, but it still doesn't work.

How can I debug if the router is blocking some traffic?

IPsec setup is significantly more complicated than WireGuard or OpenVPN.
I would not recommend it unless your networking skills are high enough to set up OpenVPN site-to-site connection with closed eyes.