VPN (GlobalProtect) not working on TP-Link Archer MR200

Hello!

I am using OpenWrt 19.07.4 on TP-Link Archer MR200, the version from my mobile operator. The main reason for installing OpenWrt was that I wasn't able to make VPN work.

All I mean by the "VPN" is that I want to be able to connect from my notebook to my company servers. There is a software GlobalProtect running on my notebook, that usually seamlessly handles this. It simply works on every other router, but not on that MR200.

Installing OpenWrt wasn't straightforward, I bricked it, had to buy a Raspberry Pi and debrick it. But thanks to the instructions from this site I made it.

But, guess what, I am still not able to connect through VPN. I have tried methods from every thread I found, but to no avail. It actually connects, but no data goes through. Sometimes it even works for a short period and I can connect to company sites, but it doesn't last long.

I am really stuck here, because I am new to OpenWrt and I don't know how to debug this situation or what to look for. Maybe you could give me some advice?

Honestly, I could buy some other router that will work with default settings, but now it is a matter of principle for me to manage it :)

You will need to configure OpenConnect for the VPN, as this is the VPN software that currently interoperates with GlobalProtect.

https://openwrt.org/docs/guide-user/services/vpn/openconnect

I believe that I have tried it, but will try it again, maybe I have missed something. Thank you kukulo.

A quick Google search reveals that GlobalProtect VPN perhaps uses IPsec.

fwiw, I don't know if this helps:

Fix ipsec for MR200 v1 with TPlink stock firmware, posted 2 years ago:
https://community.tp-link.com/en/home/forum/topic/89471?page=5

The problem is that my router is the version from my mobile operator, O2, and it differs from TP-Link's version. Probably not by hardware, but the version is hardcoded somewhere, so I cannot use the original software directly. Maybe I can somehow make it work by using O2's bootloader with TP-Link's software, but I don't want to use such old software and I prefer OpenWrt anyway.

Kukulo, I have tried to install OpenConnect again, but no luck.

Here is the screenshot from GlobalProtect, if this will give some hint to any of you:

[screenshot]

The strange thing is that it SOMETIMES works, like I went to sleep, woke up and it worked. Then I restarted the notebook and boom, not working.

When I came back from eating my lunch, it worked. I was taking the screenshot to show you and I noticed that the protocol is SSL when it is working and IPSec when not:

[screenshot]

But GlobalProtect app doesn't seem to have any setting to switch the protocol manually.

Choose the SSL connection options for the GlobalProtect app. You can opt to enforce SSL connections only, disallow SSL connections, or allow the user to choose SSL or IPSec (default) depending on geo-location and network performance to provide the best user experience.
In the App Configuration area, choose the Connect with SSL Only options you want to allow.

source: https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-portals/define-the-globalprotect-client-authentication-configurations/customize-the-globalprotect-app.html

On the app, the user can select Settings > General to enable Connect with SSL Only, and Settings > Connection to verify that the Protocol is SSL.

If I understand correctly, you want to achieve IPsec passthrough on your router, since I see your client software is on Windows.

There are some settings on the portal's side of GlobalProtect that affect the protocol, but I have no control over them. It appears that "Automatically Use SSL When IPSec Is Unreliable (hours)" is set and that's why it miraculously starts working after some time.

So yes, the problem is narrowed down to non-functional IPsec on the router. Can I fix it somehow?

Try to dig here: https://openwrt.org/docs/guide-user/services/vpn/ipsec/strongswan/firewall

I believe it must be something simpler. This page is about setting up a tunnel to a particular site (site to site), but other devices work without such a complicated setup.

How about this: https://forum.archive.openwrt.org/viewtopic.php?id=60492 ?

Try adding this in /etc/config/firewall and restarting the firewall:

Allow IPsec/ESP and ISAKMP passthrough:

config rule
	option name Allow-ESP-RFC6092
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT

config rule
	option name Allow-IKE-RFC6092
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT

I guess the first rule does it: option proto esp

Also here: https://oldwiki.archive.openwrt.org/doc/uci/firewall#ipsec_passthrough
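As an added example (not from this thread or from OpenWrt itself), here is a small POSIX sh script that audits a UCI firewall config for the passthrough rules discussed above. It goes slightly beyond the two rules posted: besides ESP and IKE on UDP/500 it also checks for NAT-T on UDP/4500, which an IPsec client sitting behind NAT needs. The sample config embedded in the script is constructed for the demo and deliberately lacks the IKE and NAT-T rules; on a real router you would pass it the contents of /etc/config/firewall instead.

```shell
#!/bin/sh
# Added example, not OpenWrt code: audit a UCI firewall config for the
# IPsec passthrough rules (ESP, IKE on UDP/500, NAT-T on UDP/4500).

# Constructed sample config: only the ESP passthrough rule is present.
SAMPLE_CONFIG='
config rule
    option name Allow-ESP-RFC6092
    option src wan
    option dest lan
    option proto esp
    option target ACCEPT

config rule
    option name Allow-Ping
    option src wan
    option proto icmp
    option target ACCEPT
'

# Flatten UCI text: every "config rule" section becomes one line of
# key=value tokens (quotes around values stripped), e.g.
#   rule name=Allow-Ping src=wan proto=icmp target=ACCEPT
flatten_rules() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^[ \t]*config / { if (sec != "") print sec; sec = $2 }
        /^[ \t]*option / { v = $3; gsub(q, "", v); gsub("\"", "", v)
                           sec = sec " " $2 "=" v }
        END              { if (sec != "") print sec }
    ' | grep '^rule'
}

# has_rule CONFIG TOKEN...: succeeds if some rule section carries every
# requested key=value token (order of options does not matter).
has_rule() {
    config="$1"; shift
    flatten_rules "$config" | while read -r line; do
        ok=1
        for tok in "$@"; do
            case " $line " in *" $tok "*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] && { echo found; break; }
    done | grep -q found
}

# ipsec_passthrough_missing CONFIG: prints the name of each passthrough rule
# that is absent, one per line; prints nothing when all three are present.
ipsec_passthrough_missing() {
    config="$1"
    has_rule "$config" src=wan dest=lan proto=esp target=ACCEPT \
        || echo ESP
    has_rule "$config" src=wan dest=lan proto=udp dest_port=500 target=ACCEPT \
        || echo IKE
    has_rule "$config" src=wan dest=lan proto=udp dest_port=4500 target=ACCEPT \
        || echo NAT-T
}

# On a router: ipsec_passthrough_missing "$(cat /etc/config/firewall)"
ipsec_passthrough_missing "$SAMPLE_CONFIG"
```

Run against the embedded sample it reports IKE and NAT-T as missing. The script only tells you whether the accept rules exist in the config; to confirm that packets actually reach and leave the router, the usual next step is to watch the WAN interface with `tcpdump -ni <wan-iface> esp or udp port 500 or udp port 4500` (the interface name is yours to fill in, and tcpdump needs installing on OpenWrt) while the client attempts to connect.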

Nope, no luck.

These rules should already be enabled by default:

Yes, they were enabled.

Couldn't it be something else than firewall? I have now enabled everything imaginable, but it still doesn't work.

How can I debug if the router is blocking some traffic?

IPsec setup is significantly more complicated than WireGuard or OpenVPN.
I would not recommend it unless your networking skills are high enough to set up an OpenVPN site-to-site connection with your eyes closed.