Trying to make InstantGuard work!

[fearz]

I have an AC5300 - I can connect to instant guars locally but not from externally...

I followed the guide here:

[Instant Guard] How to set up Instant Guard with port forwarding under private WAN IP? | Official Support | ASUS Global

After setting up fort forwarding UDP 500,4500 to my local router IP 192.179.2.1 and try to connect via the App it says:

Termporarily unable to activate instant guard. it conflicts with port forwarding rule using UDP 500 and 4500 port. Please disable port forwarding rule in order to use IG.



So why in the article is it asking me to set port forward?

How to fix that?

 

[Kapet]

У меня есть AC5300 - я могу подключиться к мгновенным гуарам локально, но не извне ...

Я следил за руководством здесь:

[URL Unfurl = "true"] https://www.asus.com/support/FAQ/1045725/#:~:text=Set internal IP as 192.168,UDP for Instant Guard VPN. & text = rule% 20for% 20HTTPS-, Set% 20internal% 20IP% 20as% 20192.168., протокол% 20to% 20TCP% 20for% 20HTTPS. [/ URL]

После настройки форта пересылки UDP 500,4500 на IP-адрес моего локального маршрутизатора 192.179.2.1 и попытки подключиться через приложение он говорит:

Временно не может активировать мгновенную охрану. он конфликтует с правилом переадресации портов, использующим порт UDP 500 и 4500. Пожалуйста, отключите правило переадресации портов, чтобы использовать IG.



Так почему в статье меня просят настроить переадресацию порта?

Как это исправить?

The guide says:
«Your router connects to Internet through another router (here we called "the Root AP"). The Root AP assigned IP address to your router. In such case, you have to set up Port Forwarding, NAT Server, or Virtual Server on the Root AP to make Instant Guard VPN available for private IP address.".

The Root AP - is your provider's router. Make an agreement with your provider, if it works out... Or get a personal public ip address from your provider.

 

[fearz]

The guide says:
«Your router connects to Internet through another router (here we called "the Root AP"). The Root AP assigned IP address to your router. In such case, you have to set up Port Forwarding, NAT Server, or Virtual Server on the Root AP to make Instant Guard VPN available for private IP address.".

The Root AP - is your provider's router. Make an agreement with your provider, if it works out... Or get a personal public ip address from your provider.

Thank you,

Here is my Setup,

I have a modem thats connected to the AC5300 WAN interface...

I have a fixed IP set on the router 196.219.98.x
My router IP is 192.168.2.1 and has an external WAN IP of 196.219.98.x
My modem IP is 192.168.1.1

I can access both from my browser...

Where shall I set the port forwarding? if I set it on the router, i get that error message...

 

[ColinTaylor]

Where shall I set the port forwarding? if I set it on the router, i get that error message...

You shouldn't set any port forwarding because you're not using two routers.

 

[fearz]

You shouldn't set any port forwarding because you're not using two routers.

So why then it wont connect externally? it will only connect if im using Wifi of the router...

I'm going crazy!

 

[bob123456]

So why then it wont connect externally? it will only connect if im using Wifi of the router...

I'm going crazy!

Hi,
I think I can explain some of it.
In the picture from ASUS, note that the WAN ip is actually a local ip (from the root AP). That means it's using two routers, both having local ip addresses.

In your case you are actually using a proper WAN ip, going to your router with a lan ip:
My router IP is 192.168.2.1 and has an external WAN IP of 196.219.98.x
That means you only have 1 local ip address, and one WAN ip address. There is therefore no need for port forwarding.

So it would be like in the Asus demo:
Internet- Wan IP -Device A - Wan IP (which is actually a Local IP, the one from the device A) 192.168.1.100 - Device B
In your case:
Internet- Wan IP -Device A - Wan IP (which is actually a proper WAN IP) - Device B

Basically your 192.168.1.1 is irrelevant, it's the only way to connect to your device A, but it's not taken into calculation by your local network. You properly have a subnet directly connected to the internet.

That's why you do not need any port forwarding from device A to device B.

 

[bob123456]

So why then it wont connect externally?

Have you looked here:
Asus link
There's some remote options to activate.

 

[fearz]

Have you looked here:
Asus link
There's some remote options to activate.

Yep, followed every step, will only connect via LAN but not from outside,,,says your VPN did not respond....however from LAN it works perfectly.

 

[ColinTaylor]

Maybe your ISP blocks the IPSec protocols. Do you see error messages in the router's syslog when you try to connect externally?

 

[fearz]

Maybe your ISP blocks the IPSec protocols. Do you see error messages in the router's syslog when you try to connect externally?

Dec 8 04:29:13 06[NET] received packet: from 102.62.127.253[9595] to 196.219.98.28[500] (848 bytes)
Dec 8 04:29:13 06[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
Dec 8 04:29:13 06[IKE] received NAT-T (RFC 3947) vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Dec 8 04:29:13 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 8 04:29:13 06[IKE] received XAuth vendor ID
Dec 8 04:29:13 06[IKE] received Cisco Unity vendor ID
Dec 8 04:29:13 06[IKE] received FRAGMENTATION vendor ID
Dec 8 04:29:13 06[IKE] received DPD vendor ID
Dec 8 04:29:13 06[IKE] 102.62.127.253 is initiating a Main Mode IKE_SA
Dec 8 04:29:13 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 8 04:29:13 06[ENC] generating ID_PROT response 0 [ SA V V V V V ]
Dec 8 04:29:13 06[NET] sending packet: from 196.219.98.28[500] to 102.62.127.253[9595] (180 bytes)
Dec 8 04:29:43 07[JOB] deleting half open IKE_SA with 102.62.127.253 after timeout

 

[bob123456]

Hi, not sure if you use IKEV1 or V2, I read it might be easier with v2:

How to manually configure IKEv2 VPN on iOS?

@XIII Bump: Great that mobileconfig profiles are working for you... I am trying to do the same, creating a mobileconfig and then signing. - Can you please provide details as to how you are creating the mobileconfig file? - I have tried endlessly; but not succeeding... - Are you importing the...

www.snbforums.com

It seems due to this log: " deleting half open IKE_SA " that some packet is lost.

I read and it actually seems your Instantguard uses Strongswans implementation of IPSec/IKEv2.
If you can configure that, would be good to show/share the settings.

Probably something in the router, are you using upnp?