[Openswan Users] Openswan cannot make connection with DrayTek

Steve Leung kesteve at kesteve.com
Wed Sep 14 00:09:42 EDT 2011


Hi Nick,


Sorry for my late reply, as we had a mid-autumn festival here yesterday :)

The DrayTek will use IP address as the local ID if it's running in Main 
Mode, so it needs to be Aggressive Mode as DrayTek is using dynamic IP.

Any other ideas to make it works with Openswan in Aggressive Mode? Thank you 
so much for your help.


Best regards,
Steve


2011/9/13 Nick Howitt <n1ck.h0w1tt at gmail.com>:
>
>
> On 12/09/2011 04:29, Steve Leung wrote:
>>
>> Hi Nick,
>>
>>
>>> I use main mode with PFS rather than aggressive mode as it is more
>>> secure.
>>
>> I thought that Main Mode (PSK) must use IP Address to identify the
>> peer, is there any way to use Main Mode (PSK) with a peer using
>> dynamic IP? I know that this works if I use cert... but I'd prefer to
>> use PSK in this setup.
>
> I'm not sure I totally understand this. I use Main Mode with a PSK and a
> Draytek on a dynamic IP. If you are talking about the PSK in 
> ipsec.secrets,
> you can use IP addresses, left/rightid or %any (or leave blank which is 
> the
> same as %any). I use left/rightid. From what I have worked out there is no
> point in putting in a known value for left (IP address of leftid) then 
> %any
> for your other field as %any will apply to both ends of the connection.
>>
>>> Openswan responds correctly if you do not specify ike and phase2alg so
>>> try leaving them out if you switch to main mode. If you use aggressive 
>>> mode,
>>> don't you need to fully specify phase2alg?
>>
>> I should have already fully specified phase2alg=3ds-md5 and with
>> pfs=no, since the DrayTek was set to disable PFS so I think it's ok to
>> not specifying a modp group.
>>
> This becomes irrelevant if you switch can switch to main mode. I was just
> commenting on what the docs said.
>>>
>>> I use a rightid like you, but should not strings be preceded by an @?
>>
>> Openswan support this U-FQDN format (both preceded by @ and something
>> like a at b) without problem.
>>
> Again I was commenting on the docs. If it works (and in a router manual 
> I've
> seen you can use an e-mail address, so with @ in the middle), it works.
>>>
>>> I do not use a leftid but you may need to because you have a NAT device.
>>> You may need to set the leftid to the WAN IP of the Openswan device.
>>> auto should be "add" as right = %any. Openswan cannot initiate to a
>>> dynamic IP.
>>> I think rekey should be no as only the initiating end should start
>>> rekeying.
>>
>> Oh yes, rekey seems useless here, this is my mistake, I will correct 
>> that.
>>
> ... and "auto = add"
>>>
>>> Have you tried looking at the DrayTek logs (either with DrayTek's own
>>> tool or Wallwatcher)?
>>
>> The logs from DrayTek are nearly useless :(  It just said that it's
>> initiating IPsec in Aggressive Mode and no valuable information
>> inside.
>
> I have not looked at the logs in years and I don't have a copy of
> Wallwatcher any more, but I think Wallwatcher was a bit more informative
> (though that does not make sense as both logging programs are trapping the
> same messages)
>>
>> Best regards,
>> Steve



More information about the Users mailing list