[Openswan Users] Openswan cannot make connection with DrayTek

Nick Howitt n1ck.h0w1tt at gmail.com
Wed Sep 14 14:07:00 EDT 2011


Steve,

Still on Main Mode. My menus are different as the 2910 uses v3.x of
Draytek's O/S whereas my 2900 uses v2.x, but for me I go into my LAN-LAN
Profile Setup > Dial-Out Settings > Advanced. From there I can set the
LocalID and also enable PFS. For me in Openswan my rightid = @FromMum
and in the Draytek I put FromMum. My Draytek is on a nominally (as it
rarely changes) Dynamic IP as well.

I've just downloaded your manual and the option is in a similar place.

Regards,

Nick

On 14/09/2011 05:09, Steve Leung wrote:
> Hi Nick,
>
>
> Sorry for my late reply, as we had a mid-autumn festival here
> yesterday :)
>
> The DrayTek will use IP address as the local ID if it's running in
> Main Mode, so it needs to be Aggressive Mode as DrayTek is using
> dynamic IP.
>
> Any other ideas to make it work with Openswan in Aggressive Mode?
> Thank you so much for your help.
>
>
> Best regards,
> Steve
>
>
> 2011/9/13 Nick Howitt <n1ck.h0w1tt at gmail.com>:
>>
>>
>> On 12/09/2011 04:29, Steve Leung wrote:
>>>
>>> Hi Nick,
>>>
>>>
>>>> I use main mode with PFS rather than aggressive mode as it is more
>>>> secure.
>>>
>>> I thought that Main Mode (PSK) must use IP Address to identify the
>>> peer, is there any way to use Main Mode (PSK) with a peer using
>>> dynamic IP? I know that this works if I use cert... but I'd prefer to
>>> use PSK in this setup.
>>
>> I'm not sure I totally understand this. I use Main Mode with a PSK and a
>> Draytek on a dynamic IP. If you are talking about the PSK in ipsec.secrets,
>> you can use IP addresses, left/rightid or %any (or leave blank which is the
>> same as %any). I use left/rightid. From what I have worked out there is no
>> point in putting in a known value for left (IP address of leftid) then %any
>> for your other field as %any will apply to both ends of the connection.
>>>
>>>> Openswan responds correctly if you do not specify ike and phase2alg so
>>>> try leaving them out if you switch to main mode. If you use
>>>> aggressive mode,
>>>> don't you need to fully specify phase2alg?
>>>
>>> I should have already fully specified phase2alg=3ds-md5 and with
>>> pfs=no, since the DrayTek was set to disable PFS, so I think it's ok
>>> not to specify a modp group.
>>>
>> This becomes irrelevant if you can switch to main mode. I was just
>> commenting on what the docs said.
>>>>
>>>> I use a rightid like you, but should not strings be preceded by an @?
>>>
>>> Openswan supports this U-FQDN format (both preceded by @ and something
>>> like a@b) without problem.
>>>
>> Again I was commenting on the docs. If it works (and in a router manual
>> I've seen you can use an e-mail address, so with @ in the middle), it works.
>>>>
>>>> I do not use a leftid but you may need to because you have a NAT device.
>>>> You may need to set the leftid to the WAN IP of the Openswan device.
>>>> auto should be "add" as right = %any. Openswan cannot initiate to a
>>>> dynamic IP.
>>>> I think rekey should be no as only the initiating end should start
>>>> rekeying.
>>>
>>> Oh yes, rekey seems useless here, this is my mistake, I will correct
>>> that.
>>>
>> ... and "auto = add"
>>>>
>>>> Have you tried looking at the DrayTek logs (either with DrayTek's own
>>>> tool or Wallwatcher)?
>>>
>>> The logs from DrayTek are nearly useless :( It just said that it's
>>> initiating IPsec in Aggressive Mode and there is no valuable information
>>> inside.
>>
>> I have not looked at the logs in years and I don't have a copy of
>> Wallwatcher any more, but I think Wallwatcher was a bit more informative
>> (though that does not make sense as both logging programs are trapping the
>> same messages)
>>>
>>> Best regards,
>>> Steve
>
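The setup Nick describes above (Main Mode with a PSK, PFS enabled, the dynamic-IP DrayTek identified by its LocalID through rightid rather than by address, auto=add and rekey=no on the Openswan side, ike= and phase2alg= left unset so Openswan answers whatever the DrayTek proposes) written out as an Openswan ipsec.conf and ipsec.secrets fragment. This is an added example, not configuration posted by either participant. The addresses 203.0.113.10 and 192.168.1.2, the two LAN subnets, the connection name and the secret are placeholders; the ID FromMum is the one used in the thread.

```ini
# /etc/ipsec.conf (Openswan) -- added example, not from the thread
config setup
        nat_traversal=yes          # the Openswan box sits behind a NAT device

# Main Mode + PSK to a DrayTek on a dynamic IP.
conn frommum
        type=tunnel
        authby=secret
        aggrmode=no                # Main Mode: the DrayTek sends its LocalID (FromMum), not its address
        pfs=yes                    # also enable PFS on the DrayTek (LAN-LAN Profile > Dial-Out > Advanced)
        left=192.168.1.2           # Openswan's own address behind the NAT router (assumed)
        leftid=203.0.113.10        # WAN address of the NAT router, as suggested in the thread (assumed value)
        leftsubnet=192.168.1.0/24  # LAN behind Openswan (assumed)
        right=%any                 # the DrayTek's address changes, so it cannot be named here
        rightid=@FromMum           # must match the LocalID configured on the DrayTek
        rightsubnet=192.168.2.0/24 # LAN behind the DrayTek (assumed)
        auto=add                   # only load the conn: Openswan cannot initiate to a dynamic IP
        rekey=no                   # let the initiating end (the DrayTek) start rekeying
        # ike= and phase2alg= deliberately omitted: as a responder Openswan
        # accepts the DrayTek's proposal; only Aggressive Mode needs them spelled out.

# For contrast, the Aggressive Mode / no-PFS variant the thread started from.
# Weaker: with a PSK, the Aggressive Mode exchange sends the ID in the clear
# and the authentication hash can be captured for offline guessing of the PSK.
#conn frommum-aggressive
#        aggrmode=yes
#        pfs=no
#        ike=3des-md5               # Aggressive Mode needs the proposals fully specified (assumed values)
#        phase2alg=3des-md5
#        # ... remaining settings as in conn frommum

# /etc/ipsec.secrets -- index the PSK by the same IDs used in ipsec.conf.
# A blank index (or %any) applies to every connection, so do not combine a
# specific left index with %any on the right; either name both ends or neither.
203.0.113.10 @FromMum : PSK "replace-with-a-long-random-secret"
```

After editing, run `ipsec auto --add frommum` (or restart the service) and let the DrayTek dial out; Openswan, as the responder, should log the Main Mode exchange with the peer identified as @FromMum.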

