[Openswan Users] Openswan cannot make connection with DrayTek

Nick Howitt n1ck.h0w1tt at gmail.com
Wed Sep 14 14:07:00 EDT 2011


Still on Main Mode. My menus are different as the 2910 uses v3.x of
Draytek's O/S whereas my 2900 uses v2.x, but for me I go into my LAN-LAN
Profile Setup > Dial-Out Settings > Advanced. From there I can set the
LocalID and also enable PFS. For me in Openswan my rightid = @FromMum
and in the Draytek I put FromMum. My Draytek is on a nominally (as it
rarely changes) Dynamic IP as well.

I've just downloaded your manual and the option is in a similar place.



On 14/09/2011 05:09, Steve Leung wrote:
> Hi Nick,
> Sorry for my late reply, as we had a mid-autumn festival here
> yesterday :)
> The DrayTek will use IP address as the local ID if it's running in
> Main Mode, so it needs to be Aggressive Mode as DrayTek is using
> dynamic IP.
> Any other ideas to make it work with Openswan in Aggressive Mode?
> Thank you so much for your help.
> Best regards,
> Steve
> 2011/9/13 Nick Howitt <n1ck.h0w1tt at gmail.com>:
>> On 12/09/2011 04:29, Steve Leung wrote:
>>> Hi Nick,
>>>> I use main mode with PFS rather than aggressive mode as it is more
>>>> secure.
>>> I thought that Main Mode (PSK) must use IP Address to identify the
>>> peer, is there any way to use Main Mode (PSK) with a peer using
>>> dynamic IP? I know that this works if I use cert... but I'd prefer to
>>> use PSK in this setup.
>> I'm not sure I totally understand this. I use Main Mode with a PSK and a
>> Draytek on a dynamic IP. If you are talking about the PSK in ipsec.secrets,
>> you can use IP addresses, left/rightid or %any (or leave blank which is the
>> same as %any). I use left/rightid. From what I have worked out there is no
>> point in putting in a known value for left (IP address of leftid) then %any
>> for your other field as %any will apply to both ends of the connection.
>>>> Openswan responds correctly if you do not specify ike and phase2alg so
>>>> try leaving them out if you switch to main mode. If you use
>>>> aggressive mode, don't you need to fully specify phase2alg?
>>> I should have already fully specified phase2alg=3ds-md5 and with
>>> pfs=no, since the DrayTek was set to disable PFS so I think it's ok to
>>> not specify a modp group.
>> This becomes irrelevant if you can switch to main mode. I was just
>> commenting on what the docs said.
>>>> I use a rightid like you, but should not strings be preceded by an @?
>>> Openswan supports this U-FQDN format (both preceded by @ and something
>>> like a at b) without problem.
>> Again I was commenting on the docs. If it works (and in a router manual I've
>> seen you can use an e-mail address, so with @ in the middle), it works.
>>>> I do not use a leftid but you may need to because you have a NAT device.
>>>> You may need to set the leftid to the WAN IP of the Openswan device.
>>>> auto should be "add" as right = %any. Openswan cannot initiate to a
>>>> dynamic IP.
>>>> I think rekey should be no as only the initiating end should start
>>>> rekeying.
>>> Oh yes, rekey seems useless here, this is my mistake, I will correct
>>> that.
>> ... and "auto = add"
>>>> Have you tried looking at the DrayTek logs (either with DrayTek's own
>>>> tool or Wallwatcher)?
>>> The logs from DrayTek are nearly useless :( It just said that it's
>>> initiating IPsec in Aggressive Mode and no valuable information
>>> inside.
>> I have not looked at the logs in years and I don't have a copy of
>> Wallwatcher any more, but I think Wallwatcher was a bit more informative
>> (though that does not make sense as both logging programs are trapping the
>> same messages)
>>> Best regards,
>>> Steve
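The settings discussed in this thread (Main Mode with PFS, a responder-only conn with right=%any, a rightid string on the DrayTek, leftid for a NAT'd Openswan box, rekey=no, and a PSK keyed on the IDs rather than %any) collected into one Openswan config. This is an added example, not a config posted by Nick or Steve and not from the Openswan or DrayTek documentation; the conn name, addresses, subnets and secret are placeholders.

```conf
# Added example, not from the thread. Angle-bracket values are placeholders.

# /etc/ipsec.conf
conn draytek-fromMum
    keyexchange=ike
    type=tunnel
    authby=secret
    # Openswan side: static WAN address. leftid is only needed when the
    # Openswan box sits behind a NAT device; set it to the public WAN IP.
    left=<openswan-WAN-IP>
    leftid=<openswan-WAN-IP>
    leftsubnet=<lan-behind-openswan>/24
    # DrayTek side: dynamic IP, so it is matched by the LocalID string set in
    # LAN-LAN Profile Setup > Dial-Out Settings > Advanced on the router.
    # The router enters FromMum; Openswan writes it with a leading @.
    right=%any
    rightid=@FromMum
    rightsubnet=<lan-behind-draytek>/24
    # Main Mode with PFS. No ike= or phase2alg= lines, so Openswan responds
    # with whatever the DrayTek proposes rather than failing on a mismatch.
    pfs=yes
    # Openswan cannot initiate to %any: just load the conn and wait for the
    # DrayTek to dial out. Leave rekeying to the initiating end.
    auto=add
    rekey=no

# /etc/ipsec.secrets
# Key the PSK on the two IDs. A %any entry would match both ends, so there is
# no point combining a known leftid with %any here.
<openswan-WAN-IP> @FromMum : PSK "<shared-secret>"
```

Load it with `ipsec auto --add draytek-fromMum` and then trigger the dial-out from the DrayTek; the PFS and LocalID settings on the router must match the pfs=yes and rightid lines above or Phase 2 will be rejected.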
