[Openswan Users] Roadwarrior setup to Draytek Vigor
Thorsten Meinl
Thorsten.Meinl at uni-konstanz.de
Wed Feb 27 02:23:14 EST 2013
Hi all,
I've been trying to set up a VPN connection to a Draytek Vigor router for
several days now, but with no luck. I managed to get the IPsec connection
running (using RSA keys), but the client side cannot reach any of the
hosts behind the VPN gateway. When I try to reach any of those hosts, the
data is *not* going via the IPsec tunnel but directly to nowhere via the
default route. Here is my setup:
Roadwarrior behind NAT (currently 192.168.0.11) <-->
VPN gateway (212.126.160.54) <-->
private network (172.17.17.0/24)
* Client side ipsec.conf:

config setup
    nat_traversal=yes
    oe=off
    interfaces="%defaultroute"
    protostack=netkey

conn zurich
    authby=rsasig
    pfs=no
    rekey=yes
    keyingtries=3
    type=tunnel
    left=%defaultroute
    leftprotoport=17/1701
    leftrsasigkey=%cert
    leftcert=knime-vpn.pem
    right=212.126.160.54
    rightid="C=CH, ..."
    rightprotoport=17/1701
    rightcert=knime-router.pem
    rightsubnet=172.17.17.0/24
    auto=start
* The connection is established fine:
# ipsec auto --status
...
000 #6: "zurich":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 7s; newest IPSEC; eroute owner; isakmp#5; idle;
import:admin initiate
000 #6: "zurich" esp.d5602698 at 212.126.160.54 esp.b470df2d at 192.168.0.11
tun.0 at 212.126.160.54 tun.0 at 192.168.0.11 ref=0 refhim=4294901761
* ip xfrm states and policies are set up:

# ip xfrm state
src 212.126.160.54 dst 192.168.0.11
    proto esp spi 0xedf354b0 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x22909d0fa3c76f39a1d95a777edf8fb40c88d23c 96
    enc cbc(aes) 0x9616b34a4a5edcefcdb31d55df3b7f3a
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.0.11 dst 212.126.160.54
    proto esp spi 0xd5602699 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xae8c7253a4b2f7564c97a5f1e8208973b73cea89 96
    enc cbc(aes) 0x2421510c8ab4858ea7fb4cc5360e0693
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

# ip xfrm policy
src 192.168.0.11/32 dst 172.17.17.0/24 proto udp sport 1701 dport 1701
    dir out priority 2088
    tmpl src 192.168.0.11 dst 212.126.160.54
        proto esp reqid 16385 mode tunnel
src 172.17.17.0/24 dst 192.168.0.11/32 proto udp sport 1701 dport 1701
    dir fwd priority 2088
    tmpl src 212.126.160.54 dst 192.168.0.11
        proto esp reqid 16385 mode tunnel
src 172.17.17.0/24 dst 192.168.0.11/32 proto udp sport 1701 dport 1701
    dir in priority 2088
    tmpl src 212.126.160.54 dst 192.168.0.11
        proto esp reqid 16385 mode tunnel
However, when I ping any of the hosts in the private network, e.g.
172.17.17.2, I don't see any encrypted packets in tcpdump/wireshark, but
only direct connections. In the end I get "Destination Net Unreachable"
from the roadwarrior's NAT router. What am I doing wrong here?
Thanks,
Thorsten
--
Dr.-Ing. Thorsten Meinl room: Z813
Nycomed Chair for Bioinformatics fax: +49 (0)7531 88-5132
and Information Mining phone: +49 (0)7531 88-5016
Box 712, 78457 Konstanz, Germany
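As an added diagnostic example (not part of the original post and not Openswan code): the `ip xfrm policy` selectors quoted above carry `proto udp sport 1701 dport 1701`, which is what `leftprotoport`/`rightprotoport=17/1701` request, so only L2TP traffic is covered by the tunnel policies. The script below parses that output (embedded as constructed input) and checks which flows a policy covers; an ICMP echo from 192.168.0.11 to 172.17.17.2 matches no outbound policy, which is why the kernel hands it to ordinary routing instead of the ESP tunnel.

```python
import ipaddress
import re

# Constructed input: the `ip xfrm policy` output quoted in the post.
XFRM_POLICY_OUTPUT = """\
src 192.168.0.11/32 dst 172.17.17.0/24 proto udp sport 1701 dport 1701
dir out priority 2088
tmpl src 192.168.0.11 dst 212.126.160.54
proto esp reqid 16385 mode tunnel
src 172.17.17.0/24 dst 192.168.0.11/32 proto udp sport 1701 dport 1701
dir fwd priority 2088
tmpl src 212.126.160.54 dst 192.168.0.11
proto esp reqid 16385 mode tunnel
src 172.17.17.0/24 dst 192.168.0.11/32 proto udp sport 1701 dport 1701
dir in priority 2088
tmpl src 212.126.160.54 dst 192.168.0.11
proto esp reqid 16385 mode tunnel
"""
# Selector line of a policy; proto/sport/dport are optional (absent means "any").
SEL_RE = re.compile(
    r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?$")

def parse_policies(text):
    """Parse the selector and direction of each policy; tmpl lines are skipped."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SEL_RE.match(line.strip())
        if m:
            src, dst, proto, sport, dport = m.groups()
            cur = {"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                   "proto": None if proto in (None, "any") else proto,
                   "sport": int(sport) if sport else None,
                   "dport": int(dport) if dport else None, "dir": None}
            policies.append(cur)
        elif line.strip().startswith("dir ") and cur is not None:
            cur["dir"] = line.split()[1]
    return policies

def matching_policy(policies, direction, src, dst, proto, sport=None, dport=None):
    """Return the first policy whose selector covers the flow, or None."""
    flow = {"proto": proto, "sport": sport, "dport": dport}
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        # A selector field of None means "any"; otherwise it must match exactly.
        if p["dir"] == direction and s in p["src"] and d in p["dst"] and all(
                p[k] is None or p[k] == flow[k] for k in flow):
            return p
    return None

POLICIES = parse_policies(XFRM_POLICY_OUTPUT)
```

Feed it the live `ip xfrm policy` output to confirm whether a flow that is not being encrypted is actually covered by any installed selector before looking at routing.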