[Openswan Users] IPSec config and passthrough on Draytek 2820n

Paul Overton paul at trusted-management.com
Fri Jan 11 06:09:19 EST 2013


I can think of a number of reasons why you would not necessarily wish to terminate a VPN on a Draytek router. Mostly down to reliability although I agree that the interoperability is good with OpenSwan.

You do not need to use IPsec passthrough, but you will need to switch off the IPsec functions of the Draytek router if you are using nated address space. NAT-t (encap) will work correctly so long as the Draytek does not own port 4500.

Regards Paul

-----Original Message-----
From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of Nick Howitt
Sent: 10 January 2013 18:22
To: Daniel Cave
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] IPSec config and passthrough on Draytek 2820n

Can I ask a stupid question? Why are you not terminating the IPSec in the 2820n? It is a great little router. Configure it with ESP with Encryption and Authentication, AES256/DH14, PFS and it will interoperate fine with Openswan.

Anyway, back to your question. I believe a blank line marks the end of a conn so it is not seeing your last four parameters. In the same way something at the beginning of the line marks a new conn - even if it is a #. An indented # will comment out a parameter OK.

Regards,

Nick

On 09/01/2013 22:43, Daniel Cave wrote:
> Hi there ipsec'ers
>
> I've been playing with a two host config
>
> IPsec box 1: hostname FCS01 (on internet)
>
> Internet IP Address.
> Local ip 10.49.73.1/24
> Centos 5.8.  Linux Openswan U2.6.38/K2.6.18-308.4.1.el5debug (netkey)
>
>
> It also has two other IPsec connections (another openSwan net and a net gear wifi router ipsec networks so I can ping the other two endpoints.)  - this is my 'hub'
>
> Ipsec box 2 - hostname centos62.
>
> @Home - CentOS 6.2 sat behind a Draytek 2820n running Linux Openswan
> U2.6.32/K2.6.32-220.el6.x86_64 (netkey) on the same lan.
> 192.168.72.0/24
>
> I have setup port forwarding on my 2820 to forward UDP 500/4500 to the swan box.
>
> When i set the respective configs, on Swan and fcs01 to bring up the tunnel at both ends,  and they run up and i get this on both endpoints.
>
> on fcs01 -
>
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: responding to Main
> Mode Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from
> state STATE_MAIN_R0 to state STATE_MAIN_R1 Jan  9 22:22:48 fcs01
> pluto[16053]: "swan" #25: STATE_MAIN_R1: sent MR1, expecting MI2 Jan
> 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2 Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R2: sent MR2, expecting MI3 Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3 Jan  9 22:22:48 fcs01
> pluto[16053]: "swan" #25: STATE_MAIN_R3: sent MR3, ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536} Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: the peer proposed: 10.49.73.0/24:0/0 -> 192.168.72.0/24:0/0 Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: responding to Quick Mode proposal {msgid:815f1190}
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26:     us: 10.49.73.0/24===xx..233.50.68
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26:   them: xxx.155.56.206<xx.155.56.206>===192.168.72.0/24
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state
> STATE_QUICK_R0 to state STATE_QUICK_R1 Jan  9 22:22:48 fcs01
> pluto[16053]: "swan" #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> installed, expecting QI2 Jan  9 22:22:48 fcs01 pluto[16053]: "swan"
> #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 Jan
> 9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R2: IPsec SA
> established tunnel mode {ESP=>0xb4f4c8de <0xa17e4de8
> xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> [root at fcs01 ~]# Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24:
> ignoring unknown Vendor ID payload [4f4568794c64414365636661] Jan  9
> 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload
> [Dead Peer Detection] Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24:
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jan  9
> 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I2: sent MI2,
> expecting MR2 Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24:
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I3: sent MI3, expecting MR3 Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [CAN-IKEv2] Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4 Jan  9 22:23:10 fcs01
> pluto[16053]: "swan" #24: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1536} Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #27:
> initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
> {using isakmp#24 msgid:dccc3a97 proposal=3DES(3)_192-SHA1(2)_160,
> DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536} Jan  9 22:23:10
> fcs01 pluto[16053]: "swan" #27: transition from state STATE_QUICK_I1
> to state STATE_QUICK_I2 Jan  9 22:23:10 fcs01 pluto[16053]: "swan"
> #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x6335e9b5 <0xb9337ef3 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
> On Centos62/swan, i see this
>
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: ignoring unknown
> Vendor ID payload [4f4576795c6b677a57715c73] Jan  9 22:24:27 centos62
> pluto[32740]: "fcs01" #1: received Vendor ID payload [Dead Peer
> Detection] Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1:
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jan  9
> 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2 Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1:
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [CAN-IKEv2] Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4 Jan  9 22:24:27 centos62
> pluto[32740]: "fcs01" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1536} Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #2:
> initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
> {using isakmp#1 msgid:815f1190 proposal=3DES(3)_192-SHA1(2)_160,
> DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536} Jan  9 22:24:27
> centos62 pluto[32740]: "fcs01" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2 Jan  9 22:24:27 centos62
> pluto[32740]: "fcs01" #2: STATE_QUICK_I2: sent QI2, IPsec SA
> established tunnel mode {ESP=>0xa17e4de8 <0xb4f4c8de
> xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> What do these mean?
>
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500:
> ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73] Jan  9
> 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received
> Vendor ID payload [Dead Peer Detection] Jan  9 22:24:49 centos62
> pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload
> [RFC 3947] meth=109, but port floating is off Jan  9 22:24:49 centos62
> pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off Jan
> 9 22:24:49 centos62 pluto[32740]: packet from xx.xxx.50.68:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
> but port floating is off Jan  9 22:24:49 centos62 pluto[32740]: packet
> from xx.xx.50.68:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off Jan
> 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: responding to Main
> Mode Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition
> from state STATE_MAIN_R0 to state STATE_MAIN_R1 Jan  9 22:24:49
> centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R1: sent MR1, expecting
> MI2 Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from
> state STATE_MAIN_R1 to state STATE_MAIN_R2 Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R2: sent MR2, expecting MI3 Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from
> state STATE_MAIN_R2 to state STATE_MAIN_R3 Jan  9 22:24:49 centos62
> pluto[32740]: "fcs01" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536} Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: the peer proposed: 192.168.72.0/24:0/0 -> 10.49.73.0/24:0/0 Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: responding to Quick Mode proposal {msgid:dccc3a97}
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4:     us: 192.168.72.0/24===192.168.72.69[xx.xx.56.206,+S=C]
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4:   them: xxx.xxx.50.68<xxx.xxx.50.68>[+S=C]===10.49.73.0/24
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: keeping
> refhim=4294901761 during rekey Jan  9 22:24:49 centos62 pluto[32740]:
> "fcs01" #4: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1 Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from
> state STATE_QUICK_R1 to state STATE_QUICK_R2 Jan  9 22:24:49 centos62
> pluto[32740]: "fcs01" #4: STATE_QUICK_R2: IPsec SA established tunnel
> mode {ESP=>0xb9337ef3 <0x6335e9b5 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
>
> I know the port forwarding is fine on the router as I use net cat
> pushing the udp ports 500/4500 as i see the net cat probe from i run
> from fcs01 to the public static ip i have on my home
>
> # tcpdump -lnni  eth0 port 500
>   tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 22:22:31.893797 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:31.893859 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:32.895488 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:33.896155 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:34.897823 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
>
> [root at centos62 ~]# tcpdump -lnni  eth0 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 22:23:19.926083 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:19.926142 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:20.926243 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:21.927177 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:22.928614 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
>
> The problem Im having is that I cannot ping  192.168.72.69 from fcs01
> and vica versa,  (like I can with my other connections)
>
> I also don't believe I understand whether I should be using nat-traversal, as I've tried on both sides as I've tried :-/   Also have dropped the firewall rules on both linux hosts and reinitiated the tunnels but nothing changes.
>
> Ive copied the config from one of my other openswan linux hosts and just modified the right hand side IP/networks to accommodate this connection.
>
> I've also been able to terminate an ipsec tunnel from fcs01 on my draytek 2820n  without any issues.
>
> HAs someone come across this config before and point whether they can see a problem.
>
> Configs below
>
> (cents box being draytek @ home )
>
> [root at centos62 ipsec.d]# cat fcs01.conf # basic configuration #config
> setup
> #    interfaces=eth0
> #    nat_traversal=yes
> #    oe=no
> #    protostack=netkey
> #   syslog=syslog.debug
>
> conn fcs01
>      type=tunnel
>      connaddrfamily=ipv4
>      authby=secret
>      auto=start
>      #auto=route
>      compress=no
>      ike=3des-sha1,des-md5
>      phase2alg=3des-sha1,des-md5
>      phase2=esp
>      ikelifetime=3600s
>      keyexchange=ike
>      keylife=28800s
>      keyingtries=%forever
>      left=%defaultroute
>      leftid=xx.xx.56.206
>      leftsourceip=192.168.72.69
>      leftsubnet=192.168.72.0/24
>      pfs=yes
>      #dpdaction=restart
>      #dpdtimeout=30
>      #dpddelay=120
>
>      right=xx.xx.50.68
>      rightsourceip=10.49.73.1
>      rightid=xx.xx.50.68
>      rightsubnet=10.49.73.0/24
>
> [root at fcs01 ipsec.d]# cat swan.conf
> # basic configuration
> #config setup
> #    interfaces=eth0
> #    oe=no
> ##    protostack=netkey
> #    syslog=syslog.debug
>      virtual_private=%v4:10.49.73.0/24,%v4:192.168.72.0/24
>
> conn swan
>      type=tunnel
>      connaddrfamily=ipv4
>      authby=secret
>      auto=start
>      #auto=route
>      compress=no
>      ike=3des-sha1,des-md5
>      phase2alg=3des-sha1,des-md5
>      phase2=esp
>      ikelifetime=3600s
>      keyexchange=ike
>      keylife=28800s
>      keyingtries=%forever
>      left=%defaultroute
>      leftsourceip=10.49.73.1
>      leftid=xx.x.50.68
>      leftsubnet=10.49.73.0/24
>      pfs=yes
> #    dpdaction=restart
>   #   dpdtimeout=30
>    #  dpddelay=120
>
>      right=xx.xx.56.206
>      rightid=xx.xx.56.206
>      rightsourceip=192.168.72.69
>      rightsubnet=192.168.72.0/24
>
>
> Any ideas? Thanks in advance
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments:
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
> 55

_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by Trusted Management Limited, and is
believed to be clean.



More information about the Users mailing list