[Openswan Users] Trying to connect to Draytek router with IPSec
darren share
darren.share at chronos.co.uk
Tue Mar 28 06:22:57 EDT 2017
Hi,
I am running an Ubuntu VPS and I'm trying to get it to connect to a Draytek
router acting as a VPN endpoint at my office. The Draytek has several other
remote Drayteks tunnelling into it so I'm unable to change the settings at
that end.
I am trying to establish a tunnel from my VPS with no joy. I have created a
specific profile for the VPS on the Draytek. When I configure a remote
Draytek to dial-in, these are the settings that work:
PSK: XXXXXXX
IPSec Security Method: High(ESP) 3DES with Authentication
IKE Phase 1 mode: Main
IKE Phase 1 proposal: 3DES_SHA1_G2
IKE Phase 2 proposal: 3DES_SHA1
IKE Phase 1 key lifetime: 86400s
IKE Phase 2 key lifetime: 3600s
PFS: Disable
Remote Network IP: 10.0.0.0
Remote Network Mask: 255.255.0.0
Local Network IP: 10.0.10.0
Local Network Mask: 255.255.255.0
So I need to translate these into an ipsec.conf file. This is what I've got
so far:
# basic configuration
config setup
        klipsdebug=all
        plutodebug="control parsing"
        interfaces=%defaultroute
        oe=no
        protostack=auto
        nat_traversal=yes
        syslog=syslog.debug
        virtual_private=%v4:10.0.30.0/16

conn net-to-net
        type=tunnel
        authby=secret
        auto=start
        ikelifetime=86400s
        keylife=3600s
        left=%defaultroute
        leftsourceip=<VPS IP address>
        leftsubnet=10.0.30.0/24
        aggrmode=no
        pfs=no
        right=<Draytek external address>
        rightsubnet=10.0.0.0/16
        # ike=3des-sha1;modp1024!
        # phase2alg=3des-sha1;modp1024
With this ipsec.conf I can see packets leaving the VPS but the tunnel isn't
established:
11:19:44.577299 IP (tos 0x0, ttl 64, id 31146, offset 0, flags [DF], proto
UDP (17), length 892)
<VPS Address>.isakmp > <Draytek Address>.isakmp: [bad udp cksum 0x45dc
-> 0xb75f!] isakmp 1.0 msgid 00000000 cookie
ca837204e7654e72->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=18
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp2048))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1536)(type=keylen value=0100))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1536)(type=keylen value=0100))
(t: #9 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
(t: #10 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1536))
(t: #11 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1536))
(t: #12 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024)(type=keylen value=0100))
(t: #13 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
(t: #14 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1024)(type=keylen value=0100))
(t: #15 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
(t: #16 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024))
(t: #17 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth
value=preshared)(type=group desc value=modp1024))))
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
(vid: len=16 4048b7d56ebce88525e7de7f00d6c2d3)
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=16 7d9419a65310ca6f2c179d9215529d56)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
11:19:44.587902 IP (tos 0x0, ttl 242, id 12234, offset 0, flags [none],
proto UDP (17), length 156)
<Draytek Address>.isakmp > <VPS Address>.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=1
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))))
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
(vid: len=16 4a131c81070358455c5728f20e95452f)
11:19:44.593741 IP (tos 0x0, ttl 64, id 31147, offset 0, flags [DF], proto
UDP (17), length 384)
<VPS Address>.isakmp > <Draytek Address>.isakmp: [bad udp cksum 0x43e0
-> 0x11b3!] isakmp 1.0 msgid 00000000 cookie
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 I ident:
(ke: key len=256
)
(nonce: n len=16 78bc2e4e5abcbd16eea158b44d49ad5f)
(pay20)
(pay20)
11:19:45.000344 IP (tos 0x0, ttl 242, id 12242, offset 0, flags [none],
proto UDP (17), length 384)
<Draytek Address>.isakmp > <VPS Address>.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident:
(ke: key len=256
)
(nonce: n len=16 3b239752301f9754b3633ba8df7b4931)
(pay20)
(pay20)
11:19:45.008153 IP (tos 0x0, ttl 64, id 31237, offset 0, flags [DF], proto
UDP (17), length 108)
<VPS Address>.ipsec-nat-t > <Draytek Address>.ipsec-nat-t: [bad udp
cksum 0x42cc -> 0xd2bc!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 I ident[E]: [encrypted id]
11:19:45.019147 IP (tos 0x0, ttl 242, id 12269, offset 0, flags [none],
proto UDP (17), length 108)
<Draytek Address>.ipsec-nat-t > <VPS Address>.ipsec-nat-t: [udp sum ok]
NONESP-encap: isakmp 1.0 msgid 00000000 cookie
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident[E]: [encrypted id]
11:19:45.019573 IP (tos 0x0, ttl 242, id 12272, offset 0, flags [none],
proto UDP (17), length 124)
<Draytek Address>.ipsec-nat-t > <VPS Address>.ipsec-nat-t: [udp sum ok]
NONESP-encap: isakmp 1.0 msgid d077cb75 cookie
08a05b41a6d3da0a->b6698ecf0753d89d: phase 2/others R inf[E]: [encrypted
hash]
11:19:45.021199 IP (tos 0x0, ttl 64, id 31239, offset 0, flags [DF], proto
UDP (17), length 108)
<VPS Address>.ipsec-nat-t > <Draytek Address>.ipsec-nat-t: [bad udp
cksum 0x42cc -> 0xd7ff!] NONESP-encap: isakmp 1.0 msgid 3a25b209 cookie
ca837204e7654e72->7fbe6375f5b33fb0: phase 2/others I inf[E]: [encrypted
hash]
I thought it might be because of the proposals, so I added the ike and
phase2alg lines to ipsec.conf (which are currently commented out), but if I
uncomment them I don't see any traffic at all. The PSK has been added to
ipsec.secrets:
<VPS address> %any : PSK "XXXXXXXX"
The logging on the Draytek is non-existent so I can't see what the problem
is.
Any clue what I might be doing wrong?
Thanks.
Darren.
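To make the proposal comparison in the capture above mechanical, here is an added example (not from Darren's post and not Openswan's own code): a small Python parser that reads tcpdump's ISAKMP SA payload text, names each offered IKE transform in Openswan's ike= notation, and reports whether the transform the responder accepted matches the one the Draytek profile lists (3DES_SHA1_G2, i.e. 3des-sha1;modp1024). The sample text is a constructed excerpt containing three of the 18 initiator transforms and the responder's reply from the capture.

```python
import re

# Constructed excerpt of the post's tcpdump output: transforms #0, #4 and #16
# from the initiator's SA payload, and the single transform the responder chose.
INITIATOR_SA = """
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048))
(t: #16 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024))
"""
RESPONDER_SA = """
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
"""

# One transform runs from "(t: #N id=ike" to the first "))" (last attribute
# close plus transform close); tcpdump wraps attributes across lines, so \s+.
TRANSFORM_RE = re.compile(r"\(t: #(\d+) id=ike (.*?\))\)", re.S)
ATTR_RE = re.compile(r"\(type=(enc|hash|auth|group\s+desc|keylen)\s+value=(\w+)\)")


def parse_transforms(sa_text):
    """Map transform number -> Openswan-style name such as 'aes256-sha1;modp2048'."""
    result = {}
    for num, body in TRANSFORM_RE.findall(sa_text):
        attrs = {re.sub(r"\s+", " ", k): v for k, v in ATTR_RE.findall(body)}
        enc = attrs["enc"]
        if "keylen" in attrs:  # tcpdump prints the key length in hex bits: 0100 -> 256
            enc += str(int(attrs["keylen"], 16))
        result[int(num)] = f"{enc}-{attrs['hash']};{attrs['group desc']}"
    return result


def check_proposal(initiator_text, responder_text, wanted_ike):
    """Compare what was offered and accepted against an ike= value (trailing '!' allowed)."""
    wanted = wanted_ike.rstrip("!").strip()
    offered = parse_transforms(initiator_text)
    accepted = list(parse_transforms(responder_text).values())
    return {
        "offered": len(offered),
        "wanted_offered_as": [n for n, name in offered.items() if name == wanted],
        "accepted": accepted,
        "accepted_is_wanted": wanted in accepted,
    }


if __name__ == "__main__":
    print(check_proposal(INITIATOR_SA, RESPONDER_SA, "3des-sha1;modp1024!"))
```

Run against the full capture, the report shows how many transforms Openswan offered, which transform number carries the Draytek profile's 3DES_SHA1_G2, and that the Draytek accepted aes256-sha1;modp2048 instead.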