[Openswan Users] Trying to connect to Draytek router with IPSec

darren share darren.share at chronos.co.uk
Tue Mar 28 06:22:57 EDT 2017


Hi,

I am running an Ubuntu VPS and I'm trying to get it to connect to a Draytek 
router acting as a VPN endpoint at my office. The Draytek has several other 
remote Drayteks tunnelling into it so I'm unable to change the settings at 
that end.

I am trying to establish a tunnel from my VPS with no joy. I have created a 
specific profile for the VPS on the Draytek. When I configure a remote 
Draytek to dial-in, these are the settings that work:

PSK: XXXXXXX
IPSec Security Method: High(ESP) 3DES with Authentication
IKE Phase 1 mode: Main
IKE Phase 1 proposal: 3DES_SHA1_G2
IKE Phase 2 proposal: 3DES_SHA1
IKE Phase 1 key lifetime: 86400s
IKE Phase 2 key lifetime: 3600s
PFS: Disable

Remote Network IP: 10.0.0.0
Remote Network Mask: 255.255.0.0
Local Network IP: 10.0.10.0
Local Network Mask: 255.255.255.0

So I need to translate these into an ipsec.conf file. This is what I've got 
so far:

# basic configuration
config setup
    klipsdebug=all
    plutodebug="control parsing"
    interfaces=%defaultroute
    oe=no
    protostack=auto
    nat_traversal=yes
    syslog=syslog.debug
    virtual_private=%v4:10.0.30.0/16
conn net-to-net
    type=tunnel
    authby=secret
    auto=start
    ikelifetime=86400s
    keylife=3600s
    left=%defaultroute
    leftsourceip=<VPS IP address>
    leftsubnet=10.0.30.0/24
    aggrmode=no
    pfs=no
    right=<Draytek external address>
    rightsubnet=10.0.0.0/16
#    ike=3des-sha1;modp1024!
#    phase2alg=3des-sha1;modp1024

With this ipsec.conf I can see packets leaving the VPS but the tunnel isn't 
established:

11:19:44.577299 IP (tos 0x0, ttl 64, id 31146, offset 0, flags [DF], proto 
UDP (17), length 892)
    <VPS Address>.isakmp > <Draytek Address>.isakmp: [bad udp cksum 0x45dc 
-> 0xb75f!] isakmp 1.0 msgid 00000000 cookie 
ca837204e7654e72->0000000000000000: phase 1 I ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=18
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
            (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
            (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
            (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048))
            (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp2048))
            (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0100))
            (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
            (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0100))
            (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
            (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1536))
            (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1536))
            (t: #12 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0100))
            (t: #13 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
            (t: #14 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0100))
            (t: #15 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
            (t: #16 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1024))
            (t: #17 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1024))))
    (vid: len=16 afcad71368a1f1c96b8696fc77570100)
    (vid: len=16 4048b7d56ebce88525e7de7f00d6c2d3)
    (vid: len=16 4a131c81070358455c5728f20e95452f)
    (vid: len=16 7d9419a65310ca6f2c179d9215529d56)
    (vid: len=16 90cb80913ebb696e086381b5ec427b1f)
    (vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
11:19:44.587902 IP (tos 0x0, ttl 242, id 12234, offset 0, flags [none], 
proto UDP (17), length 156)
    <Draytek Address>.isakmp > <VPS Address>.isakmp: [udp sum ok] isakmp 1.0 
msgid 00000000 cookie ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=1
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4 
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))))
    (vid: len=16 afcad71368a1f1c96b8696fc77570100)
    (vid: len=16 4a131c81070358455c5728f20e95452f)
11:19:44.593741 IP (tos 0x0, ttl 64, id 31147, offset 0, flags [DF], proto 
UDP (17), length 384)
    <VPS Address>.isakmp > <Draytek Address>.isakmp: [bad udp cksum 0x43e0 
-> 0x11b3!] isakmp 1.0 msgid 00000000 cookie 
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 I ident:
    (ke: key len=256 ...)
    (nonce: n len=16 78bc2e4e5abcbd16eea158b44d49ad5f)
    (pay20)
    (pay20)
11:19:45.000344 IP (tos 0x0, ttl 242, id 12242, offset 0, flags [none], 
proto UDP (17), length 384)
    <Draytek Address>.isakmp > <VPS Address>.isakmp: [udp sum ok] isakmp 1.0 
msgid 00000000 cookie ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident:
    (ke: key len=256 ...)
    (nonce: n len=16 3b239752301f9754b3633ba8df7b4931)
    (pay20)
    (pay20)
11:19:45.008153 IP (tos 0x0, ttl 64, id 31237, offset 0, flags [DF], proto 
UDP (17), length 108)
    <VPS Address>.ipsec-nat-t > <Draytek Address>.ipsec-nat-t: [bad udp 
cksum 0x42cc -> 0xd2bc!] NONESP-encap: isakmp 1.0 msgid 00000000 cookie 
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 I ident[E]: [encrypted id]
11:19:45.019147 IP (tos 0x0, ttl 242, id 12269, offset 0, flags [none], 
proto UDP (17), length 108)
    <Draytek Address>.ipsec-nat-t > <VPS Address>.ipsec-nat-t: [udp sum ok] 
NONESP-encap: isakmp 1.0 msgid 00000000 cookie 
ca837204e7654e72->7fbe6375f5b33fb0: phase 1 R ident[E]: [encrypted id]
11:19:45.019573 IP (tos 0x0, ttl 242, id 12272, offset 0, flags [none], 
proto UDP (17), length 124)
    <Draytek Address>.ipsec-nat-t > <VPS Address>.ipsec-nat-t: [udp sum ok] 
NONESP-encap: isakmp 1.0 msgid d077cb75 cookie 
08a05b41a6d3da0a->b6698ecf0753d89d: phase 2/others R inf[E]: [encrypted 
hash]
11:19:45.021199 IP (tos 0x0, ttl 64, id 31239, offset 0, flags [DF], proto 
UDP (17), length 108)
    <VPS Address>.ipsec-nat-t > <Draytek Address>.ipsec-nat-t: [bad udp 
cksum 0x42cc -> 0xd7ff!] NONESP-encap: isakmp 1.0 msgid 3a25b209 cookie 
ca837204e7654e72->7fbe6375f5b33fb0: phase 2/others I inf[E]: [encrypted 
hash]

I thought it might be because of the proposals so I added the ike and 
phase2alg lines to ipsec.conf (that are currently commented out) but if I 
uncomment them I don't see any traffic at all. The PSK has been added to 
ipsec.secrets:

<VPS address>  %any  : PSK "XXXXXXXX"

The logging on the Draytek is non-existent so I can't see what the problem 
is.

Any clue what I might be doing wrong?

Thanks.

Darren.
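Added example (not from the post, from Openswan or from Draytek): a small Python script that parses the IKE transform list in a tcpdump ISAKMP dump like the one above into Openswan ike= notation, checks that the responder's SA echoes exactly one transform the initiator offered, and tests whether a candidate ike= line (such as the commented-out one in the ipsec.conf) is already among the offered set. The two dump excerpts it reads are constructed from the capture above, with the initiator side trimmed to three transforms.

```python
import re

# Constructed excerpt of the post's tcpdump ISAKMP dump: three of the VPS's
# 18 phase-1 transforms, and the single transform the Draytek answered with.
INITIATOR_SA = """(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048))
(t: #16 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=3des)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp1024))"""
RESPONDER_SA = """(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration len=4
value=00015180)(type=enc value=aes)(type=hash value=sha1)(type=auth
value=preshared)(type=group desc value=modp2048)(type=keylen value=0100))"""

# The four attributes that identify a transform in tcpdump's output.
ATTR = re.compile(r"\(type=(enc|hash|group desc|keylen) value=([0-9a-z]+)\)")

def parse_transforms(sa_dump):
    """Return each IKE transform as an Openswan-style 'enc[bits]-hash;group'."""
    text = " ".join(sa_dump.split())          # undo the mail client's line wrapping
    out = []
    for chunk in re.split(r"\(t: #\d+ id=ike", text)[1:]:
        attrs = dict(ATTR.findall(chunk))
        enc = attrs["enc"]
        if "keylen" in attrs:                 # keylen is hex bits: 0100 = 256, 0080 = 128
            enc += str(int(attrs["keylen"], 16))
        out.append(f"{enc}-{attrs['hash']};{attrs['group desc']}")
    return out

def chosen_transform(initiator_dump, responder_dump):
    """In IKEv1 main mode the responder's SA must echo one offered transform."""
    offered = parse_transforms(initiator_dump)
    chosen = parse_transforms(responder_dump)
    if len(chosen) != 1 or chosen[0] not in offered:
        raise ValueError(f"responder picked {chosen}, not among {offered}")
    return chosen[0]

def ike_line_is_offered(ike_setting, initiator_dump):
    """Check an ike= value such as '3des-sha1;modp1024!' against the offered set.
    The trailing '!' (Openswan strict mode) is not part of the proposal itself."""
    return ike_setting.rstrip("!") in parse_transforms(initiator_dump)

if __name__ == "__main__":
    print("offered:", parse_transforms(INITIATOR_SA))
    print("peer chose:", chosen_transform(INITIATOR_SA, RESPONDER_SA))
    print("3des-sha1;modp1024! offered:", ike_line_is_offered("3des-sha1;modp1024!", INITIATOR_SA))
```

Run against the full capture, the first function lists everything the VPS offered and the second names the transform the Draytek actually selected for phase 1.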
