DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IPSec VPN (Draytek 2820 to MikroTik)

13 Feb 2010 02:32 #1 by gman_uk
IPSec VPN (Draytek 2820 to MikroTik) was created by gman_uk
Help please!

I'm trying to configure an IPSec VPN on a Draytek Vigor 2820 that's connecting to a MikroTik router at the remote end. I've configured a LAN to LAN profile but the VPN will not come up. I understand the principles of VPN but I'm not experienced enough to troubleshoot it.

Firstly, would someone confirm if I need to concern myself with configuration of the IPSec General Settings when using a LAN to LAN profile?

Also, could someone check my configuration (as detailed below) to see if there are any obvious mistakes, based on the VPN configuration I was given by staff at the remote end.

VPN PARAMS:
Phase 1
protocol Esp
exchange mode main
hashing algo md5
encryption algo 3des
DH group 1
life time 28800

Phase 2
encapsulation mode Tunnel
encryption algo 3des
hashing algo md5
perfect forward secrecy None
life time 28800

CONFIG ON DRAYTEK

1. Common Settings

Profile = ENABLED
Call direction = DIAL OUT
Netbios Naming Packet = PASS
Multicast via VPN = BLOCK

2. Dial-Out Settings

Type of server = IPSEC TUNNEL
Server IP/Host Name for VPN = MIKROTIK PUBLIC IP

IKE Authentication Method
PRE-SHARED KEY ENTERED
IPSec Security Method
HIGH (ESP) - 3DES WITHOUT AUTHENTICATION

IKE advanced settings
IKE phase 1 mode = MAIN
IKE phase 1 proposal = 3DES_MD5_G1
IKE phase 2 proposal = 3DES
IKE phase 1 & 2 lifetime = 28800
Perfect Forward Secret = DISABLED

3 - Dial-In Settings

N/A - Call direction set to DIAL OUT (as above)

4 - TCP/IP Network Settings
My WAN IP = 0.0.0.0
Remote Gateway IP = 0.0.0.0
Remote Network IP = REMOTE NETWORK ID
Remote Network Mask = REMOTE NETWORK SUBNET

RIP Direction = DISABLED
From first subnet to remote network, you have to do = ROUTE

Thanks in advance for your time and assistance.


13 Feb 2010 14:31 #2 by gman_uk
Replied by gman_uk on topic Active Link
Success!!

FYI - I managed to obtain admin access to Mikrotik and changed mode from Main to Aggressive and the link came up.


13 Feb 2010 17:52 #3 by njh
Replied by njh on topic IPSec VPN (Draytek 2820 to MikroTik)
If you can change it back, it is better for security. Also look at enabling PFS.

On the Vigor, did you try playing with the IPSec Security Method (with/without authentication)? Also, did you get syslog running and see its output?

2900Gi/v2.5.6; 2900/v2.5.6


13 Feb 2010 21:27 #4 by gman_uk
Replied by gman_uk on topic vpn
Thanks for your reply.

I did try 3DES with and without authentication under IPSec Security Method, but this had no effect.

I have set up a syslog server for the Draytek but I'm unable to view this until I'm back in the office on Monday morning.

FYI, we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX, so I am a little concerned about the overhead of too much encryption (i.e. any latency this may cause the voice).


13 Feb 2010 21:43 #5 by njh
Replied by njh on topic Re: vpn

gman_uk wrote: FYI we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX so I am a little concerned about the overhead of too much encryption (ie. any latency this may cause the voice).


The 2820 had hardware encryption for both 3DES and AES, so the processing overhead is pretty low. If you look here, the 2820 series has a rated throughput of 20Mbps. This will massively exceed your ADSL upload rate.

2900Gi/v2.5.6; 2900/v2.5.6


16 Feb 2010 13:44 #6 by gman_uk
Replied by gman_uk on topic vpn
OK, just to recap: it's using the settings as above, but I've changed it from MAIN to aggressive mode.

The Draytek now shows a VPN connection under Connection Management, but it appears that we are only transmitting data and not receiving any, as there are no stats for RX rate or packets.

The MikroTik log shows an error with a decrypted packet, but I've copied in both logs below. Any suggestions here?

Here is the log from the Draytek:

192.168.1.7 02/16/10 12:36:40 02/16/10 12:36:47 local 1 Notice Vigor "sent QI2, IPsec SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Cleint L2L remote network setting is 192.168.0.0/24"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Start IKE Quick Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "sent AI2, ISAKMP SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Initiating IKE Aggressive Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Dialing Node1 (LahoreNew) : 203.175.74.251"

On the MikroTik the log shows:

received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase1, aggressive
responding phase 1, starting mode Agggresive
received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase 1, aggressive
ISAKMP SA established
received ISAKMP packet from xxx.xxx.xxx.xxx:500 phase2, quick
responding phase2
received ISAKMP packet from xxxx.xxx.xxx.xxx:500 phase2, quick
decrypted packet did not match policy

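As an added example (not code from the thread, from DrayTek or from MikroTik), the Python below lays the two proposal sets side by side exactly as posted and flags the settings njh's reply raises (aggressive mode, no PFS) along with the legacy algorithm choices; the Phase 2 "integrity" mismatch it reports is the Vigor's "3DES without authentication" against the MikroTik's 3des/md5, which is the kind of side-by-side check that helps narrow down a Quick Mode failure like the one logged above. Field and function names are my own.

```python
# Added example: compare IKEv1 Phase 1 / Phase 2 proposals as posted in the
# thread and review the profile from a defender's point of view.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: Optional[str]   # None = ESP without authentication
    dh_group: Optional[int]    # Phase 2: PFS group, None = PFS disabled
    lifetime: int              # seconds


def mismatches(local: Proposal, remote: Proposal) -> List[str]:
    """Names of the fields that differ; an empty list means the two ends
    agree on this phase and the negotiation of that phase can succeed."""
    return [name for name in ("encryption", "integrity", "dh_group", "lifetime")
            if getattr(local, name) != getattr(remote, name)]


def weak_settings(phase1_mode: str, phase1: Proposal, phase2: Proposal) -> List[str]:
    """Review of a profile: the points raised in the thread plus the
    algorithm choices a current review would flag."""
    issues = []
    if phase1_mode.lower() == "aggressive":
        issues.append("aggressive mode: identity and PSK-based hash are exchanged "
                      "before encryption starts; prefer main mode")
    if phase2.dh_group is None:
        issues.append("PFS disabled: a recovered Phase 1 key exposes all Phase 2 traffic")
    if phase2.integrity is None:
        issues.append("ESP without authentication: payloads are not integrity protected")
    if phase1.dh_group == 1:
        issues.append("DH group 1 (768-bit MODP) is too small")
    for p in (phase1, phase2):
        if p.encryption == "3des" or p.integrity == "md5":
            issues.append(f"legacy algorithms in proposal: {p.encryption}/{p.integrity}")
    return issues


# Remote end (MikroTik) parameters as given to the poster
MIKROTIK_P1 = Proposal("3des", "md5", 1, 28800)
MIKROTIK_P2 = Proposal("3des", "md5", None, 28800)
# Vigor 2820 profile as posted: 3DES_MD5_G1, then "3DES without authentication"
VIGOR_P1 = Proposal("3des", "md5", 1, 28800)
VIGOR_P2 = Proposal("3des", None, None, 28800)

if __name__ == "__main__":
    print("phase 1 mismatches:", mismatches(VIGOR_P1, MIKROTIK_P1))  # []
    print("phase 2 mismatches:", mismatches(VIGOR_P2, MIKROTIK_P2))  # ['integrity']
    for issue in weak_settings("aggressive", VIGOR_P1, VIGOR_P2):
        print("-", issue)
```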