DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IPSec VPN (Draytek 2820 to MikroTik)

  • gman_uk
  • Topic Author
  • Offline
  • New Member
  • New Member
More
13 Feb 2010 02:32 #60504 by gman_uk
IPSec VPN (Draytek 2820 to MikroTik) was created by gman_uk
Help please!

I'm trying to configure an IPSec VPN on a Draytek Vigor 2820 that's connecting to a MikroTik router at the remote end. I've configured a LAN to LAN profile but the VPN will not come up. I understand the principals of VPN but I'm not experienced enough to troubleshoot it.

Firstly, would someone confirm if I need to concern myself with configuration of the IPSec General Settings when using a LAN to LAN profile.

Also could someone check my configuration (as detailed below) to see if there are any obvious mistakes based on the vpn configuration I was given by staff at remote end.

VPN PARAMS:
Phase 1
protocol Esp
exchange mode main
hashing algo md5
encryptio9n algo 3des
DH group 1
life time 28800

Phase 2
encapsulation mode Tunnel
encryption algo 3des
hashing algo md5
perfect forward secrecy None
life time 28800

CONFIG ON DRAYTEK

1. Common Settings

Profile = ENABLED
Call direction = DIAL OUT
Netbios Naming Packet = PASS
Multicast via VPN = BLOCK

2. Dial-Out Settings

Type of server = IPSEC TUNNEL
Server IP/Host Name for VPN = MIKROTIK PUBLIC IP

IKE Authentication Method
PRE-SHARED KEY ENTERED
IPSec Security Method
HIGH (ESP) - 3DES WITHOUT AUTHENTICATION

IKE advanced settings
IKE phase 1 mode = MAIN
IKE phase 1 proposal = 3DES_MD5_G1
IKE phase 2 proposal = 3DES
IKE phase 1 & 2 lifetime = 28800
Perfect Forward Secret = DISABLED

3 - Dial-In Settings

N/A - Call direction set to DIAL OUT (as above)

4 - TCP/IP Network Settings
My WAN IP = 0.0.0.0
Remote Gateway IP = 0.0.0.0
Remote Network IP = REMOTE NETWORK ID
Remote Network Mask = REMOTE NETWORK SUBNET

RIP Direction = DISABLED
From first subnet to remote network, you have to do = ROUTE

Advance thanks for your time and assistance

Please Log in or Create an account to join the conversation.

  • gman_uk
  • Topic Author
  • Offline
  • New Member
  • New Member
More
13 Feb 2010 14:31 #60509 by gman_uk
Replied by gman_uk on topic Active Link
Success!!

FYI - I managed to obtain admin access to Mikrotik and changed mode from Main to Aggressive and the link came up.

Please Log in or Create an account to join the conversation.

More
13 Feb 2010 17:52 #60513 by njh
Replied by njh on topic IPSec VPN (Draytek 2820 to MikroTik)
If you can change it back, it is better for security. Also look at enabling PFS.

On the Vigor, did you try playing with the IPSec Security Method (with/without authentication). Also did you get syslog running and see its output?

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • gman_uk
  • Topic Author
  • Offline
  • New Member
  • New Member
More
13 Feb 2010 21:27 #60517 by gman_uk
Replied by gman_uk on topic vpn
Thanks for your reply.

I did try 3DES with and without authentication under IPSec Security method but this had no effect.

I have set up a syslog server for the Draytek but I'm unable to view this until I'm back in the office on Monday morning.

FYI we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX so I am a little concerned about the overhead of too much encryption (ie. any latency this may cause the voice).

Please Log in or Create an account to join the conversation.

More
13 Feb 2010 21:43 #60518 by njh
Replied by njh on topic Re: vpn

gman_uk wrote: FYI we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX so I am a little concerned about the overhead of too much encryption (ie. any latency this may cause the voice).


The 2820 had hardware encryption for both 3DES and AES so the processing overhead is pretty low. If you look here the 2820 series has a rated throughput of 20Mbps. This will massively exceed your adsl upload rate.

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • gman_uk
  • Topic Author
  • Offline
  • New Member
  • New Member
More
16 Feb 2010 13:44 #60557 by gman_uk
Replied by gman_uk on topic vpn
OK just to recap its using settings as above but I've changed it from MAIN to aggressive mode.

The draytek now shows a vpn connection under connection management but it appears that we are only transmitting data and not recieving any as there are no stats for RX rate or packets.

The MikroTik log shows an error with decrypted packet but I've copied in both logs as below. Any suggestions here?

Here is the log from daytek:

192.168.1.7 02/16/10 12:36:40 02/16/10 12:36:47 local 1 Notice Vigor "sent QI2, IPsec SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Cleint L2L remote network setting is 192.168.0.0/24"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Start IKE Quick Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "sent AI2, ISAKMP SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Initiating IKE Aggressive Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Dialing Node1 (LahoreNew) : 203.175.74.251"

On the MikroTik the log shows:

received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase1, aggressive
responding phase 1, starting mode Agggresive
received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase 1, aggressive
ISAKMP SA established
received ISAKMP packet from xxx.xxx.xxx.xxx:500 phase2, quick
responding phase2
received ISAKMP packet from xxxx.xxx.xxx.xxx:500 phase2, quick
decrypted packet did not match policy

Please Log in or Create an account to join the conversation.

Moderators: Sami