DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
IPSec VPN (Draytek 2820 to MikroTik)
13 Feb 2010 02:32 #60504
by gman_uk
IPSec VPN (Draytek 2820 to MikroTik) was created by gman_uk
Help please!
I'm trying to configure an IPSec VPN on a Draytek Vigor 2820 that's connecting to a MikroTik router at the remote end. I've configured a LAN to LAN profile but the VPN will not come up. I understand the principles of VPN but I'm not experienced enough to troubleshoot it.
Firstly, would someone confirm if I need to concern myself with configuration of the IPSec General Settings when using a LAN to LAN profile.
Also could someone check my configuration (as detailed below) to see if there are any obvious mistakes based on the vpn configuration I was given by staff at remote end.
VPN PARAMS:
Phase 1
protocol Esp
exchange mode main
hashing algo md5
encryption algo 3des
DH group 1
life time 28800
Phase 2
encapsulation mode Tunnel
encryption algo 3des
hashing algo md5
perfect forward secrecy None
life time 28800
CONFIG ON DRAYTEK
1. Common Settings
Profile = ENABLED
Call direction = DIAL OUT
Netbios Naming Packet = PASS
Multicast via VPN = BLOCK
2. Dial-Out Settings
Type of server = IPSEC TUNNEL
Server IP/Host Name for VPN = MIKROTIK PUBLIC IP
IKE Authentication Method
PRE-SHARED KEY ENTERED
IPSec Security Method
HIGH (ESP) - 3DES WITHOUT AUTHENTICATION
IKE advanced settings
IKE phase 1 mode = MAIN
IKE phase 1 proposal = 3DES_MD5_G1
IKE phase 2 proposal = 3DES
IKE phase 1 & 2 lifetime = 28800
Perfect Forward Secret = DISABLED
3 - Dial-In Settings
N/A - Call direction set to DIAL OUT (as above)
4 - TCP/IP Network Settings
My WAN IP = 0.0.0.0
Remote Gateway IP = 0.0.0.0
Remote Network IP = REMOTE NETWORK ID
Remote Network Mask = REMOTE NETWORK SUBNET
RIP Direction = DISABLED
From first subnet to remote network, you have to do = ROUTE
Advance thanks for your time and assistance
13 Feb 2010 14:31 #60509
by gman_uk
Replied by gman_uk on topic Active Link
Success!!
FYI - I managed to obtain admin access to Mikrotik and changed mode from Main to Aggressive and the link came up.
13 Feb 2010 17:52 #60513
by njh
Replied by njh on topic IPSec VPN (Draytek 2820 to MikroTik)
If you can change it back, it is better for security. Also look at enabling PFS.
On the Vigor, did you try playing with the IPSec Security Method (with/without authentication)? Also did you get syslog running and see its output?
2900Gi/v2.5.6; 2900/v2.5.6
13 Feb 2010 21:27 #60517
by gman_uk
Replied by gman_uk on topic vpn
Thanks for your reply.
I did try 3DES with and without authentication under IPSec Security method but this had no effect.
I have set up a syslog server for the Draytek but I'm unable to view this until I'm back in the office on Monday morning.
FYI we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX so I am a little concerned about the overhead of too much encryption (i.e. any latency this may cause the voice).
13 Feb 2010 21:43 #60518
by njh
Replied by njh on topic Re: vpn
gman_uk wrote:
FYI we're using the VPN to route data for 10 soft phones installed at the remote end that will connect to our PBX so I am a little concerned about the overhead of too much encryption (i.e. any latency this may cause the voice).
The 2820 had hardware encryption for both 3DES and AES so the processing overhead is pretty low. If you look here the 2820 series has a rated throughput of 20Mbps. This will massively exceed your adsl upload rate.
2900Gi/v2.5.6; 2900/v2.5.6
16 Feb 2010 13:44 #60557
by gman_uk
Replied by gman_uk on topic vpn
OK just to recap, it's using settings as above but I've changed it from MAIN to aggressive mode.
The Draytek now shows a vpn connection under connection management but it appears that we are only transmitting data and not receiving any as there are no stats for RX rate or packets.
The MikroTik log shows an error with decrypted packet but I've copied in both logs as below. Any suggestions here?
Here is the log from Draytek:
192.168.1.7 02/16/10 12:36:40 02/16/10 12:36:47 local 1 Notice Vigor "sent QI2, IPsec SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Cleint L2L remote network setting is 192.168.0.0/24"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Start IKE Quick Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "sent AI2, ISAKMP SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Initiating IKE Aggressive Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Dialing Node1 (LahoreNew) : 203.175.74.251"
On the MikroTik the log shows:
received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase1, aggressive
responding phase 1, starting mode Agggresive
received ISAKMP packet from xxx.xxx.xxx.xxx:500, phase 1, aggressive
ISAKMP SA established
received ISAKMP packet from xxx.xxx.xxx.xxx:500 phase2, quick
responding phase2
received ISAKMP packet from xxxx.xxx.xxx.xxx:500 phase2, quick
decrypted packet did not match policy
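As an added example (not code from the thread, DrayTek or MikroTik), a small Python checker that correlates the two logs quoted above: it confirms both IKE phases from the Vigor's point of view, and when the responder logs "decrypted packet did not match policy" after the initiator reports an IPsec SA, it flags a phase 2 selector mismatch (the L2L local/remote subnets versus the MikroTik IPsec policy) and repeats njh's caveat about aggressive mode. The sample lines are constructed from the posted logs; the public IP and subnet are the ones shown in the thread.

```python
import re

# Constructed sample input, modelled on the Draytek syslog and MikroTik
# log lines posted in the thread (ordered oldest first).
DRAYTEK_LOG = """\
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Initiating IKE Aggressive Mode to 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "sent AI2, ISAKMP SA established with 203.175.74.251"
192.168.1.7 02/16/10 12:36:39 02/16/10 12:36:46 local 1 Notice Vigor "Cleint L2L remote network setting is 192.168.0.0/24"
192.168.1.7 02/16/10 12:36:40 02/16/10 12:36:47 local 1 Notice Vigor "sent QI2, IPsec SA established with 203.175.74.251"
"""
MIKROTIK_LOG = """\
responding phase 1, starting mode Agggresive
ISAKMP SA established
responding phase2
decrypted packet did not match policy
"""

# The Vigor syslog line ends with the router's message in double quotes.
VIGOR_MSG = re.compile(r'Vigor "(?P<msg>[^"]*)"$')

def vigor_messages(log):
    """Return just the quoted message text of each Draytek syslog line."""
    return [m.group("msg") for line in log.splitlines()
            if (m := VIGOR_MSG.search(line))]

def diagnose(draytek_log, mikrotik_log):
    """Correlate initiator (Vigor) and responder (MikroTik) logs; return findings."""
    f = {"phase1_mode": None, "isakmp_sa": False, "ipsec_sa": False,
         "remote_net": None, "phase2_policy_mismatch": False, "notes": []}
    for msg in vigor_messages(draytek_log):
        if (mode := re.search(r"IKE (Main|Aggressive) Mode", msg)):
            f["phase1_mode"] = mode.group(1).lower()
        f["isakmp_sa"] |= "ISAKMP SA established" in msg
        f["ipsec_sa"] |= "IPsec SA established" in msg
        if (net := re.search(r"remote network setting is (\S+)", msg)):
            f["remote_net"] = net.group(1)
    # Initiator thinks phase 2 succeeded, but the responder drops decrypted
    # traffic: the addresses inside the tunnel do not match its IPsec policy,
    # which is why TX counts rise while RX stays at zero.
    if f["ipsec_sa"] and "did not match policy" in mikrotik_log.lower():
        f["phase2_policy_mismatch"] = True
        f["notes"].append("compare MikroTik IPsec policy src/dst with the Vigor "
                          f"L2L local network and remote network {f['remote_net']}")
    if f["phase1_mode"] == "aggressive":
        f["notes"].append("aggressive mode sends the identity hash unprotected; "
                          "prefer main mode and enable PFS once the tunnel is stable")
    return f
```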
Copyright © 2024 DrayTek