DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Draytek to Draytek VPN issue
- thirst4knowledge
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 27
- Thank you received: 0
20 Feb 2010 17:35 #60655
by thirst4knowledge
sure,
Both Sides are using:
Always On
Preshared Key
ESP
NAT Traversal
Local Gateway:
WAN Interface : WAN3
Security Gateway : 1.1.1.3
3des Md5
next default IP / subnet mask: 192.168.10.0/24
Next hop: default
Remote Gateway[/b]
DHCP-over-IP: OFF
Security Gateway: 1.1.1.1
Network IP /Subnet Mask: 192.168.20/24
Advanced settings:
IKE Phase 1
Mode Main
peer ID: 3 (this is automatically generated)
Key Lifetime:15 minutes
Proposal: 3des-md5-modp768 3des-md5-modp1024 3des-md5-modp1536 3des-md5-modp1024
Ike Phase2(quick mode)
Key Lietime 1140 Minutes
Proposal: 3des-md5 3des 3des-sha1 3des-sha1 3des-sha1
PFS: NO
Dead Peer detection: Disabled
Obviously remote fateway IP's are swaped each side......You need anything else ?
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue
As you have a private IP triggering a VPN initiation, is the remote end set up for VPN passthrough?NJH wrote:
BTW, I've no idea how to read the log files so I am only looking for something which catches my eye.
Please can you post your LAN-LAN settings?
sure,
Both Sides are using:
Always On
Preshared Key
ESP
NAT Traversal
Local Gateway:
WAN Interface : WAN3
Security Gateway : 1.1.1.3
3des Md5
next default IP / subnet mask: 192.168.10.0/24
Next hop: default
Remote Gateway[/b]
DHCP-over-IP: OFF
Security Gateway: 1.1.1.1
Network IP /Subnet Mask: 192.168.20/24
Advanced settings:
IKE Phase 1
Mode Main
peer ID: 3 (this is automatically generated)
Key Lifetime:15 minutes
Proposal: 3des-md5-modp768 3des-md5-modp1024 3des-md5-modp1536 3des-md5-modp1024
Ike Phase2(quick mode)
Key Lietime 1140 Minutes
Proposal: 3des-md5 3des 3des-sha1 3des-sha1 3des-sha1
PFS: NO
Dead Peer detection: Disabled
Obviously remote fateway IP's are swaped each side......You need anything else ?
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
20 Feb 2010 20:47 #60661
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic Draytek to Draytek VPN issue
Can you turn off NAT traversal? It is not needed if the routers are directly connected to the internet via a modem or anything which does not perform NAT.
Then can you try setting one end to dial in and the other to dial out. You will not ba able to set "always on" at the dial in end, so at that end use an Idle Timeout of 0.
Rather than use a Peer ID, can you specify the peer IP?
For your ESP what are you using? You seem to prefer 3DES (but AES is as good or better). Are you using Authentication? I would.
Once you get things going, your key lives are very short. The default ones aren't bad. Also you should aim to turn on PFS.
Then can you try setting one end to dial in and the other to dial out. You will not ba able to set "always on" at the dial in end, so at that end use an Idle Timeout of 0.
Rather than use a Peer ID, can you specify the peer IP?
For your ESP what are you using? You seem to prefer 3DES (but AES is as good or better). Are you using Authentication? I would.
Once you get things going, your key lives are very short. The default ones aren't bad. Also you should aim to turn on PFS.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- thirst4knowledge
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 27
- Thank you received: 0
21 Feb 2010 21:00 #60670
by thirst4knowledge
I will try turning off NAT T, next time I'm in the office.....
One thing I dont get is the NAT thing... to Me NAT is mapping an RFC 1918 non routable Private IP address to a Publicly routable address.
So this is what every router dose otherwise you would not be able to get out onto the internet. So please explain what you mean when you say that the router is not doing nat:
" via a modem or anything which does not perform NAT."
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue
Can you turn off NAT traversal? It is not needed if the routers are directly connected to the internet via a modem or anything which does not perform NAT.NJH wrote:
Then can you try setting one end to dial in and the other to dial out. You will not ba able to set "always on" at the dial in end, so at that end use an Idle Timeout of 0.
Rather than use a Peer ID, can you specify the peer IP?
For your ESP what are you using? You seem to prefer 3DES (but AES is as good or better). Are you using Authentication? I would.
Once you get things going, your key lives are very short. The default ones aren't bad. Also you should aim to turn on PFS.
I will try turning off NAT T, next time I'm in the office.....
One thing I dont get is the NAT thing... to Me NAT is mapping an RFC 1918 non routable Private IP address to a Publicly routable address.
So this is what every router dose otherwise you would not be able to get out onto the internet. So please explain what you mean when you say that the router is not doing nat:
" via a modem or anything which does not perform NAT."
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
21 Feb 2010 21:59 #60672
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic Draytek to Draytek VPN issue
Routers do NAT, but NAT-T is something different. Have a look
here
.
Normally IPSec is not a NAT friendly protocol in so much as it will not work if there is a device performing NAT between the two IPSec end points. The most common scenario for this is probably a road-warrior connecting to the internet in a hotel or house via a router to an IPSec server directly connected to the internet. In this case the road warrior IPSec will not normally work. In order for it to pass through the NAT device, both end points need to support NAT traversal. If they do support NAT traversal, the IPSec packet is encapsulated in another UDP packet and transmitted (I believe) on port 4500.
In your case, where both endpoints appear to have public IP addresses, I have assumed they are directly connected to the internet (built-in ADSL, ADSL modem and PPPoE, Ethernet to a cable modem or something similar). In this case you do not need NAT-T. I have no idea if disabling it will make any difference but it won't hurt.
What I am trying to do is simplify the connection parameters to get it going. Once it is running, we can then start to add bells and whistles. This is why, for example, I am trying to make one end only initiate the connection.
BTW, where have you put the dial-in PSK's? Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?
Normally IPSec is not a NAT friendly protocol in so much as it will not work if there is a device performing NAT between
In your case, where both endpoints appear to have public IP addresses, I have assumed they are directly connected to the internet (built-in ADSL, ADSL modem and PPPoE, Ethernet to a cable modem or something similar). In this case you do not need NAT-T. I have no idea if disabling it will make any difference but it won't hurt.
What I am trying to do is simplify the connection parameters to get it going. Once it is running, we can then start to add bells and whistles. This is why, for example, I am trying to make one end only initiate the connection.
BTW, where have you put the dial-in PSK's? Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
- thirst4knowledge
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 27
- Thank you received: 0
21 Feb 2010 23:00 #60673
by thirst4knowledge
Replied by thirst4knowledge on topic Draytek to Draytek VPN issue
Thanks for the advice.
what do u mean by psk?:
" where have you put the dial-in PSK's? "Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?"
ohhh hang on youo mean on the 2820 dont u ?
yes I put psk in the LAN to LAN section, there are 2 places in the lan to lan section to put the psk in right ?
what do u mean by psk?:
" where have you put the dial-in PSK's? "Have you put them in the LAN-LAN profiles or in the VPN IKE / IPSec General Setup?"
ohhh hang on youo mean on the 2820 dont u ?
yes I put psk in the LAN to LAN section, there are 2 places in the lan to lan section to put the psk in right ?
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
22 Feb 2010 12:27 #60682
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic Draytek to Draytek VPN issue
I only have a 2600 and 2900 to play with, but I believe the options on a 2820 series are similar but the menus look different.
In the LAN-LAN profile there are 2 places to put the PSK (pre-shared key) - one for dial in and one for dial out. I don't know if they are allowed to be different. The dial in one here pretty much only works when the remote IP is fixed. If the remote IP is dynamic, it is normally put in the VPN IKE / IPSec General Setup.
In the LAN-LAN profile there are 2 places to put the PSK (pre-shared key) - one for dial in and one for dial out. I don't know if they are allowed to be different. The dial in one here pretty much only works when the remote IP is fixed. If the remote IP is dynamic, it is normally put in the VPN IKE / IPSec General Setup.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek