DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Astaro 320 v7 and a 2900 router: A VPN problem

09 Mar 2010 17:16 #1 by rstanway
I'm trying to connect an Astaro and a 2900 via a LAN to LAN connection.

I've got them talking but the connection will only come up if the Draytek unit initiates the link. Can anyone help?

The Draytek settings are:
Dialout -
IPSEC tunnel
High (ESP) 3DES with Auth
IKE ph1 - 3DES_SHA1_G1
IKE ph2 - 3DES_SHA1

Dialin -
IPSec Tunnel
High (ESP) 3DES

The Astaro has a

IKE: Auth PSK / Enc 3DES_CBC_192 / Hash SHA / Lifetime 7800s / DPD
IPSec: Enc 3DES_0 / Hash HMAC_SHA1 / Lifetime 3600s

The connection is set to initiate which should allow both ends to pick up the link and I've tried with and without the routes and filters being enforced.

Any ideas?

Thanks
Rob

09 Mar 2010 17:37 #2 by njh
On the older routers including the 2900 series it was not advised to set the VPN to Both (Dial-in and Dial-out) due to intermittent issues.

Anyway, are both ends on fixed or dynamic IPs? What are your Dial-In and Dial-Out settings in the LAN-LAN profile?

Are you doing any logging on the 2900 - either Syslog or WallWatcher (from memory I think WallWatcher gave a friendlier output)?

2900Gi/v2.5.6; 2900/v2.5.6

10 Mar 2010 08:36 #3 by rstanway
Hi

I've not put any logging on but I will, and yes both ends have a static IP.

Thanks

10 Mar 2010 09:57 #4 by rstanway
OK, I've been running Wallwatcher and I get the following in the log:

09:59:33.47 received a unicast arp request from 00:1a:8c:17:57:41
09:59:33.46 responding to main mode from xxx.xxx.xxx.xxx
09:59:33.45 ike <==, next payload=isakmp_next_sa, exchange type = 0x2, message id = 0x0

Does this look like the Astaro is trying to connect but the Draytek doesn't respond?

Thanks
Rob
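
The WallWatcher line in post #4 reports three fields of the fixed ISAKMP header defined in RFC 2408: next payload, exchange type and message ID. The following Python is an added example, not part of any poster's message or of DrayTek's or Astaro's code, that decodes those fields from a UDP/500 payload; the function names and the sample cookie value are assumptions made for illustration.

```python
import struct

# ISAKMP exchange types (RFC 2408 section 3.1; 32 is IKE Quick Mode, RFC 2409)
EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 4: "Aggressive",
            5: "Informational", 32: "Quick Mode"}
# Payload type numbers (RFC 2408 section 3.1)
PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
           11: "NOTIFY", 13: "VENDOR_ID"}
HDR = struct.Struct("!8s8sBBBBII")  # 28-byte fixed ISAKMP header


def decode_isakmp(datagram: bytes) -> dict:
    """Decode the fixed ISAKMP header at the start of a UDP/500 payload."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _icookie, rcookie, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(datagram)
    if length < HDR.size or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    return {
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(xchg, f"unknown({xchg:#x})"),
        "next_payload": PAYLOAD.get(nxt, f"unknown({nxt})"),
        "message_id": msgid,
        "encrypted": bool(flags & 0x01),
        # RFC 2408: the message ID is zero throughout phase 1 negotiation
        "phase": 1 if msgid == 0 else 2,
        # The responder cookie is all zeros only in the initiator's first message
        "first_message": rcookie == bytes(8),
    }


def describe(info: dict) -> str:
    """One-line reading of a decoded header."""
    if info["first_message"] and info["phase"] == 1 and info["next_payload"] == "SA":
        return f"peer is initiating phase 1 via {info['exchange']}"
    return (f"phase {info['phase']} {info['exchange']} message, "
            f"first payload {info['next_payload']}")


# Constructed sample: header only, made-up initiator cookie, and the field
# values from the log line (next payload SA, exchange 0x2, message id 0x0).
SAMPLE = HDR.pack(bytes.fromhex("1122334455667788"), bytes(8),
                  1, 0x10, 2, 0, 0, HDR.size)

if __name__ == "__main__":
    print(describe(decode_isakmp(SAMPLE)))
```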

10 Mar 2010 12:52 #5 by njh
Yes, it looks like it does.

In order to simplify things, if you want the Astaro to dial the 2900, when testing, can you switch the 2900 to dial-in only?

Can you also post your LAN-LAN settings and say if you are on fixed or dynamic IPs?

2900Gi/v2.5.6; 2900/v2.5.6

10 Mar 2010 13:36 #6 by rstanway
Thanks for responding,

Yes, both ends have fixed IPs.

What other Draytek settings do you want for the LAN-LAN setup? The first post had all of them, I think.

The Draytek settings are:
Dialout -
IPSEC tunnel
High (ESP) 3DES with Auth
IKE ph1 - 3DES_SHA1_G1
IKE ph2 - 3DES_SHA1

Dialin -
IPSec Tunnel
High (ESP) 3DES

From looking at the logs on the Astaro it seems to be unhappy with the response from the Draytek, which is odd as the Astaro will accept the connection if the Draytek starts the connection.

Does the Draytek have settings for IKE etc. for both dial-in and dial-out, or does it use the same for both?

Thanks
Rob
