DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Astaro 320 v7 and a 2900 router: A VPN problem

More
10 Mar 2010 18:45 #61109 by njh
In the settings I was trying to find out if you had specified a Remote VPN Gateway. If you have you have to put your PSK in the IKE Pre-Shared Key here. If not, you have to put it in VPN IKE / IPSec General Setup. If you used the VPN IKE / IPSec General Setup method, have you un-checked Medium as the security method (and preferably DES as well as it is crackable)

What makes you think the Astaro is unhappy with the response? Do you have a log from it?

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • rstanway
  • Topic Author
  • Offline
  • New Member
  • New Member
More
15 Mar 2010 09:23 #61171 by rstanway
Replied by rstanway on topic Astaro 320 v7 and a 2900 router: A VPN problem
The log from the Astaro says:

No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Currently I've not specified a remote gateway and have it configured as you suggest. But I have tried it the other way too with no joy.

I'm starting to think a "dial-out" only method is the way to go here

Please Log in or Create an account to join the conversation.

More
15 Mar 2010 13:10 #61180 by njh
It looks like the phase 1 (main mode) negotiation is working and the phase 2 (quick mode) is failing. Are you sure the option on the Astaro matches what the Draytek is expecting? Can you try changing it to something else with a key length of 128 or 256 (but could be talking rubbish here). I'll have to check when I get home to see which 3DES algorithms are being used with my Drayteks to my Linux box.

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • rstanway
  • Topic Author
  • Offline
  • New Member
  • New Member
More
15 Mar 2010 13:25 #61181 by rstanway
Replied by rstanway on topic Astaro 320 v7 and a 2900 router: A VPN problem
you'll have to excuse my ignorance but does it use the same phase 1 and 2 settings when make and receiving requests? if so why can I make the connection one way and not the other?

As for the key length I am using 256

Thanks

Please Log in or Create an account to join the conversation.

More
15 Mar 2010 18:33 #61189 by njh
I may have been a bit wide of the mark here. When my Drayteks dial my Linux box, my main mode connection reads:
Code:
auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024

and my 2900 phase 2 connection reads:
Code:
ESP=>0x6fdec8e3 <0xf392d0cc xfrm=AES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none

whereas my 2600 phase 2 connection reads:
Code:
ESP=>0x7cf9f624 <0x79d7e407 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none


I don't know if this gives you any clues. Both routers start with 3DES but I allow the 2900 to use AES for phase 2.

Otherwise you'll have to play around. I'm not sure I can help much more. :(

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • rstanway
  • Topic Author
  • Offline
  • New Member
  • New Member
More
16 Mar 2010 08:33 #61195 by rstanway
Replied by rstanway on topic Astaro 320 v7 and a 2900 router: A VPN problem
Thanks for all your help, You've been a star.

At the moment I've got them working in dialout mode and I'm waiting on the guys from Astaro to come back to me. If I get an answer I'll post it.

Thanks again!

Rob

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami