DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Multiple outbound ipsec vpns - possible? Gotchas?
- routintooter
- Topic Author
- Junior Member
- Posts: 20
16 Oct 2012 14:42 #73851
by routintooter
Multiple outbound ipsec vpns - possible? Gotchas? was created by routintooter
Hi
Draytek 2920 f/w 3.6.1 (fixes the >9 vpn profiles issue...)
We are trying to set up 2 outbound ipsec vpns (site to site)
1 (already stable) to a Juniper device.
2 (proposed) to draytek 2830n
The issue seems to be that the 2nd vpn never connects - the first is fine.
If we set it up so there is 1 inbound and one outbound, all is fine.
I understand that there may be an issue if you are trying to support >1 ipsec vpn when behind a nat device, but we are not (unless our internet provider is telling porkies).
So: are there any fundamental issues with having >1 outbound IPsec VPN on DrayTeks?
Thank you.
- sicon
- Contributor
- Posts: 642
17 Oct 2012 09:45 #73857
by sicon
Replied by sicon on topic Re: Multiple outbound ipsec vpns - possible? Gotchas?
No, they should support many VPNs.
I have a site with a 2930VN running 2 x IPsec GRE trunks (so 4 tunnels joined into 2) plus 4 other normal IPsec tunnels and then a random amount of remote dial-in VPNs.
What firmware is the 2920 on? Have you checked the syslogs at each end of the 2nd tunnel etc.?
Are the subnets different at each remote site?
- routintooter
- Topic Author
- Junior Member
- Posts: 20
17 Oct 2012 13:14 #73867
by routintooter
Replied by routintooter on topic Re: Multiple outbound ipsec vpns - possible? Gotchas?
Thanks for the reply.
FW 3.6.1
Different subnets.
These two routers work fine if i reverse the set up (i.e. the source becomes the target)
Connection set up to use Peer ID, only use IPsec security: High ESP (DES, 3DES, AES), aggressive mode.
It basically mimics the "working" outbound config (with a different Peer ID and a different target router).
Snapshot of source/target router syslogs (from syslog explorer).
Source Router
2012-10-17 12:59:04 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:59:04 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:59:04 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:59:03 DOUBLE free for 81b6eb64: 7a99 from this.id.name
2012-10-17 12:58:51 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:51 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:51 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:58:44 DOUBLE free for 81b6f2f0: 7a99 from this.id.name
2012-10-17 12:58:32 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:32 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:32 Dialing Node11 (KBBSTOCB1) :
Target Router
2012-10-17 12:59:17 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:11 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:08 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:04 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:58 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:55 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:46 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:40 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:37 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:30 Responding to Aggressive Mode from Some.ip.address.here
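Reading the two snapshots side by side: Exchange Type 0x4 in the source router's IKE line is ISAKMP Aggressive Mode, the target answers every attempt ("Responding to Aggressive Mode"), but neither log shows phase 1 completing, and the source logs "DOUBLE free" between one attempt and the next. The script below is an added example, not code from the post or from DrayTek: it runs that correlation over constructed copies of the quoted lines (same placeholder names the poster used) and flags the retry loop. The "established" pattern is an assumption, since neither snapshot contains a successful phase 1; set it to whatever your firmware actually logs when the ISAKMP SA comes up.

```python
import re
from datetime import datetime

# Constructed sample: copies of the syslog lines quoted in the post above, with the
# same placeholder names the poster used. Not a real capture.
SOURCE_LOG = """\
2012-10-17 12:59:04 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:59:04 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:59:04 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:59:03 DOUBLE free for 81b6eb64: 7a99 from this.id.name
2012-10-17 12:58:51 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:51 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:51 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:58:44 DOUBLE free for 81b6f2f0: 7a99 from this.id.name
2012-10-17 12:58:32 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:32 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:32 Dialing Node11 (KBBSTOCB1) :
"""

TARGET_LOG = """\
2012-10-17 12:59:17 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:11 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:08 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:04 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:58 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:55 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:46 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:40 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:37 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:30 Responding to Aggressive Mode from Some.ip.address.here
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

# Event signatures. The first three are verbatim from the quoted logs. "established"
# is an ASSUMPTION: neither snapshot shows a successful phase 1, so change it to the
# text your firmware logs when the ISAKMP SA actually comes up.
EVENTS = {
    "initiate": re.compile(r"Initiating IKE Aggressive Mode to (\S+)"),
    "respond": re.compile(r"Responding to Aggressive Mode from (\S+)"),
    "double_free": re.compile(r"DOUBLE free for ([0-9a-f]+)"),
    "established": re.compile(r"(established)", re.IGNORECASE),
}


def parse_log(text):
    """Return [(timestamp, event, detail)] oldest first. Lines carrying no tracked
    event (the raw 'IKE ==>' header dumps, 'Dialing NodeNN') are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for name, rx in EVENTS.items():
            hit = rx.search(m.group(2))
            if hit:
                events.append((ts, name, hit.group(1)))
                break
    events.sort(key=lambda e: e[0])
    return events


def summarize(source_text, target_text):
    """Correlate the initiator's and responder's logs and flag a phase 1 retry loop."""
    src = parse_log(source_text)
    tgt = parse_log(target_text)
    initiations = [ts for ts, ev, _d in src if ev == "initiate"]
    double_frees = [ts for ts, ev, _d in src if ev == "double_free"]
    responses = [ts for ts, ev, _d in tgt if ev == "respond"]
    established = sum(1 for _ts, ev, _d in src + tgt if ev == "established")
    retries = list(zip(initiations, initiations[1:]))
    return {
        "initiations": len(initiations),
        "responses": len(responses),
        "double_frees": len(double_frees),
        "established": established,
        "retry_intervals_s": [int((b - a).total_seconds()) for a, b in retries],
        # every retry was preceded by a DOUBLE free since the previous attempt
        "double_free_before_retry": bool(retries) and all(
            any(a < d < b for d in double_frees) for a, b in retries),
        # the responder answered, yet phase 1 never completed: stuck in a loop
        "phase1_retry_loop": len(initiations) >= 2 and len(responses) > 0
        and established == 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SOURCE_LOG, TARGET_LOG).items():
        print(f"{key}: {value}")
```

Feed it a Syslog Explorer export from each end in place of the two constructed strings. The counts are kept per end rather than matched across ends on purpose: the two routers' clocks are not guaranteed to agree, and the target here logs more responses than the source logs "Initiating" lines in the overlapping window, so only the shape (attempts without a completion) is a safe signal.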
- sicon
- Contributor
- Posts: 642
19 Oct 2012 15:40 #73886
by sicon
Replied by sicon on topic Re: Multiple outbound ipsec vpns - possible? Gotchas?
Just out of interest, do they work with static IP endpoints (IPsec with PSK) instead of X.509 peer IDs?
- routintooter
- Topic Author
- Junior Member
- Posts: 20
30 Oct 2012 17:12 #73965
by routintooter
Replied by routintooter on topic Re: Multiple outbound ipsec vpns - possible? Gotchas?
Thanks for the reply.
I have not tried it with static end points as my "test" set up uses dynamic IPs (consumer bb)
However, things get a bit odd...
I am now using 2 drayteks
2800 series f/w 2.8.2 - as dial in
Vigor2830n f/w 3.3.7.1_sb_211801 - as dial out
The 2830n already has an ipsec dial out vpn that is working ok to another target - using a peer (local) ID.
I added a second dial out IPsec VPN (the 2830n to a 2800 series) and gradually mimicked the security options, Medium > High, 3DES with authentication etc. With the "basic" settings the VPN establishes, no problem.
What I appear to have found is that one or other of the DrayTeks seems a bit sniffy about the peer ID - if I use something@now.com (e.g.) I see the double free errors in the calling DrayTek and no VPN gets established.
I have used an ip address as the peer id - worked - changed the ip address (both ends) - vpn never re-establishes.
The most "reliable" form of peer id is this.some.com (literally - this peer id always seems to reconnect after a while).
If only i knew what i was doing.
C
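The three peer ID forms tried in the post map onto different IKEv1 identification types (RFC 2407, section 4.6.2.1): an address is ID_IPV4_ADDR, "this.some.com" is ID_FQDN, and "something@now.com" is ID_USER_FQDN. The responder selects the profile and pre-shared key by type and value together, which is why Aggressive Mode sends the initiator's ID in the clear in the very first message: with a dynamic address there is nothing else to look the peer up by. The same property is the caveat a practitioner should keep in mind: with a PSK, Aggressive Mode also exposes the responder's HASH_R to offline dictionary attack, so the PSK has to be long and random. The code below is an added example, not from the thread or from DrayTek; the mapping and the payload layout are the RFC's, and how a given Vigor firmware parses its Peer ID field is an assumption this code does not test.

```python
import ipaddress
import re
import struct

# IKEv1 / IPsec DOI identification types (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11
ID_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
            ID_USER_FQDN: "ID_USER_FQDN", ID_IPV6_ADDR: "ID_IPV6_ADDR",
            ID_KEY_ID: "ID_KEY_ID"}

# Hostname labels: 1-63 chars, no leading/trailing hyphen, whole name <= 253 chars.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def classify_ike_id(peer_id):
    """Map an admin-typed Peer ID / Local ID string to the DOI ID type a conforming
    IKEv1 implementation would signal, plus the identification data octets.
    ASSUMPTION: this is the RFC mapping; a particular router's parsing of the field
    may differ and is not confirmed by the post."""
    s = peer_id.strip()
    try:
        addr = ipaddress.ip_address(s)
        return (ID_IPV4_ADDR if addr.version == 4 else ID_IPV6_ADDR), addr.packed
    except ValueError:
        pass
    if "@" in s:
        user, _, host = s.partition("@")
        if user and _FQDN_RE.match(host):
            return ID_USER_FQDN, s.encode("ascii")
    if _FQDN_RE.match(s):
        return ID_FQDN, s.encode("ascii")
    # Anything else is opaque: ID_KEY_ID carries arbitrary octets.
    return ID_KEY_ID, s.encode("utf-8")


def build_id_payload(peer_id, next_payload=0, protocol_id=0, port=0):
    """Encode an ISAKMP Identification payload (RFC 2407, section 4.6.2):
    Next Payload(1) RESERVED(1) Payload Length(2) ID Type(1) Protocol ID(1) Port(2)
    followed by the identification data. Protocol ID / port 0 mean 'any'."""
    id_type, data = classify_ike_id(peer_id)
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                         id_type, protocol_id, port)
    return header + data


def parse_id_payload(buf):
    """Decode a payload built above back to (id_type, identity string); this is what
    a responder compares against its configured peer IDs before choosing a PSK."""
    if len(buf) < 8:
        raise ValueError("Identification payload shorter than its fixed header")
    _next, _res, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if length != len(buf):
        raise ValueError("Identification payload length field does not match data")
    data = buf[8:length]
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return id_type, str(ipaddress.ip_address(data))
    return id_type, data.decode("utf-8")


if __name__ == "__main__":
    # The three forms from the post plus one opaque value, for illustration.
    for pid in ("192.0.2.1", "something@now.com", "this.some.com", "site 1"):
        id_type, _ = classify_ike_id(pid)
        print(f"{pid!r:22} -> {ID_NAMES[id_type]:13} {build_id_payload(pid).hex()}")
```

Because Aggressive Mode carries this payload unencrypted, anyone on the path sees the identity type and value; the ID is a selector, not a secret, and the only secret protecting a PSK tunnel negotiated this way is the PSK itself.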
Copyright © 2024 DrayTek