DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Lan to Lan (2862lac to 2930vn)

08 Jun 2020 18:00 #1 by mwrmwr
Lan to Lan (2862lac to 2930vn) was created by mwrmwr
I have been struggling with this whenever I can find time for months now.
  • I have Android SSL vpn to each router working fine.

  • I have PC (W10) SSL and IPsec vpn to each router using Smart VPN (latest 5.3.1 disastrous waste of many days but 5.3.0 works well enough)

  • My motivation is to bypass very slow ADSL service on 2862lac. BUT as the LTE gets a NATed external ip, I can't inwards connect.

  • As the old 2930 has no Lan-Lan on SSL, I have to target IPsec to IPsec


I've been trying to debug using Syslog and that added several more wasted days to the process as Kiwi SyslogD I used many years ago just doesn't seem to respond properly even to its companion generator. However, I found VisualSyslog server (although also long out of development and .ru (!)) just worked pretty much - both on lan and more importantly across internet and into my Lan and NATed to VisualSyslog server. So, (give or take message queues, (possible minor clock differences) and lag, I can sort of see some of the interaction between the routers. I'm getting too old to want to packet trace!
Once I establish Lan-Lan, I'm sure I can resolve subnet joining/mapping/separating issues :roll:

So to get to my questions...
Lan-to-Lan:
1a) can this just work based on a dial-out (on LTE) from the 2862lac establishing 2-way traffic with the public address on the 2930vn ?
...or 1b) does each end have to be set up in IPsec as Call Direction 'both' ?

2) Connection Management: is the Dial out just nice to have (with any enabled Lan-Lan profile auto starting) or is it the only point at which the connection is initiated ?

Initially I tried (1a) and then started throwing other stuff into the mix so meanwhile I'll simplify and focus on the obvious both-ways connection using the public ADSL ...before the contract runs out at the end of the week!

Any advice appreciated thanks.
Mark

Update: I have managed to TRANSIENTLY establish IPSec Tunnel from the LTE but this quickly disconnects.
Syslog from the receiving 2930 provides me with:
>Can't find route for L2L[1] c0a80100/ffffff00 and restart this tunnel...
>IKE_RELEASE VPN : Profile not found !!
...and then the LTE syslog looks like it is tidying up before restarting the connection.


11 Jun 2020 05:06 #2 by mwrmwr
Replied by mwrmwr on topic Re: Lan to Lan (2862lac to 2930vn)
... :oops: :cry: :cry:
Got nowhere except maybe (2) appears (from syslog messages) to be a case of Enabled = Active for Lan to Lan. ...so why the jump-start Dial option ?

Somehow the remote syslog messages stopped coming to my local daemon and I couldn't reboot or change remote 2862 config in any way to force this.
Remote SMS (grr messages could have more critical details!) and emails seemed to stay active even though not helping much.

Discovered (from RTFM which was no help) that there's a Draytek SyslogD so tried installing that on remote Teamviewer host - but even though its 'tools' could see the router I could not get the dropboxes for WAN etc. to populate. Thought it might be picking up the first (unconnected RJ45) rather than the active (wifi) network
so I thought I'd Bridge (bond) the connections so only one choice ... well that was fatal as now I've lost Teamviewer host and waiting for phase 3 of lockdown to drive back to Scotland. Meanwhile, LTE back without ADSL but that's no good for VPN which is why I'm doing this anyway.

Checked out and same problem with Draytek\Syslog_v4.5.8 where I am currently (on XP and W10).
Only hint (www in kb-vigor-syslog) is that port 514 on daemon host might be blocked ...so I checked on W10 with Windows firewalls off and UDP port 514 belonged OK to Syslog process; but still no joy --- just have to conclude yet another buggy piece of software.

...and I was going to try with PPTP to see how that fared.
I wish I could find some detailed lan to lan documentation showing how dial-out | dial-in | both work with IPSec and other protocols
...I can be on a vpn client on a phone having no public ip so there must be 2-way ip traffic there so with the caveat that only the LTE end can auto-reconnect,
this should be feasible surely ?
:cry:


13 Jun 2020 02:31 #3 by hornbyp
Replied by hornbyp on topic Re: Lan to Lan (2862lac to 2930vn)

MWRMWR wrote:
My motivation is to bypass very slow ADSL service on 2862lac. BUT as the LTE gets a NATed external ip, I can't inwards connect.
As the old 2930 has no Lan-Lan on SSL, I have to target IPsec to IPsec
So - to clarify - the 2930 is at a site where there is decent Internet connection, but the 2862 isn't. You want to provide remote access to the 2862 from the internet, via a lan-to-lan VPN to the 2930 site, because the 2862 site is switching from ADSL to LTE, with no public IP address. Have I got that right :?: :)

If so, the first thing that springs to mind, is that the (old) 2930 might not support this. I have a 2830 <-->2860 VPN and NAT Port Redirection does not work on the 2830, when the target is over the VPN. It does work the other way round. (Obviously, you could bounce off a session on a PC at the 2930 site.)

MWRMWR wrote:
I've been trying to debug using Syslog and that added several more wasted days to the process as Kiwi SyslogD I used many years ago just doesn't seem to respond properly even to its companion generator.

FWIW, I've been using Draytek's Syslog Daemon seemingly forever. Assuming port 514 is open, it just works, with zero config. I use it primarily because it understands Draytek messages and splits the messages onto different Tabs. The only things I ever change, are the column widths of the redundant data fields (System Time vs Router Time, Hostname etc) - to leave more room for useful stuff, without scrolling.


MWRMWR wrote:
So to get to my questions...
Lan-to-Lan:
1a) can this just work based on a dial-out (on LTE) from the 2862lac establishing 2-way traffic with the public address on the 2930vn ?
...or 1b) does each end have to be set up in IPsec as Call Direction 'both' ?

2) Connection Management: is the Dial out just nice to have (with any enabled Lan-Lan profile auto starting) or is it the only point at which the connection is initiated ?

The VPN doesn't establish of its own volition - some traffic that needs to get to the other side will cause it to be summoned into existence. Unless set otherwise, it will drop some time later. The traffic can be a simple 'ping'. You might be able to trick it, by putting a suitable 2930 LAN address in the 2862's SNMP or Mail Alert (or Syslog) fields. Once established, data can flow in either direction, using normal IP Routing rules.

Since the 2862 will have no public IP address, it must initiate the VPN, i.e. the "Dial-out" section needs filling in its Lan-to-Lan VPN entry. Therefore, the 2930 only needs the "Dial-in" section filling in. The lack of fixed IP address means you'll have to use IPSec Aggressive Mode. Make sure you don't choose protocols and key length on the 2862 that the 2930 can't match.


13 Jun 2020 17:03 #4 by mwrmwr
Replied by mwrmwr on topic Re: Lan to Lan (2862lac to 2930vn)
Thank you for your reply. At about the time you posted, I was concluding a more successful day 8) (OK a week of not leaving the house)

I am clearer now that what I am doing should be possible. I discovered a reassuring article kb-lantolan-ipsec and it helped clarify the use of Aggressive mode... as you have suggested and almost got it except that I can not currently edit the dial-out dialog :(
Wifi devices at the remote site still working and controllable across LTE and presumably they call out to some dodgy server in China using same principle as TeamViewer.


hornbyp wrote:
Since the 2862 will have no public IP address, it must initiate the VPN, i.e. the "Dial-out" section needs filling in its Lan-to-Lan VPN entry. Therefore, the 2930 only needs the "Dial-in" section filling in. The lack of fixed IP address means you'll have to use IPSec Aggressive Mode. Make sure you don't choose protocols and key length on the 2862 that the 2930 can't match.

I'd edited out the ip address in the 2930 dial-in dialog as that's no longer in use at the 2862 end and added the Aggressive-ID ready for when I get to the 2862 next.

[

hornbyp wrote:
FWIW, I've been using Draytek's Syslog Daemon seemingly forever.

I had to debug my syslog and port forwarding via the 2930 and used an Asus AC2400 with tethering to my Android phone and I sort of understand interactions between open ports and Nat on the same ports now ! I had to use VisualSyslog utility to do this. Eventually, I got to the stage where I could see the syslog on my original intended W10 host and saw that the Dial-Out via LTE from 2930vn was still coming in - albeit with the 93.x.y.z threemm Nat address of course.
I then tried the Draytek Syslog tool and suddenly I could see syslog from the 2930vn as well as the local 2862lac...
** learning points on Draytek SyslogD:
the network section might well 'see' the (local) router but the drop-down leading to the WAN seems to use a different mechanism - maybe it's wherever it's getting syslog messages from on port 514 ?? I was all over the place :oops: :cry: :roll: trying to figure W10 firewall issues and that was totally irrelevant.
The telnet tool relies upon the default port 23 and if that's been mapped (like I do), you're stuffed.
Strangely, the SyslogD tool shows (in blue on bottom bar) ADSL info even though that WAN(1) is OFF
- and it's not a default as it's not there when viewing 2930. Is it checking syslog messages?

The output file comprises records with a leading key corresponding to the tab - so only one save needed, not one per tab.
tbd: try the telnet tools after reconfigure to port 23 - the dialog makes limited sense wrt building a polling-dialog but I see the intention so should be ok.
]

continued...


13 Jun 2020 17:05 #5 by mwrmwr
Replied by mwrmwr on topic Re: Lan to Lan (2862lac to 2930vn)
...part 2 of 13June2020

hornbyp wrote:
If so, the first thing that springs to mind, is that the (old) 2930 might not support this. I have a 2830 <-->2860 VPN and NAT Port Redirection does not work on the 2830, when the target is over the VPN. It does work the other way round. (Obviously, you could bounce off a session on a PC at the 2930 site.)

...I'll find this out in due course I guess but thanks for the heads-up.

hornbyp wrote:
The VPN doesn't establish of its own volition - some traffic that needs to get to the other side will cause it to be summoned into existence. Unless set otherwise, it will drop some time later. The traffic can be a simple 'ping'. You might be able to trick it, by putting a suitable 2930 LAN address in the 2862's SNMP or Mail Alert (or Syslog) fields. Once established, data can flow in either direction, using normal IP Routing rules.

Noted. I did set up the ip for the 2930 in syslog (which is why I still see outgoing syslog messages) and, iirc, there's no ip in the mail section - but that regularly (still) emails me e.g. when I remote reboot via the SMS interface which remains operational.

Still not sure when the Dial option is needed... is it equivalent to disable and then re-enable the Dial-out profile ...ah maybe that's for when there's no ping to keep-alive. By default, I always sling in keep-alives so probably that's the root of my confusion.


13 Jun 2020 17:21 #6 by mwrmwr
Replied by mwrmwr on topic Re: Lan to Lan (2862lac to 2930vn)
some of the current log...


:
{rs}134{us}{rs}2020-06-13 01:13:04{us}{rs}Jun 13 01:13:04{us}{rs}DrayTek_atNo1{us}{rs}[ARP][ARP address mismatch - Ethernet source address doesn't match ARP sender address]{us}
:


...there's a note I found by research that shows how to (temporarily) turn off ARP-poisoning checks and I'll experiment with that


:
{rs}150{us}{rs}2020-06-13 01:01:27{us}{rs}Jun 13 01:01:27{us}{rs}DrayTek_atNo1{us}{rs}Local User (MAC=64-20-...): 192.168.1.nn DNS -> 8.8.8.8 inquire router16.teamviewer.com{us}
{rs}150{us}{rs}2020-06-13 01:01:27{us}{rs}Jun 13 01:01:27{us}{rs}DrayTek_atNo1{us}{rs}Local User (MAC=64-20-...): 192.168.1.nn DNS -> 172.30.139.16 inquire router16.teamviewer.com{us}
:
{rs}150{us}{rs}2020-06-13 01:01:36{us}{rs}Jun 13 01:01:36{us}{rs}DrayTek_atNo1{us}{rs}[dmn] dmn_pkt_send Announce-Keepalive{us}
:
{rs}141{us}{rs}2020-06-13 00:34:41{us}{rs}Jun 13 00:34:41{us}{rs}DrayTek_atNo1{us}{rs}Receive reply ACTION: 0 from UDP server, but My ID/MAC reject by
:
{rs}166{us}{rs}2020-06-13 00:36:24{us}{rs}Jun 13 00:36:15{us}{rs}DrayTek_atNo1{us}{rs}WAN1 PPPoE ==> V:1 T:1 PADT ID:6{us}
{rs}166{us}{rs}2020-06-13 00:36:24{us}{rs}Jun 13 00:36:15{us}{rs}DrayTek_atNo1{us}{rs}WAN1 PPPoE --> send PADT to reset the out-of-order session.{us}
:
{rs}166{us}{rs}2020-06-13 00:37:12{us}{rs}Jun 13 00:37:03{us}{rs}DrayTek_atNo1{us}{rs}WAN1 PPPoE --> send PADT to reset the out-of-order session.{us}
{rs}166{us}{rs}2020-06-13 00:37:13{us}{rs}Jun 13 00:37:04{us}{rs}DrayTek_atNo1{us}{rs}[4G]<5> Query channel rate/access tech.{us}
{rs}166{us}{rs}2020-06-13 00:37:13{us}{rs}Jun 13 00:37:04{us}{rs}DrayTek_atNo1{us}{rs}[4G]<5> Access tech : LTE. Band : E-UTRA Op Band 20.{us}
{rs}166{us}{rs}2020-06-13 00:37:13{us}{rs}Jun 13 00:37:04{us}{rs}DrayTek_atNo1{us}{rs}[4G]<5> Max Channel Rate: TX 50000000 bps, RX 150000000 bps{us}

:
{rs}206{us}{rs}2020-06-13 00:54:51{us}{rs}default{us}{rs}92.40.x.y{us}{rs};;Failed to connect to router!;;{us}
{rs}206{us}{rs}2020-06-13 00:55:51{us}{rs}default{us}{rs}92.40.x.y{us}{rs};;Failed to connect to router!;;{us}


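As an added example that is not part of this thread or of DrayTek's own tooling: a small Python parser for the {rs}/{us} record layout pasted above (assuming the braces are literal text in the export, as they appear here), which groups records by the leading tab key described in post #4 and decodes the hex network/mask in the 2930's "Can't find route for L2L" message from post #1. The sample records and the hostname Vigor2930_example are constructed.

```python
import re
from ipaddress import IPv4Network

# Constructed sample (not a real capture) in the {rs}field{us} export layout
# shown in this thread; the last record is deliberately missing its closing {us}.
SAMPLE = "\n".join([
    "{rs}134{us}{rs}2020-06-13 01:13:04{us}{rs}Jun 13 01:13:04{us}{rs}DrayTek_atNo1{us}"
    "{rs}[ARP][ARP address mismatch - Ethernet source address doesn't match ARP sender address]{us}",
    "{rs}166{us}{rs}2020-06-13 00:37:13{us}{rs}Jun 13 00:37:04{us}{rs}DrayTek_atNo1{us}"
    "{rs}[4G]<5> Access tech : LTE. Band : E-UTRA Op Band 20.{us}",
    "{rs}150{us}{rs}2020-06-13 01:20:00{us}{rs}Jun 13 01:20:00{us}{rs}Vigor2930_example{us}"
    "{rs}Can't find route for L2L[1] c0a80100/ffffff00 and restart this tunnel...{us}",
    "{rs}141{us}{rs}2020-06-13 00:34:41{us}{rs}Jun 13 00:34:41{us}{rs}DrayTek_atNo1{us}"
    "{rs}Receive reply ACTION: 0 from UDP server, but My ID/MAC reject by",
])

FIELD = re.compile(r"\{rs\}(.*?)\{us\}")
L2L_ROUTE = re.compile(r"Can't find route for L2L\[(\d+)\] ([0-9a-fA-F]{8})/([0-9a-fA-F]{8})")

def parse_records(text):
    """Fields per line: tab key, daemon time, router time, hostname, message.
    A line with fewer than five complete fields (e.g. no closing {us}) is dropped."""
    records = []
    for line in text.splitlines():
        fields = FIELD.findall(line)
        if len(fields) < 5:
            continue
        key, daemon_time, router_time, host, msg = fields[:5]
        records.append({"key": int(key), "daemon_time": daemon_time, "router_time": router_time, "host": host, "msg": msg})
    return records

def group_by_key(records):
    """Bucket messages by the leading key, the value the SyslogD tabs are keyed on."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["key"], []).append(rec["msg"])
    return groups

def hex_to_dotted(h):
    # 'c0a80100' -> '192.168.1.0'
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))

def decode_l2l_route(msg):
    """Decode the hex net/mask in a "Can't find route for L2L" message to (profile index, CIDR)."""
    m = L2L_ROUTE.search(msg)
    if not m:
        return None
    idx, net_hex, mask_hex = m.groups()
    net = IPv4Network(f"{hex_to_dotted(net_hex)}/{hex_to_dotted(mask_hex)}")
    return int(idx), str(net)
```

Run against a saved SyslogD export, a decoded route such as 192.168.1.0/24 tells you which remote subnet the receiving router had no matching Lan-to-Lan route for, which is the first thing to compare against the dial-in profile's remote network settings.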