Has anyone got a VPN to a Draytek working?
-
I'm really struggling.....
-
I have seen that a number of times. Draytek have a lot of devices and firmware versions of course.
More detail required. How are you configuring it? What's happening / not happening?
Check the logs for errors.
Steve
-
The Draytek's logs show:
2019-02-24 17:57:23 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:18 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:15 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:14 IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:14 NAT-Traversal: Using RFC 3947, no NAT detected
2019-02-24 17:57:14 IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:14 IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:14 Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
2019-02-24 17:57:14 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:14 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:14 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] Initiating IKE Main Mode
2019-02-24 17:57:14 Initiating IKE Main Mode to 81.143.205.132
2019-02-24 17:57:14 Dialing Node6 (OHPfsense2) : 81.143.205.132
2019-02-24 17:57:13 [IPSEC][L2L][6:OHPfsense2][@81.143.205.132] IKE release: state linking
2019-02-24 17:57:13 [L2L][DOWN][IPsec][@6:OHPfsense2]
2019-02-24 17:57:13 DropVPN() VPN : L2L Dial-out, Profile index = 6, Name = OHPfsense2, ifno = 11
2019-02-24 17:57:13 Re-dial L2L[6], ifno: 11, status: 3 from WEB...
2019-02-24 17:57:12 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:11 IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x5eda19cd
2019-02-24 17:57:11 IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x179c107
2019-02-24 17:57:06 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:03 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] err: infomational exchange message is invalid 'cos incomplete ISAKMP SA
2019-02-24 17:57:03 IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:03 NAT-Traversal: Using RFC 3947, no NAT detected
2019-02-24 17:57:03 IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:03 IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:03 Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
2019-02-24 17:57:03 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:03 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
2019-02-24 17:57:03 [IPSEC/IKE][L2L][6:OHPfsense2][@81.143.205.132] Initiating IKE Main Mode
2019-02-24 17:57:03 Initiating IKE Main Mode to 81.143.205.132
2019-02-24 17:57:03 Dialing Node6 (OHPfsense2) : 81.143.205.132
2019-02-24 17:57:02 [IPSEC][L2L][6:OHPfsense2][@81.143.205.132] IKE link timeout: state linkingDoes this make any sense to anyone? I've got a site-to-site to a Watchguard working, but not this one. Thanks in anticipation!
-
pfSense logs:
Feb 24 18:02:41 charon 11[NET] <13832> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (92 bytes)
Feb 24 18:02:41 charon 11[ENC] <13832> invalid ID_V1 payload length, decryption failed?
Feb 24 18:02:41 charon 11[ENC] <13832> could not decrypt payloads
Feb 24 18:02:41 charon 11[IKE] <13832> message parsing failed
Feb 24 18:02:41 charon 11[ENC] <13832> generating INFORMATIONAL_V1 request 2097971478 [ HASH N(PLD_MAL) ]
Feb 24 18:02:41 charon 11[NET] <13832> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 24 18:02:41 charon 11[IKE] <13832> ID_PROT request with message ID 0 processing failed
Feb 24 18:02:42 charon 01[CFG] vici client 96 connected
Feb 24 18:02:42 charon 10[CFG] vici client 96 registered for: list-sa
Feb 24 18:02:42 charon 11[CFG] vici client 96 requests: list-sas
Feb 24 18:02:42 charon 10[CFG] vici client 96 disconnected
Feb 24 18:02:46 charon 13[JOB] <13831> deleting half open IKE_SA with 88.97.12.47 after timeout
Feb 24 18:02:46 charon 13[IKE] <13831> IKE_SA (unnamed)[13831] state change: CONNECTING => DESTROYING
Feb 24 18:02:48 charon 13[NET] <13833> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 24 18:02:48 charon 13[ENC] <13833> parsed ID_PROT request 0 [ SA V V V V V V ]
Feb 24 18:02:48 charon 13[CFG] <13833> looking for an IKEv1 config for 81.143.205.132...88.97.12.47
Feb 24 18:02:48 charon 13[CFG] <13833> candidate: %any...%any, prio 24
Feb 24 18:02:48 charon 13[CFG] <13833> candidate: 81.143.205.132...88.97.12.47, prio 3100
Feb 24 18:02:48 charon 13[CFG] <13833> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 24 18:02:48 charon 13[IKE] <13833> received DPD vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> received NAT-T (RFC 3947) vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> 88.97.12.47 is initiating a Main Mode IKE_SA
Feb 24 18:02:48 charon 13[IKE] <13833> IKE_SA (unnamed)[13833] state change: CREATED => CONNECTING
Feb 24 18:02:48 charon 13[CFG] <13833> selecting proposal:
Feb 24 18:02:48 charon 13[CFG] <13833> proposal matches
Feb 24 18:02:48 charon 13[CFG] <13833> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 24 18:02:48 charon 13[CFG] <13833> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 24 18:02:48 charon 13[CFG] <13833> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Feb 24 18:02:48 charon 13[IKE] <13833> sending XAuth vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> sending DPD vendor ID
Feb 24 18:02:48 charon 13[IKE] <13833> sending NAT-T (RFC 3947) vendor ID
Feb 24 18:02:48 charon 13[ENC] <13833> generating ID_PROT response 0 [ SA V V V ]
Feb 24 18:02:48 charon 13[NET] <13833> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (136 bytes)
Feb 24 18:02:48 charon 13[NET] <13833> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (356 bytes)
Feb 24 18:02:48 charon 13[ENC] <13833> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 24 18:02:48 charon 13[CFG] <13833> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 24 18:02:48 charon 13[CFG] <13833> candidate "con3000", match: 1/1/3100 (me/other/ike)
Feb 24 18:02:48 charon 13[ENC] <13833> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 24 18:02:48 charon 13[NET] <13833> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (372 bytes)
Feb 24 18:02:48 charon 13[NET] <13833> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (92 bytes)
Feb 24 18:02:48 charon 13[ENC] <13833> invalid ID_V1 payload length, decryption failed?
Feb 24 18:02:48 charon 13[ENC] <13833> could not decrypt payloads
Feb 24 18:02:48 charon 13[IKE] <13833> message parsing failed
Feb 24 18:02:48 charon 13[ENC] <13833> generating INFORMATIONAL_V1 request 2433405080 [ HASH N(PLD_MAL) ]
Feb 24 18:02:48 charon 13[NET] <13833> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 24 18:02:48 charon 13[IKE] <13833> ID_PROT request with message ID 0 processing failed -
@orangehand said in Has anyone got a VPN to a Draytek working?:
Feb 24 18:02:48 charon 13[ENC] <13833> invalid ID_V1 payload length, decryption failed?
Feb 24 18:02:48 charon 13[ENC] <13833> could not decrypt payloads
Feb 24 18:02:48 charon 13[IKE] <13833> message parsing failedThat looks like a shared key mismatch is most likely.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html#phase-1-pre-shared-key-mismatchSteve
-
I've been working with Draytek support; Latest log/error at Draytek end is:
2019-02-27 11:39:53 ## IKEv2 DBG : IKESA inR2 : Can't decrypt message
2019-02-27 11:39:53 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1848
2019-02-27 11:39:53 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_AUTHENTICATION_FAILED[24]
2019-02-27 11:39:53 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 11:39:53 ## IKEv2 DBG : Process Packet : #125 IKE SA Established, REPLACE after 19800 secondsAnyone know how to fix this please?
-
Apologies Stephenw10 - I hadn't clocked that you were in-house pfsense! Am very grateful for your assistance!
-
(The only change today is that we changed the connection to IKEv2 and DH gp2)
-
(and Draytek is set to Dial Out, always on)
-
I assume the Draytek logs are in reverse order again?
Did you change to IKEv2 and DH group2 at both ends? pfSense will use IKEv2 if it is initiating and it's set to auto.
The pfSense failure log will probably be more useful here, obviously we are far more familiar with it.
However I would say it's most likely an identifier mismatch looking at those logs. IKEv2 has a much larger choice of identifier types. It looks like the Draytek has accepted whatever pfSense is sending as it's showing SA established but pfSene then sends an authentication failure message.
Since you're using public IPs at both ends if the identifiers are still set to 'my IP' and 'peer IP' that should work.
Steve
-
Yes both ends were changed, whilst I had the Draytek guy remoted into my Mac
(The Draytek is set to dial out, not both, if that matters)Latest pfsense log entries are:
Feb 27 16:23:01 charon 11[CFG] <30980> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 27 16:23:01 charon 11[IKE] <30980> 88.97.12.47 is initiating an IKE_SA
Feb 27 16:23:01 charon 11[IKE] <30980> IKE_SA (unnamed)[30980] state change: CREATED => CONNECTING
Feb 27 16:23:01 charon 11[CFG] <30980> selecting proposal:
Feb 27 16:23:01 charon 11[CFG] <30980> proposal matches
Feb 27 16:23:01 charon 11[CFG] <30980> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 16:23:01 charon 11[CFG] <30980> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 16:23:01 charon 11[CFG] <30980> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 16:23:01 charon 11[ENC] <30980> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 27 16:23:01 charon 11[NET] <30980> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (312 bytes)
Feb 27 16:23:01 charon 11[NET] <30980> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 27 16:23:01 charon 11[ENC] <30980> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 27 16:23:01 charon 11[CFG] <30980> looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Feb 27 16:23:01 charon 11[CFG] <30980> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 27 16:23:01 charon 11[CFG] <30980> candidate "con3000", match: 1/20/3100 (me/other/ike)
Feb 27 16:23:01 charon 11[CFG] <30980> ignore candidate 'bypasslan' without matching IKE proposal
Feb 27 16:23:01 charon 11[CFG] <con3000|30980> selected peer config 'con3000'
Feb 27 16:23:01 charon 11[IKE] <con3000|30980> tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
Feb 27 16:23:01 charon 11[ENC] <con3000|30980> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 27 16:23:01 charon 11[NET] <con3000|30980> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 27 16:23:01 charon 11[IKE] <con3000|30980> IKE_SA con3000[30980] state change: CONNECTING => DESTROYING -
Here is the draytek end - there appears to be no peerID setting that end if that might be relevant?
-
The top and bottom of the previous screenshot:
-
Ok so not an identifier mismatch, thay are sending their IP as identifier shown in [ ]
looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
It still looks like the preshared key is wrong:
tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
I would test it by using a super simple key that cannot me typo'd or translated like
12345
. Move to a better key once it connects with that.We can't see the actual encryption settings there, I assume they are under that advanced button. If the HMAC didn't match there I would expect it to fail with a proposal error. It was matching previously for IKEv1 but worth checking.
Steve
-
Are you using an especially long PreSharedKey? The maximum ley length is related to auth hash used and you are using SHA1 which limits it to 64B (I think).
Steve
-
Changed PSK to 12345, saved and applied at both ends
Draytek syslog (latest at top):
2019-02-27 17:41:02 ## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #3373
2019-02-27 17:41:02 [IPSEC][L2L][6:PFsense][@81.143.205.132] IKE link timeout: state linking
2019-02-27 17:40:54 IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x12ad535f
2019-02-27 17:40:54 IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x77b5b4a4
2019-02-27 17:40:54 IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x3977f965
2019-02-27 17:40:54 IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x371c750d
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR2 : Can't decrypt message
2019-02-27 17:40:49 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1848
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_AUTHENTICATION_FAILED[24]
2019-02-27 17:40:49 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:49 ## IKEv2 DBG : Process Packet : #3373 IKE SA Established, REPLACE after 21150 seconds
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Create Child SA #3374, IKE SA is #3373
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify [16404], ignore it
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify [16404]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2019-02-27 17:40:49 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA outI1 : Create IKE SA #3373 Profile Index 0
2019-02-27 17:40:49 Dialing Node6 (PFsense) : 81.143.205.132
2019-02-27 17:40:46 ## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #3371
2019-02-27 17:40:46 [IPSEC][L2L][6:PFsense][@81.143.205.132] IKE link timeout: state linking
2019-02-27 17:40:33 ## IKEv2 DBG : IKESA inR2 : Can't decrypt message
2019-02-27 17:40:33 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1848
2019-02-27 17:40:33 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_AUTHENTICATION_FAILED[24]
2019-02-27 17:40:33 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:33 ## IKEv2 DBG : Process Packet : #3371 IKE SA Established, REPLACE after 21572 seconds
2019-02-27 17:40:33 ## IKEv2 DBG : IKESA inR1_outI2 : Create Child SA #3372, IKE SA is #3371pfSense log:
Feb 27 17:42:27 charon 15[CFG] <31333> looking for an IKEv2 config for 81.143.205.132...88.97.12.47
Feb 27 17:42:27 charon 15[CFG] <31333> candidate: %any...%any, prio 24
Feb 27 17:42:27 charon 15[CFG] <31333> candidate: 81.143.205.132...88.97.12.47, prio 3100
Feb 27 17:42:27 charon 15[CFG] <31333> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 27 17:42:27 charon 15[IKE] <31333> 88.97.12.47 is initiating an IKE_SA
Feb 27 17:42:27 charon 15[IKE] <31333> IKE_SA (unnamed)[31333] state change: CREATED => CONNECTING
Feb 27 17:42:27 charon 15[CFG] <31333> selecting proposal:
Feb 27 17:42:27 charon 15[CFG] <31333> proposal matches
Feb 27 17:42:27 charon 15[CFG] <31333> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[CFG] <31333> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[CFG] <31333> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[ENC] <31333> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 27 17:42:27 charon 15[NET] <31333> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (312 bytes)
Feb 27 17:42:27 charon 15[NET] <31333> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 27 17:42:27 charon 15[ENC] <31333> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 27 17:42:27 charon 15[CFG] <31333> looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Feb 27 17:42:27 charon 15[CFG] <31333> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 27 17:42:27 charon 15[CFG] <31333> candidate "con3000", match: 1/20/3100 (me/other/ike)
Feb 27 17:42:27 charon 15[CFG] <31333> ignore candidate 'bypasslan' without matching IKE proposal
Feb 27 17:42:27 charon 15[CFG] <con3000|31333> selected peer config 'con3000'
Feb 27 17:42:27 charon 15[IKE] <con3000|31333> tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
Feb 27 17:42:27 charon 15[ENC] <con3000|31333> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 27 17:42:27 charon 15[NET] <con3000|31333> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 27 17:42:27 charon 15[IKE] <con3000|31333> IKE_SA con3000[31333] state change: CONNECTING => DESTROYING
Feb 27 17:42:43 charon 15[NET] <31334> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (288 bytes)
Feb 27 17:42:43 charon 15[ENC] <31334> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 27 17:42:43 charon 15[CFG] <31334> looking for an IKEv2 config for 81.143.205.132...88.97.12.47
Feb 27 17:42:43 charon 15[CFG] <31334> candidate: %any...%any, prio 24
Feb 27 17:42:43 charon 15[CFG] <31334> candidate: 81.143.205.132...88.97.12.47, prio 3100
Feb 27 17:42:43 charon 15[CFG] <31334> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 27 17:42:43 charon 15[IKE] <31334> 88.97.12.47 is initiating an IKE_SA
Feb 27 17:42:43 charon 15[IKE] <31334> IKE_SA (unnamed)[31334] state change: CREATED => CONNECTING
Feb 27 17:42:43 charon 15[CFG] <31334> selecting proposal:
Feb 27 17:42:43 charon 15[CFG] <31334> proposal matches
Feb 27 17:42:43 charon 15[CFG] <31334> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[CFG] <31334> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[CFG] <31334> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[ENC] <31334> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 27 17:42:43 charon 15[NET] <31334> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (312 bytes)
Feb 27 17:42:43 charon 15[NET] <31334> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 27 17:42:43 charon 15[ENC] <31334> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 27 17:42:43 charon 15[CFG] <31334> looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Feb 27 17:42:43 charon 15[CFG] <31334> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 27 17:42:43 charon 15[CFG] <31334> candidate "con3000", match: 1/20/3100 (me/other/ike)
Feb 27 17:42:43 charon 15[CFG] <31334> ignore candidate 'bypasslan' without matching IKE proposal
Feb 27 17:42:43 charon 15[CFG] <con3000|31334> selected peer config 'con3000'
Feb 27 17:42:43 charon 15[IKE] <con3000|31334> tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
Feb 27 17:42:43 charon 15[ENC] <con3000|31334> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 27 17:42:43 charon 15[NET] <con3000|31334> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 27 17:42:43 charon 15[IKE] <con3000|31334> IKE_SA con3000[31334] state change: CONNECTING => DESTROYING -
Sorry - missed your key length Q; no - previous psk was testtest - the last logs were 12345
-
Hmm, curious.
Is this the only tunnel at each end?
Does either end have more than one WAN?
Can we see the config at the pfSense end?
Steve
-
@orangehand said in Has anyone got a VPN to a Draytek working?:
looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Ok in fact this could be an identifier issue. It looks like the Draytek is sending 'any' as the identifier for pfSense. What is it actually set to in pfSense?
I don't see a place to specify a peer ID in the Draytek settings other than the 'dial-in' section but you might try adding it there.
Steve
-
-
In dial in settings you mean the username field? What would I put there please?
-
Ok the Draytek is sending it's own IP as an identifier but 'any' for the pfSense end. So in pfSense it should be the opposite; 'any' for My Identifier and 'peer IP' for Peer Identifier.
But better would be to set an Identifier in the Draytek. The only place in the screenshot I see to do that is the 'Peer ID' filed in the dial-in settings. Try that. See if it changes what is shown in the pfSense logs. You want it to show:
looking for peer configs matching 81.143.205.132[81.143.205.132]...88.97.12.47[88.97.12.47]
Then set My IP and Peer IP as the identifiers in pfSense to match.
Steve
-
That worked, many many thanks Steve
-
Ah, great. Were you able to get the Draytek to send an IP as identifier or did you have to stick with 'any' as the local identifier in pfSense?
Steve
-
pfSense (my) end I used My identifier: My IP Address and Peer Identifier: Peer IP address
Would you like full screenshots for reference? -
Yes please. Might be helpful for someone else in the future.
Steve
-
-
Hi all
I'm trying to setup a lan-to-lan VPN between Draytek and pfsense using IPSec, but I can't get it to work
I've copied the configuration suggested by orangehand on both ends, with no luck.
The only differences with orangehand's setup is that on the Draytek side I've set the call direction to dial-out, as I need the channel constantly on, and on the pfsense side, in the 'remote gateway' field I've set the external IP of the Draytek, not the FQDN, as I don't have a DDNS set up.Is there a complete guide on how to set this up, as I can't find a great deal on it online?
Thanks
Log details:
Dec 31 11:52:02 charon 10[IKE] <bypasslan|255> IKE_SA bypasslan[255] state change: CONNECTING => DESTROYING
Dec 31 11:52:02 charon 10[NET] <bypasslan|255> sending packet: from (pfsense_wan) [4500] to 1(draytek_wan)[7440] (76 bytes)
Dec 31 11:52:02 charon 10[ENC] <bypasslan|255> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> no alternative config found
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> selected peer config 'bypasslan' unacceptable: non-matching authentication done
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> constraint requires public key authentication, but pre-shared key was used
Dec 31 11:52:02 charon 10[IKE] <bypasslan|255> authentication of '(draytek_lan)' with pre-shared key successful
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> selected peer config 'bypasslan' -
If you see it selecting bypasslan like that it's because no other config matches. You have a mismatch there. Do you have a more complete log?
Steve
-
Dec 31 12:23:34 charon 10[IKE] <bypasslan|373> IKE_SA bypasslan[373] state change: CONNECTING => DESTROYING
Dec 31 12:23:34 charon 10[NET] <bypasslan|373> sending packet: from (pfsense-wan)[4500] to (draytek-wan)[7440] (76 bytes)
Dec 31 12:23:34 charon 10[ENC] <bypasslan|373> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> no alternative config found
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan' unacceptable: non-matching authentication done
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> constraint requires public key authentication, but pre-shared key was used
Dec 31 12:23:34 charon 10[IKE] <bypasslan|373> authentication of '(draytek-lan)' with pre-shared key successful
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan'
Dec 31 12:23:34 charon 10[CFG] <373> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Dec 31 12:23:34 charon 10[CFG] <373> looking for peer configs matching (pfsense-wan)[%any]...(draytek-wan)[192.168.100.12]
Dec 31 12:23:34 charon 10[ENC] <373> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Dec 31 12:23:34 charon 10[NET] <373> received packet: from (draytek-wan)[7440] to (pfsense-wan)[4500] (204 bytes)
Dec 31 12:23:34 charon 10[NET] <373> sending packet: from (pfsense-wan)[500] to (draytek-wan)[7244] (440 bytes)
Dec 31 12:23:34 charon 10[ENC] <373> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 31 12:23:34 charon 10[IKE] <373> remote host is behind NAT
Dec 31 12:23:34 charon 10[CFG] <373> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> proposal matches
Dec 31 12:23:34 charon 10[CFG] <373> selecting proposal:
Dec 31 12:23:34 charon 10[IKE] <373> IKE_SA (unnamed)[373] state change: CREATED => CONNECTING
Dec 31 12:23:34 charon 10[IKE] <373> (draytek-wan) is initiating an IKE_SA
Dec 31 12:23:34 charon 10[CFG] <373> found matching ike config: (pfsense-wan)...(draytek-wan) with prio 3100
Dec 31 12:23:34 charon 10[CFG] <373> candidate: (pfsense-wan)...(draytek-wan), prio 3100
Dec 31 12:23:34 charon 10[CFG] <373> candidate: %any...%any, prio 24
Dec 31 12:23:34 charon 10[CFG] <373> looking for an IKEv2 config for (pfsense-wan)...(draytek-wan)
Dec 31 12:23:34 charon 10[ENC] <373> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 31 12:23:34 charon 10[NET] <373> received packet: from (draytek-wan)[7244] to (pfsense-wan)[500] (416 bytes)
Dec 31 12:23:32 ipsec_starter 36044 'con1000' routed
Dec 31 12:23:32 charon 06[CHD] CHILD_SA con1000{2651} state change: CREATED => ROUTED
Dec 31 12:23:32 charon 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ
Dec 31 12:23:32 charon 06[CFG] received stroke: route 'con1000'
Dec 31 12:23:32 charon 07[CFG] added configuration 'con1000'
Dec 31 12:23:32 charon 07[CFG] keyexchange=ikev2
Dec 31 12:23:32 charon 07[CFG] mediation=no
Dec 31 12:23:32 charon 07[CFG] sha256_96=no
Dec 31 12:23:32 charon 07[CFG] dpdaction=3
Dec 31 12:23:32 charon 07[CFG] dpdtimeout=60
Dec 31 12:23:32 charon 07[CFG] dpddelay=10
Dec 31 12:23:32 charon 07[CFG] esp=aes256-sha1-modp1024,aes256-sha256-modp1024,aes128gcm128-sha1-modp1024,aes128gcm128-sha256-modp1024,aes256gcm128-sha1-modp1024,aes256gcm128-sha256-modp1024,aes256gcm96-sha1-modp1024,aes256gcm96-sha256-modp1024,aes256gcm64-sha1-modp1024,aes256gcm64-sha256-modp1024!
Dec 31 12:23:32 charon 07[CFG] ike=aes256-sha1-modp2048!
Dec 31 12:23:32 charon 07[CFG] rightid=(draytek-wan)
Dec 31 12:23:32 charon 07[CFG] rightauth=psk
Dec 31 12:23:32 charon 07[CFG] rightsubnet=(draytek-lan)/24
Dec 31 12:23:32 charon 07[CFG] right=(draytek-wan)
Dec 31 12:23:32 charon 07[CFG] leftid=(pfsense-wan)
Dec 31 12:23:32 charon 07[CFG] leftauth=psk
Dec 31 12:23:32 charon 07[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 07[CFG] left=(pfsense-wan)
Dec 31 12:23:32 charon 07[CFG] conn con1000
Dec 31 12:23:32 charon 07[CFG] received stroke: add connection 'con1000'
Dec 31 12:23:32 ipsec_starter 36044 'bypasslan' shunt PASS policy installed
Dec 31 12:23:32 charon 06[CFG] received stroke: route 'bypasslan'
Dec 31 12:23:32 charon 08[CFG] added configuration 'bypasslan'
Dec 31 12:23:32 charon 08[CFG] mediation=no
Dec 31 12:23:32 charon 08[CFG] sha256_96=no
Dec 31 12:23:32 charon 08[CFG] dpdtimeout=150
Dec 31 12:23:32 charon 08[CFG] dpddelay=30
Dec 31 12:23:32 charon 08[CFG] rightsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 08[CFG] right=%any
Dec 31 12:23:32 charon 08[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 08[CFG] left=%any
Dec 31 12:23:32 charon 08[CFG] conn bypasslan
Dec 31 12:23:32 charon 08[CFG] received stroke: add connection 'bypasslan'
Dec 31 12:23:32 charon 06[CFG] deleted connection 'con1000'
Dec 31 12:23:32 charon 06[CFG] received stroke: delete connection 'con1000'
Dec 31 12:23:32 ipsec_starter 36044 trap policy 'con1000' unrouted
Dec 31 12:23:32 charon 08[CHD] CHILD_SA con1000{2650} state change: ROUTED => DESTROYING
Dec 31 12:23:32 charon 08[CFG] received stroke: unroute 'con1000'
Dec 31 12:23:32 charon 06[CFG] deleted connection 'bypasslan'
Dec 31 12:23:32 charon 06[CFG] received stroke: delete connection 'bypasslan'
Dec 31 12:23:32 ipsec_starter 36044 shunt policy 'bypasslan' uninstalled
Dec 31 12:23:32 charon 05[CFG] received stroke: unroute 'bypasslan'
Dec 31 12:23:32 charon 07[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Dec 31 12:23:32 charon 07[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 31 12:23:32 charon 07[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 31 12:23:32 charon 07[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 31 12:23:32 charon 07[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 31 12:23:32 charon 07[CFG] loaded IKE secret for %any (draytek-wan)
Dec 31 12:23:32 charon 07[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Dec 31 12:23:32 charon 07[CFG] rereading secrets
Dec 31 12:23:20 ipsec_starter 36044 'con1000' routed
Dec 31 12:23:20 charon 08[CHD] CHILD_SA con1000{2650} state change: CREATED => ROUTED
Dec 31 12:23:20 charon 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ
Dec 31 12:23:20 charon 08[CFG] received stroke: route 'con1000'
Dec 31 12:23:20 charon 07[CFG] added configuration 'con1000'
Dec 31 12:23:20 charon 07[CFG] keyexchange=ikev2
Dec 31 12:23:20 charon 07[CFG] mediation=no
Dec 31 12:23:20 charon 07[CFG] sha256_96=no
Dec 31 12:23:20 charon 07[CFG] dpdaction=3
Dec 31 12:23:20 charon 07[CFG] dpdtimeout=60
Dec 31 12:23:20 charon 07[CFG] dpddelay=10
Dec 31 12:23:20 charon 07[CFG] esp=aes256-sha1-modp1024,aes256-sha256-modp1024,aes128gcm128-sha1-modp1024,aes128gcm128-sha256-modp1024,aes256gcm128-sha1-modp1024,aes256gcm128-sha256-modp1024,aes256gcm96-sha1-modp1024,aes256gcm96-sha256-modp1024,aes256gcm64-sha1-modp1024,aes256gcm64-sha256-modp1024!
Dec 31 12:23:20 charon 07[CFG] ike=aes256-sha1-modp2048!
Dec 31 12:23:20 charon 07[CFG] rightid=(draytek-wan)
Dec 31 12:23:20 charon 07[CFG] rightauth=psk
Dec 31 12:23:20 charon 07[CFG] rightsubnet=(draytek-lan)/24
Dec 31 12:23:20 charon 07[CFG] right=(draytek-wan)
Dec 31 12:23:20 charon 07[CFG] leftid=(pfsense-wan)
Dec 31 12:23:20 charon 07[CFG] leftauth=psk
Dec 31 12:23:20 charon 07[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 07[CFG] left=(pfsense-wan)
Dec 31 12:23:20 charon 07[CFG] conn con1000
Dec 31 12:23:20 charon 07[CFG] received stroke: add connection 'con1000'
Dec 31 12:23:20 ipsec_starter 36044 'bypasslan' shunt PASS policy installed
Dec 31 12:23:20 charon 06[CFG] received stroke: route 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] added configuration 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] mediation=no
Dec 31 12:23:20 charon 08[CFG] sha256_96=no
Dec 31 12:23:20 charon 08[CFG] dpdtimeout=150
Dec 31 12:23:20 charon 08[CFG] dpddelay=30
Dec 31 12:23:20 charon 08[CFG] rightsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 08[CFG] right=%any
Dec 31 12:23:20 charon 08[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 08[CFG] left=%any
Dec 31 12:23:20 charon 08[CFG] conn bypasslan
Dec 31 12:23:20 charon 08[CFG] received stroke: add connection 'bypasslan'
Dec 31 12:23:20 charon 06[CFG] deleted connection 'con1000'
Dec 31 12:23:20 charon 06[CFG] received stroke: delete connection 'con1000'
Dec 31 12:23:20 ipsec_starter 36044 trap policy 'con1000' unrouted
Dec 31 12:23:20 charon 08[CHD] CHILD_SA con1000{2649} state change: ROUTED => DESTROYING
Dec 31 12:23:20 charon 08[CFG] received stroke: unroute 'con1000'
Dec 31 12:23:20 charon 05[CFG] deleted connection 'bypasslan'
Dec 31 12:23:20 charon 05[CFG] received stroke: delete connection 'bypasslan'
Dec 31 12:23:20 ipsec_starter 36044 shunt policy 'bypasslan' uninstalled
Dec 31 12:23:20 charon 06[CFG] received stroke: unroute 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Dec 31 12:23:20 charon 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 31 12:23:20 charon 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 31 12:23:20 charon 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 31 12:23:20 charon 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 31 12:23:20 charon 08[CFG] loaded IKE secret for %any 1(draytek-wan)
Dec 31 12:23:20 charon 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Dec 31 12:23:20 charon 08[CFG] rereading secrets -
@tech_support_ said in Has anyone got a VPN to a Draytek working?:
Dec 31 12:23:34 charon 10[CFG] <373> looking for peer configs matching (pfsense-wan)[%any]...(draytek-wan)[192.168.100.12]
The Draytek is sending it's internal IP as the indentifier. So if pfSense is set to use 'Peer IP Address' that will be the public IP and will not match. Either set the Draytek to send it's public IP as it's identifer or set pfSense to use 'IP Address (192.168.100.12)' as the peer identifier.
Steve
-
@stephenw10 said in Has anyone got a VPN to a Draytek working?:
192.168.100.12
That was it, you're a legend!
A happy new year to you Steve
-
And to you.
-
@stephenw10 ,
I have a similar issue when building a tunnel from ASA to Draytek 2862 with firmware version 3.9.4.1.Logs showing IKE link timeout: state linking.
Tunnel is IKEv1.
VPN configs are similar.
PSK confirmed multiple times. -
So not pfSense at either end?
Kinda limited in what we can do then. Have you considered using pfSense?
Or calling Cisco/Draytek support!But in general you need to check the logs on the end that is refusing the connection to why it is. Then correct that. There will be a config mismatch, IPSec is fairly standard across platforms especially IKEv1.
Steve
-
You should not really have an issue with a Draytek to ASA VPN, we have many of those running on multiple ASA firmwares and 2820s, 2860s (v3.9.4.1), 2862s, 29xx etc.
I can't specifically tell you how, as I am not the Cisco guy :-) If it helps most of ours run on IKEv1 with 3DES with auth, no PFS. We also run all the tunnels outbound on the Draytek to the Cisco., with P1 28800 and P2 3600, which is the Draytek default.
The solution is reasonably well documented on the Draytek knowledge bases and forums, and your Draytek reseller should have access to Draytek tech support, who are pretty helpful most of the time if you are clear on what the problem is.
Not wishing to undermine stephenw10 on the pfSense sell ;-), we have had no luck really in getting Draytek to play with pfSense running in Azure. Despite our best efforts we cannot get a stable solution. We can get pfSense to work with ASA all day long though, so it depends which end you might switch out for a pfSense.