Has anyone got a VPN to a Draytek working?
-
Are you using an especially long PreSharedKey? The maximum key length is related to the auth hash used and you are using SHA1 which limits it to 64B (I think).
Steve
-
Changed PSK to 12345, saved and applied at both ends
Draytek syslog (latest at top):
2019-02-27 17:41:02 ## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #3373
2019-02-27 17:41:02 [IPSEC][L2L][6:PFsense][@81.143.205.132] IKE link timeout: state linking
2019-02-27 17:40:54 IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x12ad535f
2019-02-27 17:40:54 IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x77b5b4a4
2019-02-27 17:40:54 IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x3977f965
2019-02-27 17:40:54 IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x371c750d
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR2 : Can't decrypt message
2019-02-27 17:40:49 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1848
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_AUTHENTICATION_FAILED[24]
2019-02-27 17:40:49 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:49 ## IKEv2 DBG : Process Packet : #3373 IKE SA Established, REPLACE after 21150 seconds
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Create Child SA #3374, IKE SA is #3373
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify [16404], ignore it
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify [16404]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2019-02-27 17:40:49 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2019-02-27 17:40:49 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:49 ## IKEv2 DBG : IKESA outI1 : Create IKE SA #3373 Profile Index 0
2019-02-27 17:40:49 Dialing Node6 (PFsense) : 81.143.205.132
2019-02-27 17:40:46 ## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #3371
2019-02-27 17:40:46 [IPSEC][L2L][6:PFsense][@81.143.205.132] IKE link timeout: state linking
2019-02-27 17:40:33 ## IKEv2 DBG : IKESA inR2 : Can't decrypt message
2019-02-27 17:40:33 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1848
2019-02-27 17:40:33 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_AUTHENTICATION_FAILED[24]
2019-02-27 17:40:33 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply from 81.143.205.132, Peer is IKEv2 Responder
2019-02-27 17:40:33 ## IKEv2 DBG : Process Packet : #3371 IKE SA Established, REPLACE after 21572 seconds
2019-02-27 17:40:33 ## IKEv2 DBG : IKESA inR1_outI2 : Create Child SA #3372, IKE SA is #3371
pfSense log:
Feb 27 17:42:27 charon 15[CFG] <31333> looking for an IKEv2 config for 81.143.205.132...88.97.12.47
Feb 27 17:42:27 charon 15[CFG] <31333> candidate: %any...%any, prio 24
Feb 27 17:42:27 charon 15[CFG] <31333> candidate: 81.143.205.132...88.97.12.47, prio 3100
Feb 27 17:42:27 charon 15[CFG] <31333> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 27 17:42:27 charon 15[IKE] <31333> 88.97.12.47 is initiating an IKE_SA
Feb 27 17:42:27 charon 15[IKE] <31333> IKE_SA (unnamed)[31333] state change: CREATED => CONNECTING
Feb 27 17:42:27 charon 15[CFG] <31333> selecting proposal:
Feb 27 17:42:27 charon 15[CFG] <31333> proposal matches
Feb 27 17:42:27 charon 15[CFG] <31333> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[CFG] <31333> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[CFG] <31333> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:27 charon 15[ENC] <31333> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 27 17:42:27 charon 15[NET] <31333> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (312 bytes)
Feb 27 17:42:27 charon 15[NET] <31333> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 27 17:42:27 charon 15[ENC] <31333> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 27 17:42:27 charon 15[CFG] <31333> looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Feb 27 17:42:27 charon 15[CFG] <31333> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 27 17:42:27 charon 15[CFG] <31333> candidate "con3000", match: 1/20/3100 (me/other/ike)
Feb 27 17:42:27 charon 15[CFG] <31333> ignore candidate 'bypasslan' without matching IKE proposal
Feb 27 17:42:27 charon 15[CFG] <con3000|31333> selected peer config 'con3000'
Feb 27 17:42:27 charon 15[IKE] <con3000|31333> tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
Feb 27 17:42:27 charon 15[ENC] <con3000|31333> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 27 17:42:27 charon 15[NET] <con3000|31333> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 27 17:42:27 charon 15[IKE] <con3000|31333> IKE_SA con3000[31333] state change: CONNECTING => DESTROYING
Feb 27 17:42:43 charon 15[NET] <31334> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (288 bytes)
Feb 27 17:42:43 charon 15[ENC] <31334> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 27 17:42:43 charon 15[CFG] <31334> looking for an IKEv2 config for 81.143.205.132...88.97.12.47
Feb 27 17:42:43 charon 15[CFG] <31334> candidate: %any...%any, prio 24
Feb 27 17:42:43 charon 15[CFG] <31334> candidate: 81.143.205.132...88.97.12.47, prio 3100
Feb 27 17:42:43 charon 15[CFG] <31334> found matching ike config: 81.143.205.132...88.97.12.47 with prio 3100
Feb 27 17:42:43 charon 15[IKE] <31334> 88.97.12.47 is initiating an IKE_SA
Feb 27 17:42:43 charon 15[IKE] <31334> IKE_SA (unnamed)[31334] state change: CREATED => CONNECTING
Feb 27 17:42:43 charon 15[CFG] <31334> selecting proposal:
Feb 27 17:42:43 charon 15[CFG] <31334> proposal matches
Feb 27 17:42:43 charon 15[CFG] <31334> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[CFG] <31334> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[CFG] <31334> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 27 17:42:43 charon 15[ENC] <31334> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 27 17:42:43 charon 15[NET] <31334> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (312 bytes)
Feb 27 17:42:43 charon 15[NET] <31334> received packet: from 88.97.12.47[500] to 81.143.205.132[500] (204 bytes)
Feb 27 17:42:43 charon 15[ENC] <31334> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 27 17:42:43 charon 15[CFG] <31334> looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Feb 27 17:42:43 charon 15[CFG] <31334> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Feb 27 17:42:43 charon 15[CFG] <31334> candidate "con3000", match: 1/20/3100 (me/other/ike)
Feb 27 17:42:43 charon 15[CFG] <31334> ignore candidate 'bypasslan' without matching IKE proposal
Feb 27 17:42:43 charon 15[CFG] <con3000|31334> selected peer config 'con3000'
Feb 27 17:42:43 charon 15[IKE] <con3000|31334> tried 1 shared key for '%any' - '88.97.12.47', but MAC mismatched
Feb 27 17:42:43 charon 15[ENC] <con3000|31334> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 27 17:42:43 charon 15[NET] <con3000|31334> sending packet: from 81.143.205.132[500] to 88.97.12.47[500] (76 bytes)
Feb 27 17:42:43 charon 15[IKE] <con3000|31334> IKE_SA con3000[31334] state change: CONNECTING => DESTROYING
-
Sorry - missed your key length Q; no - previous psk was testtest - the last logs were 12345
-
Hmm, curious.
Is this the only tunnel at each end?
Does either end have more than one WAN?
Can we see the config at the pfSense end?
Steve
-
@orangehand said in Has anyone got a VPN to a Draytek working?:
looking for peer configs matching 81.143.205.132[%any]...88.97.12.47[88.97.12.47]
Ok in fact this could be an identifier issue. It looks like the Draytek is sending 'any' as the identifier for pfSense. What is it actually set to in pfSense?
I don't see a place to specify a peer ID in the Draytek settings other than the 'dial-in' section but you might try adding it there.
Steve
-
-
In dial in settings you mean the username field? What would I put there please?
-
Ok the Draytek is sending its own IP as an identifier but 'any' for the pfSense end. So in pfSense it should be the opposite; 'any' for My Identifier and 'peer IP' for Peer Identifier.
But better would be to set an Identifier in the Draytek. The only place in the screenshot I see to do that is the 'Peer ID' field in the dial-in settings. Try that. See if it changes what is shown in the pfSense logs. You want it to show:
looking for peer configs matching 81.143.205.132[81.143.205.132]...88.97.12.47[88.97.12.47]
Then set My IP and Peer IP as the identifiers in pfSense to match.
Steve
-
That worked, many many thanks Steve
-
Ah, great. Were you able to get the Draytek to send an IP as identifier or did you have to stick with 'any' as the local identifier in pfSense?
Steve
-
pfSense (my) end I used My identifier: My IP Address and Peer Identifier: Peer IP address
Would you like full screenshots for reference?
-
Yes please. Might be helpful for someone else in the future.
Steve
-
-
Hi all
I'm trying to setup a lan-to-lan VPN between Draytek and pfsense using IPSec, but I can't get it to work
I've copied the configuration suggested by orangehand on both ends, with no luck.
The only differences with orangehand's setup is that on the Draytek side I've set the call direction to dial-out, as I need the channel constantly on, and on the pfsense side, in the 'remote gateway' field I've set the external IP of the Draytek, not the FQDN, as I don't have a DDNS set up.
Is there a complete guide on how to set this up, as I can't find a great deal on it online?
Thanks
Log details:
Dec 31 11:52:02 charon 10[IKE] <bypasslan|255> IKE_SA bypasslan[255] state change: CONNECTING => DESTROYING
Dec 31 11:52:02 charon 10[NET] <bypasslan|255> sending packet: from (pfsense_wan) [4500] to (draytek_wan)[7440] (76 bytes)
Dec 31 11:52:02 charon 10[ENC] <bypasslan|255> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> no alternative config found
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> selected peer config 'bypasslan' unacceptable: non-matching authentication done
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> constraint requires public key authentication, but pre-shared key was used
Dec 31 11:52:02 charon 10[IKE] <bypasslan|255> authentication of '(draytek_lan)' with pre-shared key successful
Dec 31 11:52:02 charon 10[CFG] <bypasslan|255> selected peer config 'bypasslan'
-
If you see it selecting bypasslan like that it's because no other config matches. You have a mismatch there. Do you have a more complete log?
Steve
-
Dec 31 12:23:34 charon 10[IKE] <bypasslan|373> IKE_SA bypasslan[373] state change: CONNECTING => DESTROYING
Dec 31 12:23:34 charon 10[NET] <bypasslan|373> sending packet: from (pfsense-wan)[4500] to (draytek-wan)[7440] (76 bytes)
Dec 31 12:23:34 charon 10[ENC] <bypasslan|373> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> no alternative config found
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan' unacceptable: non-matching authentication done
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> constraint requires public key authentication, but pre-shared key was used
Dec 31 12:23:34 charon 10[IKE] <bypasslan|373> authentication of '(draytek-lan)' with pre-shared key successful
Dec 31 12:23:34 charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan'
Dec 31 12:23:34 charon 10[CFG] <373> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Dec 31 12:23:34 charon 10[CFG] <373> looking for peer configs matching (pfsense-wan)[%any]...(draytek-wan)[192.168.100.12]
Dec 31 12:23:34 charon 10[ENC] <373> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Dec 31 12:23:34 charon 10[NET] <373> received packet: from (draytek-wan)[7440] to (pfsense-wan)[4500] (204 bytes)
Dec 31 12:23:34 charon 10[NET] <373> sending packet: from (pfsense-wan)[500] to (draytek-wan)[7244] (440 bytes)
Dec 31 12:23:34 charon 10[ENC] <373> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 31 12:23:34 charon 10[IKE] <373> remote host is behind NAT
Dec 31 12:23:34 charon 10[CFG] <373> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Dec 31 12:23:34 charon 10[CFG] <373> proposal matches
Dec 31 12:23:34 charon 10[CFG] <373> selecting proposal:
Dec 31 12:23:34 charon 10[IKE] <373> IKE_SA (unnamed)[373] state change: CREATED => CONNECTING
Dec 31 12:23:34 charon 10[IKE] <373> (draytek-wan) is initiating an IKE_SA
Dec 31 12:23:34 charon 10[CFG] <373> found matching ike config: (pfsense-wan)...(draytek-wan) with prio 3100
Dec 31 12:23:34 charon 10[CFG] <373> candidate: (pfsense-wan)...(draytek-wan), prio 3100
Dec 31 12:23:34 charon 10[CFG] <373> candidate: %any...%any, prio 24
Dec 31 12:23:34 charon 10[CFG] <373> looking for an IKEv2 config for (pfsense-wan)...(draytek-wan)
Dec 31 12:23:34 charon 10[ENC] <373> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Dec 31 12:23:34 charon 10[NET] <373> received packet: from (draytek-wan)[7244] to (pfsense-wan)[500] (416 bytes)
Dec 31 12:23:32 ipsec_starter 36044 'con1000' routed
Dec 31 12:23:32 charon 06[CHD] CHILD_SA con1000{2651} state change: CREATED => ROUTED
Dec 31 12:23:32 charon 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ
Dec 31 12:23:32 charon 06[CFG] received stroke: route 'con1000'
Dec 31 12:23:32 charon 07[CFG] added configuration 'con1000'
Dec 31 12:23:32 charon 07[CFG] keyexchange=ikev2
Dec 31 12:23:32 charon 07[CFG] mediation=no
Dec 31 12:23:32 charon 07[CFG] sha256_96=no
Dec 31 12:23:32 charon 07[CFG] dpdaction=3
Dec 31 12:23:32 charon 07[CFG] dpdtimeout=60
Dec 31 12:23:32 charon 07[CFG] dpddelay=10
Dec 31 12:23:32 charon 07[CFG] esp=aes256-sha1-modp1024,aes256-sha256-modp1024,aes128gcm128-sha1-modp1024,aes128gcm128-sha256-modp1024,aes256gcm128-sha1-modp1024,aes256gcm128-sha256-modp1024,aes256gcm96-sha1-modp1024,aes256gcm96-sha256-modp1024,aes256gcm64-sha1-modp1024,aes256gcm64-sha256-modp1024!
Dec 31 12:23:32 charon 07[CFG] ike=aes256-sha1-modp2048!
Dec 31 12:23:32 charon 07[CFG] rightid=(draytek-wan)
Dec 31 12:23:32 charon 07[CFG] rightauth=psk
Dec 31 12:23:32 charon 07[CFG] rightsubnet=(draytek-lan)/24
Dec 31 12:23:32 charon 07[CFG] right=(draytek-wan)
Dec 31 12:23:32 charon 07[CFG] leftid=(pfsense-wan)
Dec 31 12:23:32 charon 07[CFG] leftauth=psk
Dec 31 12:23:32 charon 07[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 07[CFG] left=(pfsense-wan)
Dec 31 12:23:32 charon 07[CFG] conn con1000
Dec 31 12:23:32 charon 07[CFG] received stroke: add connection 'con1000'
Dec 31 12:23:32 ipsec_starter 36044 'bypasslan' shunt PASS policy installed
Dec 31 12:23:32 charon 06[CFG] received stroke: route 'bypasslan'
Dec 31 12:23:32 charon 08[CFG] added configuration 'bypasslan'
Dec 31 12:23:32 charon 08[CFG] mediation=no
Dec 31 12:23:32 charon 08[CFG] sha256_96=no
Dec 31 12:23:32 charon 08[CFG] dpdtimeout=150
Dec 31 12:23:32 charon 08[CFG] dpddelay=30
Dec 31 12:23:32 charon 08[CFG] rightsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 08[CFG] right=%any
Dec 31 12:23:32 charon 08[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:32 charon 08[CFG] left=%any
Dec 31 12:23:32 charon 08[CFG] conn bypasslan
Dec 31 12:23:32 charon 08[CFG] received stroke: add connection 'bypasslan'
Dec 31 12:23:32 charon 06[CFG] deleted connection 'con1000'
Dec 31 12:23:32 charon 06[CFG] received stroke: delete connection 'con1000'
Dec 31 12:23:32 ipsec_starter 36044 trap policy 'con1000' unrouted
Dec 31 12:23:32 charon 08[CHD] CHILD_SA con1000{2650} state change: ROUTED => DESTROYING
Dec 31 12:23:32 charon 08[CFG] received stroke: unroute 'con1000'
Dec 31 12:23:32 charon 06[CFG] deleted connection 'bypasslan'
Dec 31 12:23:32 charon 06[CFG] received stroke: delete connection 'bypasslan'
Dec 31 12:23:32 ipsec_starter 36044 shunt policy 'bypasslan' uninstalled
Dec 31 12:23:32 charon 05[CFG] received stroke: unroute 'bypasslan'
Dec 31 12:23:32 charon 07[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Dec 31 12:23:32 charon 07[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 31 12:23:32 charon 07[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 31 12:23:32 charon 07[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 31 12:23:32 charon 07[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 31 12:23:32 charon 07[CFG] loaded IKE secret for %any (draytek-wan)
Dec 31 12:23:32 charon 07[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Dec 31 12:23:32 charon 07[CFG] rereading secrets
Dec 31 12:23:20 ipsec_starter 36044 'con1000' routed
Dec 31 12:23:20 charon 08[CHD] CHILD_SA con1000{2650} state change: CREATED => ROUTED
Dec 31 12:23:20 charon 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ
Dec 31 12:23:20 charon 08[CFG] received stroke: route 'con1000'
Dec 31 12:23:20 charon 07[CFG] added configuration 'con1000'
Dec 31 12:23:20 charon 07[CFG] keyexchange=ikev2
Dec 31 12:23:20 charon 07[CFG] mediation=no
Dec 31 12:23:20 charon 07[CFG] sha256_96=no
Dec 31 12:23:20 charon 07[CFG] dpdaction=3
Dec 31 12:23:20 charon 07[CFG] dpdtimeout=60
Dec 31 12:23:20 charon 07[CFG] dpddelay=10
Dec 31 12:23:20 charon 07[CFG] esp=aes256-sha1-modp1024,aes256-sha256-modp1024,aes128gcm128-sha1-modp1024,aes128gcm128-sha256-modp1024,aes256gcm128-sha1-modp1024,aes256gcm128-sha256-modp1024,aes256gcm96-sha1-modp1024,aes256gcm96-sha256-modp1024,aes256gcm64-sha1-modp1024,aes256gcm64-sha256-modp1024!
Dec 31 12:23:20 charon 07[CFG] ike=aes256-sha1-modp2048!
Dec 31 12:23:20 charon 07[CFG] rightid=(draytek-wan)
Dec 31 12:23:20 charon 07[CFG] rightauth=psk
Dec 31 12:23:20 charon 07[CFG] rightsubnet=(draytek-lan)/24
Dec 31 12:23:20 charon 07[CFG] right=(draytek-wan)
Dec 31 12:23:20 charon 07[CFG] leftid=(pfsense-wan)
Dec 31 12:23:20 charon 07[CFG] leftauth=psk
Dec 31 12:23:20 charon 07[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 07[CFG] left=(pfsense-wan)
Dec 31 12:23:20 charon 07[CFG] conn con1000
Dec 31 12:23:20 charon 07[CFG] received stroke: add connection 'con1000'
Dec 31 12:23:20 ipsec_starter 36044 'bypasslan' shunt PASS policy installed
Dec 31 12:23:20 charon 06[CFG] received stroke: route 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] added configuration 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] mediation=no
Dec 31 12:23:20 charon 08[CFG] sha256_96=no
Dec 31 12:23:20 charon 08[CFG] dpdtimeout=150
Dec 31 12:23:20 charon 08[CFG] dpddelay=30
Dec 31 12:23:20 charon 08[CFG] rightsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 08[CFG] right=%any
Dec 31 12:23:20 charon 08[CFG] leftsubnet=(pfsense-lan)/24
Dec 31 12:23:20 charon 08[CFG] left=%any
Dec 31 12:23:20 charon 08[CFG] conn bypasslan
Dec 31 12:23:20 charon 08[CFG] received stroke: add connection 'bypasslan'
Dec 31 12:23:20 charon 06[CFG] deleted connection 'con1000'
Dec 31 12:23:20 charon 06[CFG] received stroke: delete connection 'con1000'
Dec 31 12:23:20 ipsec_starter 36044 trap policy 'con1000' unrouted
Dec 31 12:23:20 charon 08[CHD] CHILD_SA con1000{2649} state change: ROUTED => DESTROYING
Dec 31 12:23:20 charon 08[CFG] received stroke: unroute 'con1000'
Dec 31 12:23:20 charon 05[CFG] deleted connection 'bypasslan'
Dec 31 12:23:20 charon 05[CFG] received stroke: delete connection 'bypasslan'
Dec 31 12:23:20 ipsec_starter 36044 shunt policy 'bypasslan' uninstalled
Dec 31 12:23:20 charon 06[CFG] received stroke: unroute 'bypasslan'
Dec 31 12:23:20 charon 08[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
Dec 31 12:23:20 charon 08[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Dec 31 12:23:20 charon 08[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Dec 31 12:23:20 charon 08[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Dec 31 12:23:20 charon 08[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Dec 31 12:23:20 charon 08[CFG] loaded IKE secret for %any (draytek-wan)
Dec 31 12:23:20 charon 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Dec 31 12:23:20 charon 08[CFG] rereading secrets
-
@tech_support_ said in Has anyone got a VPN to a Draytek working?:
Dec 31 12:23:34 charon 10[CFG] <373> looking for peer configs matching (pfsense-wan)[%any]...(draytek-wan)[192.168.100.12]
The Draytek is sending its internal IP as the identifier. So if pfSense is set to use 'Peer IP Address' that will be the public IP and will not match. Either set the Draytek to send its public IP as its identifier or set pfSense to use 'IP Address (192.168.100.12)' as the peer identifier.
Steve
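Both diagnoses in this thread come down to reading two charon lines: the `looking for peer configs matching A[idA]...B[idB]` line, which shows the identities as pfSense actually received them, and the line that explains why IKE_AUTH was refused (`tried 1 shared key ... but MAC mismatched` in the first case, `constraint requires public key authentication, but pre-shared key was used` after falling through to `bypasslan` in the second). The script below is an added example, not code from the thread, pfSense or strongSwan: it parses those lines, compares the received peer identity against the configured `rightid`, and flags the LAN-address-as-identifier case. The two sample logs are constructed to mirror the ones quoted above, with RFC 5737 documentation addresses standing in for the real WAN IPs; the function and constant names are mine.

```python
"""Triage IKE_AUTH failures in strongSwan (charon) logs as pfSense shows them.

Added example for this thread; not pfSense or strongSwan code. The regexes
target the charon message formats quoted in the thread; the sample logs
below are constructed to mirror them, with RFC 5737 documentation
addresses standing in for the real WAN IPs.
"""
import ipaddress
import re

PFSENSE_WAN = "203.0.113.10"   # assumed pfSense WAN address (documentation range)
DRAYTEK_WAN = "198.51.100.20"  # assumed Draytek WAN address (documentation range)

# Case 1 (first half of the thread): a peer config matched, but the AUTH MAC failed.
LOG_PSK_MISMATCH = f"""\
charon 15[IKE] <con3000|31333> IKE_SA con3000[31333] state change: CONNECTING => DESTROYING
charon 15[ENC] <con3000|31333> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon 15[IKE] <con3000|31333> tried 1 shared key for '%any' - '{DRAYTEK_WAN}', but MAC mismatched
charon 15[CFG] <con3000|31333> selected peer config 'con3000'
charon 15[CFG] <31333> looking for peer configs matching {PFSENSE_WAN}[%any]...{DRAYTEK_WAN}[{DRAYTEK_WAN}]
"""

# Case 2 (second half): the Draytek sends its LAN address as IDi, so no
# site-to-site config matches and charon falls through to 'bypasslan'.
LOG_ID_MISMATCH = f"""\
charon 10[ENC] <bypasslan|373> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan' unacceptable: non-matching authentication done
charon 10[CFG] <bypasslan|373> constraint requires public key authentication, but pre-shared key was used
charon 10[CFG] <bypasslan|373> selected peer config 'bypasslan'
charon 10[CFG] <373> looking for peer configs matching {PFSENSE_WAN}[%any]...{DRAYTEK_WAN}[192.168.100.12]
charon 07[CFG] rightid={DRAYTEK_WAN}
charon 07[CFG] leftid={PFSENSE_WAN}
"""

PEER_MATCH = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<me_id>[^\]]+)\]\.\.\.(?P<other>\S+?)\[(?P<other_id>[^\]]+)\]")
CONFIG_ID = re.compile(r"\b(?P<side>leftid|rightid)=(?P<val>\S+)")
SELECTED = re.compile(r"selected peer config '(?P<name>[^']+)'")
PSK_MISMATCH = re.compile(r"tried \d+ shared keys? for '[^']*' - '[^']*', but MAC mismatched")
PUBKEY_CONSTRAINT = re.compile(
    r"constraint requires public key authentication, but pre-shared key was used")


def parse(log: str) -> dict:
    """Pull identities, configured IDs and failure markers out of charon lines.

    Order-independent, since pfSense displays the newest lines first.
    """
    info = {"sent_ids": None, "configured": {}, "selected": None,
            "psk_mismatch": False, "pubkey_constraint": False}
    for line in log.splitlines():
        if m := PEER_MATCH.search(line):
            info["sent_ids"] = (m["me_id"], m["other_id"])
        elif m := CONFIG_ID.search(line):
            info["configured"][m["side"]] = m["val"]
        elif m := SELECTED.search(line):
            info["selected"] = m["name"]
        elif PSK_MISMATCH.search(line):
            info["psk_mismatch"] = True
        elif PUBKEY_CONSTRAINT.search(line):
            info["pubkey_constraint"] = True
    return info


def _is_private_ip(ident: str) -> bool:
    """True for a literal RFC 1918 style address; False for '%any' or an FQDN."""
    try:
        return ipaddress.ip_address(ident).is_private
    except ValueError:
        return False


def triage(log: str) -> dict:
    """Classify the IKE_AUTH failure and say what to compare on each peer."""
    info = parse(log)
    me_id, peer_id = info["sent_ids"] or ("?", "?")
    expected_peer = info["configured"].get("rightid")
    if info["psk_mismatch"]:
        cause = "psk_mismatch"
        advice = (f"a key for '{me_id}' - '{peer_id}' was found but the AUTH MAC did not verify: "
                  "the PSK differs, or the identifier settings differ between the two ends")
    elif info["pubkey_constraint"] and info["selected"] == "bypasslan":
        cause = "identity_mismatch"
        advice = (f"no site-to-site config accepted IDi '{peer_id}', so charon fell through to "
                  "the 'bypasslan' shunt, which only allows public-key auth")
        if expected_peer and expected_peer != peer_id:
            advice += f"; pfSense expects rightid '{expected_peer}'"
        if _is_private_ip(peer_id):
            advice += (f"; the peer identifies with its LAN address, so either set Peer Identifier "
                       f"to 'IP address' {peer_id} or make the peer send its public IP")
    else:
        cause = "unknown"
        advice = "no IKE_AUTH failure signature found in these lines"
    return {"cause": cause, "sent_ids": (me_id, peer_id),
            "expected_peer_id": expected_peer, "advice": advice}


if __name__ == "__main__":
    for name, log in (("case 1", LOG_PSK_MISMATCH), ("case 2", LOG_ID_MISMATCH)):
        r = triage(log)
        print(f"{name}: {r['cause']} (IDs {r['sent_ids']}): {r['advice']}")
```

Run as-is it prints a verdict for each constructed case; to use it on a real failure, paste the charon lines from the pfSense IPsec log into `triage()`, including the `leftid=`/`rightid=` lines from the config reload so the expected peer identity is known. It only recognises the two failure signatures seen in this thread and returns `unknown` for anything else. Separately, note that the proposals negotiated in the first set of logs use MODP_1024 (a 1024-bit DH group) with SHA1; that is not what broke the tunnel, but it is a hardening item worth revisiting once it is up.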
-
@stephenw10 said in Has anyone got a VPN to a Draytek working?:
192.168.100.12
That was it, you're a legend!
A happy new year to you Steve
-
And to you.
-
@stephenw10 ,
I have a similar issue when building a tunnel from ASA to Draytek 2862 with firmware version 3.9.4.1. Logs show IKE link timeout: state linking.
Tunnel is IKEv1.
VPN configs are similar.
PSK confirmed multiple times.