    Draytek - setting up IPsec client

    6 Posts 3 Posters 2.1k Views
robina80

Hi all.

I have set up the IPsec server on my pfSense and can connect to it from my mobile over 3G, no problem.

But the trouble is on the Draytek: when I want to create an IPsec client, I can't, as it doesn't ask me anywhere on the configuration page to enter a username and password (it is greyed out). It asks for the pre-shared key, which is good, but not the username and password.

Does anyone know how you can do it, please?

Many thanks

Rob

jeffstu

I used this guide to help me set up my Draytek to my pfSense instance:

        http://www.draytek.co.uk/support/guides/kb-lantolan-ipsec

If you're doing a LAN-to-LAN tunnel you shouldn't need a username and password, just a pre-shared key.

        Stu

robina80

Don't worry, I have set up an L2TP/IPsec server on my pfSense firewall and an L2TP/IPsec client on the Draytek router, and it works.

robina80

It connects, as I can see it in Status > IPsec, but it only connects briefly. Here are the IPsec logs, if anyone could help me out, as I don't understand them:

Oct 27 15:39:03 charon: 08[IKE] <con1|196> received retransmit of request with ID 2722601540, but no response to retransmit
Oct 27 15:39:03 charon: 08[IKE] <con1|196> received retransmit of request with ID 2722601540, but no response to retransmit
Oct 27 15:39:07 charon: 08[NET] <con1|196> received packet: from 217.138.11.250[4500] to 193.203.70.61[4500] (92 bytes)
Oct 27 15:39:07 charon: 08[ENC] <con1|196> parsed INFORMATIONAL_V1 request 4068196451 [ HASH D ]
Oct 27 15:39:07 charon: 08[IKE] <con1|196> received DELETE for IKE_SA con1[196]
Oct 27 15:39:07 charon: 08[IKE] <con1|196> received DELETE for IKE_SA con1[196]
Oct 27 15:39:07 charon: 08[IKE] <con1|196> deleting IKE_SA con1[196] between 193.203.70.61[193.203.70.61]…217.138.11.250[ipsec@molinare.co.uk]
Oct 27 15:39:07 charon: 08[IKE] <con1|196> deleting IKE_SA con1[196] between 193.203.70.61[193.203.70.61]…217.138.11.250[ipsec@molinare.co.uk]
Oct 27 15:39:10 charon: 11[NET] <197> received packet: from 217.138.11.250[500] to 193.203.70.61[500] (492 bytes)
Oct 27 15:39:10 charon: 11[ENC] <197> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Oct 27 15:39:10 charon: 11[IKE] <197> received DPD vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received DPD vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received NAT-T (RFC 3947) vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received NAT-T (RFC 3947) vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Oct 27 15:39:10 charon: 11[IKE] <197> 217.138.11.250 is initiating a Aggressive Mode IKE_SA
Oct 27 15:39:10 charon: 11[IKE] <197> 217.138.11.250 is initiating a Aggressive Mode IKE_SA
Oct 27 15:39:10 charon: 11[CFG] <197> looking for pre-shared key peer configs matching 193.203.70.61…217.138.11.250[ipsec@molinare.co.uk]
Oct 27 15:39:10 charon: 11[CFG] <197> selected peer config "con1"
Oct 27 15:39:10 charon: 11[ENC] <con1|197> generating AGGRESSIVE response 0 [ SA KE No ID NAT-D NAT-D HASH V V V V ]
Oct 27 15:39:10 charon: 11[NET] <con1|197> sending packet: from 193.203.70.61[500] to 217.138.11.250[500] (408 bytes)
Oct 27 15:39:10 charon: 07[NET] <con1|197> received packet: from 217.138.11.250[4500] to 193.203.70.61[4500] (100 bytes)
Oct 27 15:39:10 charon: 07[ENC] <con1|197> parsed AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Oct 27 15:39:10 charon: 07[IKE] <con1|197> IKE_SA con1[197] established between 193.203.70.61[193.203.70.61]…217.138.11.250[ipsec@molinare.co.uk]
Oct 27 15:39:10 charon: 07[IKE] <con1|197> IKE_SA con1[197] established between 193.203.70.61[193.203.70.61]…217.138.11.250[ipsec@molinare.co.uk]
Oct 27 15:39:10 charon: 07[IKE] <con1|197> scheduling reauthentication in 2608s
Oct 27 15:39:10 charon: 07[IKE] <con1|197> scheduling reauthentication in 2608s
Oct 27 15:39:10 charon: 07[IKE] <con1|197> maximum IKE_SA lifetime 3148s
Oct 27 15:39:10 charon: 07[IKE] <con1|197> maximum IKE_SA lifetime 3148s
Oct 27 15:39:10 charon: 07[IKE] <con1|197> local host is behind NAT, sending keep alives
Oct 27 15:39:10 charon: 07[IKE] <con1|197> local host is behind NAT, sending keep alives
Oct 27 15:39:10 charon: 07[NET] <con1|197> received packet: from 217.138.11.250[4500] to 193.203.70.61[4500] (172 bytes)
Oct 27 15:39:10 charon: 07[ENC] <con1|197> parsed QUICK_MODE request 1103200867 [ HASH SA No ID ID ]
Oct 27 15:39:10 charon: 07[IKE] <con1|197> no matching CHILD_SA config found
Oct 27 15:39:10 charon: 07[IKE] <con1|197> no matching CHILD_SA config found
Oct 27 15:39:10 charon: 07[ENC] <con1|197> generating INFORMATIONAL_V1 request 797536767 [ HASH N(INVAL_ID) ]
Oct 27 15:39:10 charon: 07[NET] <con1|197> sending packet: from 193.203.70.61[4500] to 217.138.11.250[4500] (76 bytes)
Oct 27 15:39:13 charon: 13[NET] <con1|197> received packet: from 217.138.11.250[4500] to 193.203.70.61[4500] (172 bytes)
Oct 27 15:39:13 charon: 13[IKE] <con1|197> received retransmit of request with ID 1103200867, but no response to retransmit
Oct 27 15:39:13 charon: 13[IKE] <con1|197> received retransmit of request with ID 1103200867, but no response to retransmit
Oct 27 15:39:19 charon: 10[NET] <con1|197> received packet: from 217.138.11.250[4500] to 193.203.70.61[4500] (172 bytes)
Oct 27 15:39:19 charon: 10[IKE] <con1|197> received retransmit of request with ID 1103200867, but no response to retransmit
Oct 27 15:39:19 charon: 10[IKE] <con1|197> received retransmit of request with ID 1103200867, but no response to retransmit

gerdesj
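The log above tells a fairly precise story once it is read per IKE_SA: SA 196 is torn down by the Draytek (received DELETE), then SA 197 completes Phase 1 (IKE_SA established, PSK and identities agree), but the Draytek's Quick Mode request hits "no matching CHILD_SA config found", pfSense replies with an INVAL_ID notify, and the Draytek just keeps retransmitting the same request. That pattern is what "connects briefly" looks like from the responder side: Phase 1 is fine, the Phase 2 networks (local/remote subnets) proposed by the Draytek match no Phase 2 entry on the pfSense side. The script below is an added example, not code from the thread, pfSense or strongSwan; it parses charon lines of the shape quoted here and gives each IKE_SA a verdict. The sample log, the RFC 5737 addresses, the placeholder identity and the verdict names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the charon lines quoted in the post above.
# Addresses are RFC 5737 documentation ranges and the peer identity is a placeholder.
SAMPLE_LOG = """\
Oct 27 15:39:07 charon: 08[IKE] <con1|196> received DELETE for IKE_SA con1[196]
Oct 27 15:39:07 charon: 08[IKE] <con1|196> deleting IKE_SA con1[196] between 192.0.2.10[192.0.2.10]...198.51.100.20[ipsec@example.invalid]
Oct 27 15:39:10 charon: 11[IKE] <197> 198.51.100.20 is initiating a Aggressive Mode IKE_SA
Oct 27 15:39:10 charon: 11[CFG] <197> selected peer config "con1"
Oct 27 15:39:10 charon: 07[IKE] <con1|197> IKE_SA con1[197] established between 192.0.2.10[192.0.2.10]...198.51.100.20[ipsec@example.invalid]
Oct 27 15:39:10 charon: 07[ENC] <con1|197> parsed QUICK_MODE request 1103200867 [ HASH SA No ID ID ]
Oct 27 15:39:10 charon: 07[IKE] <con1|197> no matching CHILD_SA config found
Oct 27 15:39:10 charon: 07[ENC] <con1|197> generating INFORMATIONAL_V1 request 797536767 [ HASH N(INVAL_ID) ]
Oct 27 15:39:13 charon: 13[IKE] <con1|197> received retransmit of request with ID 1103200867, but no response to retransmit
"""

# Shape of a pfSense/charon syslog line: "<month> <day> <time> charon: <thread>[<subsystem>] <ctx> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] "
    r"<(?P<ctx>[^>]*)>\s*(?P<msg>.*)$"
)

# Message patterns that mark the interesting stages of an IKEv1 exchange.
EVENT_PATTERNS = {
    "aggressive_mode": re.compile(r"is initiating an? Aggressive Mode IKE_SA"),
    "ike_established": re.compile(r"^IKE_SA \S+ established between"),
    "no_child_sa": re.compile(r"^no matching CHILD_SA config found"),
    "inval_id_sent": re.compile(r"N\(INVAL_ID\)"),
    "peer_deleted": re.compile(r"^received DELETE for IKE_SA"),
}


def parse_line(line):
    """Split one charon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The context is "<197>" before a peer config is chosen and "<con1|197>" after it.
    conn, _, sa = m.group("ctx").rpartition("|")
    return {
        "ts": m.group("ts"),
        "thread": int(m.group("thread")),
        "subsys": m.group("subsys"),
        "conn": conn or None,
        "sa": sa,
        "msg": m.group("msg"),
    }


def diagnose(log_text):
    """Group the recognised events per IKE_SA number and give each SA a verdict."""
    events = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pat in EVENT_PATTERNS.items():
            if pat.search(rec["msg"]):
                events[rec["sa"]].add(name)

    findings = {}
    for sa in sorted(events, key=lambda s: int(s) if s.isdigit() else -1):
        names = events[sa]
        if "ike_established" in names and "no_child_sa" in names:
            # Phase 1 succeeded (PSK and identities agree) but the Quick Mode
            # proposal's IDs (the local/remote networks) matched no Phase 2 entry.
            verdict = "phase1-ok-phase2-mismatch"
        elif "ike_established" in names:
            verdict = "established"
        elif "peer_deleted" in names:
            verdict = "torn-down-by-peer"
        else:
            verdict = "incomplete"
        findings[sa] = {"verdict": verdict, "events": sorted(names)}
    return findings


EXPLANATIONS = {
    "phase1-ok-phase2-mismatch": "Phase 1 is fine; compare the Phase 2 local/remote networks on both ends.",
    "torn-down-by-peer": "The peer sent DELETE; check its log and its keep-alive/DPD settings.",
    "established": "IKE_SA established with no Phase 2 error seen in this window.",
    "incomplete": "Not enough lines for this SA to say anything.",
}


def report(log_text):
    """Return one human-readable line per IKE_SA."""
    return [
        f"IKE_SA {sa}: {f['verdict']} ({', '.join(f['events'])}) - {EXPLANATIONS[f['verdict']]}"
        for sa, f in diagnose(log_text).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Feed it the real log with `diagnose(open("/var/log/ipsec.log").read())` and look at the verdict for the highest SA number. The `aggressive_mode` event is recorded separately because Aggressive Mode with a PSK is the weaker IKEv1 variant (the identity travels unprotected); it is often all the client side offers, but when the Draytek allows Main Mode it is the better choice.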

              Some notes on wiring up a Draytek to pfSense (I have lots of them):

Drayteks only support IKEv1. IP identifiers only in Phase 1 when using PSKs. However, you can use a DNS name to refer to the pfSense box in the dial-out settings.
Set the Draytek to dial out only and tick "always on". This is the only reliable way I get them to connect.
On some firmware revisions "ping to keep alive" actually means enable DPD and not use ICMP pings. If you see the tunnel drop after exactly 60 seconds and re-establish, disable "ping to keep alive" on the Draytek.
Update the firmware on the Draytek to the latest available.
2600 and 2800 are very old and nearly useless nowadays; bin them.
A Draytek behind another router (and hence NATed) can have its ID (real external IP) set in the Advanced dialogue box underneath where you set the P1 and P2 algos and hashes.
Watch the logs at both ends for clues; there are a lot of parameters. The Draytek can forward to a remote syslog, as can pfSense. Don't rely on "magic", get some feedback from them as to what is going on!

              Cheers
              Jon

robina80

I am doing it another way now: I am just using "Mutual PSK" for authentication, but I still can't get it to connect.

Got screenshots in case it helps:

                ipsec_site.zip

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.