How To Establish a Dial Out IPSec VPN from a Draytek Vigor Router to a Cyberoam UTM

How to set up an on-demand, IPSec, site-to-site VPN from a Draytek Vigor router to a Cyberoam UTM appliance.

A concise guide to the settings required on both devices
Draytek/Cyberoam Tech Note
Draytek Technote
Cyberoam Technote
Found this Technote and was hopeful it would work.
It doesn't. It is somewhat dated (8 years old), and the Cyberoam interface is now quite different from that shown in the article.

The problem is with PFS (Perfect Forward Secrecy).
The note implies it should be disabled on the Cyberoam.
There is no setting to do this in current models; it appears that PFS is permanently ENABLED.
PFS MUST be enabled on the Draytek as well, otherwise Phase 2 (Quick Mode) negotiation fails and the VPN never comes up.
Here is the set-up required.

CYBEROAM CONFIGURATION


VPN > Policy


General Settings


Name = Draytek
Allow Re-Keying = Enable
Key Neg = 3 (key negotiation retries)
Authentication Mode = Main Mode
Works with one or both ends on fixed IPs. Tested with one fixed IP and one variable (ADSL) IP, with DynDNS set up on the ADSL end.


Compression = Enabled

Phase 1


Encryption = AES128    Auth = SHA1

Draytek only supported SHA1 at the time of writing (May 2016).
Ideally SHA2 (e.g. SHA-256) should be used.
SHA1 is deprecated and collision attacks against it are practical. Collisions do not directly break HMAC-SHA1 as used for IKE/ESP integrity, but select SHA-2 wherever both ends support it.
MD5 is severely compromised and not recommended.


DH Group = 2 (1024-bit MODP)
1024-bit DH is considered weak; use group 14 (2048-bit) if both devices offer it, and keep the same group on both ends.
Key Life = 3600
Dead Peer Detection (DPD)

Not needed for a dial-in-on-demand VPN.
Might be useful for a permanent site-to-site VPN.

Phase 2


Encryption = AES128    Auth = SHA1

PFS (DH) Group = same as Phase 1
The mention of PFS suggests that PFS is enabled.
Confirmed by test: PFS must be enabled on the Draytek (Advanced > Security tab), with the same DH group as here; the VPN fails if PFS is NOT enabled.

Key Life = 3600
 

VPN > IPSec Connection



Connection Profile
Name = Dial_In_On_Demand
Connection = Site to Site
Policy = Draytek
Action on VPN Restart = Respond Only

i.e. wait for an incoming connection, dialled in from the Draytek router.


Authentication = Preshared Key = a long, random passphrase (the same one is entered on the Draytek)

Endpoint Details

Local = select WAN Port X (public IP)
Remote = DynDNS name of the Draytek router

A remote of * will allow ANY IP to connect (useful for setup and testing).
For production, specify the remote gateway: with a wildcard, anyone who obtains the pre-shared key can bring the tunnel up from any address, and a fixed peer address or name limits that exposure.
Use an IP address or DNS name for fixed public IPs.
A DynDNS name works for a variable IP address.


Local Network Details

Local Subnet = local LAN network address, e.g. 192.168.1.0/24
Local ID = Select Local ID, leave blank


Remote Network Details

Allow NAT Traversal = not required if both ends have public IPs
Remote LAN Network = network address of the LAN behind the remote Draytek router, e.g. 172.16.10.0/24
Remote ID = Select Remote ID, leave blank


User Authentication - Default
Quick Mode Selectors - Default
Advanced - Default

 

DRAYTEK CONFIGURATION


VPN > Remote Access Control > Enable IPSec
LAN to LAN > Profile

1. Common Settings

Name = Cyberoam-DialOut
Enable
Dial Out through WAN1 First (or as per the WAN setup)
Call Direction = Dial Out
Idle Timeout = 300 sec (use Always On for setup and testing)


2. Dial Out Settings

Type of Server = IPSec Tunnel
VPN Server/Gateway/Host = IP or hostname of the Cyberoam WAN port
IKE Authentication Method = Pre-Shared Key = the SAME passphrase as entered on the Cyberoam
IPSec Security Method = High (ESP), AES with Authentication
Click Advanced:
IKE Phase 1 Mode = Main Mode
IKE Phase 1 Proposal = AES128_SHA1_G2
(Draytek only supported SHA1 at the time of writing, May 2016; see the hash notes under the Cyberoam Phase 1 settings.)
IKE Phase 2 Proposal = AES128 SHA1/MD5 (the Cyberoam policy is SHA1, so SHA1 is what gets negotiated)
IKE Phase 1 Key Lifetime = 3600
IKE Phase 2 Key Lifetime = 3600
Perfect Forward Secret = Enable
PFS is permanently enabled on the Cyberoam; the VPN will fail if it is not enabled on the Draytek.

Local ID = leave blank

If these settings don't work, try AUTO for the proposals: it tries a whole bunch of combinations (see the note on the Draytek configuration page). Once the tunnel is up, pin the proposal back to the single explicit setting that worked, so the negotiated algorithms are known rather than whatever the peer happened to accept.


3. Dial In Settings

N/A


4. TCP/IP Network Settings

My WAN IP = Default = 0.0.0.0 (only needed for ISDN, PPTP and L2TP)
Remote Gateway IP = Default = 0.0.0.0 (only needed for ISDN, PPTP and L2TP)
Remote Network IP = e.g. 192.168.1.0/24 (the LAN behind the Cyberoam)
Either the Cyberoam's LAN port IP or the network address of the LAN behind it appears to be accepted here; with the /24 mask both identify the same network.

Local Network IP = e.g. 172.16.10.0/24, the private network of the local site

RIP = optional, set as desired
Subnet = Route (most site-to-site VPNs will be routed)
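The two configurations above have to mirror each other field for field, and the PFS mismatch is the one this article is about. The script below is an added example, not from the article and not vendor code: it models both profiles as dictionaries (the key names are the script's own, not the vendor field labels, and PFS of None models "disabled"), checks that the proposals, PFS group, pre-shared key and traffic selectors agree, and flags the weak-but-working settings (SHA1, DH group 2). It also normalises a host address such as 192.168.1.1/24 to its network, which is why either form works in the Draytek's Remote Network IP field.

```python
"""Cross-check a Cyberoam policy against a Draytek LAN-to-LAN profile.

Added example for this article; not vendor code. The dictionaries are a
constructed model of the settings listed above, with this script's own
key names (not the vendor field labels). PFS of None models 'disabled'.
"""
import copy
import ipaddress

CYBEROAM = {
    "mode": "main",
    "p1": {"enc": "AES128", "auth": "SHA1", "dh": 2, "life": 3600},
    "p2": {"enc": "AES128", "auth": "SHA1", "pfs": 2, "life": 3600},
    "psk": "A Good Secure Phrase",      # placeholder, as in the article
    "local_net": "192.168.1.0/24",
    "remote_net": "172.16.10.0/24",
}

DRAYTEK = {
    "mode": "main",
    "p1": {"enc": "AES128", "auth": "SHA1", "dh": 2, "life": 3600},
    "p2": {"enc": "AES128", "auth": "SHA1", "pfs": 2, "life": 3600},
    "psk": "A Good Secure Phrase",
    "local_net": "172.16.10.0/24",
    "remote_net": "192.168.1.0/24",
}

WEAK_DH_GROUPS = {1, 2, 5}           # 768-, 1024- and 1536-bit MODP
DEPRECATED_HASHES = {"MD5", "SHA1"}


def as_network(cidr):
    """Normalise 'host/prefix' (e.g. a LAN port IP) to the network address."""
    return ipaddress.ip_network(cidr, strict=False)


def check_pair(left, right):
    """Return (errors, warnings) for two peers' profiles.

    errors   - mismatches that stop Phase 1 or Phase 2 completing
    warnings - settings that negotiate fine but weaken the tunnel
    """
    errors, warnings = [], []

    if left["mode"] != right["mode"]:
        errors.append(f"IKE mode mismatch: {left['mode']} vs {right['mode']}")
    if left["p1"]["dh"] != right["p1"]["dh"]:
        errors.append(f"Phase 1 DH group mismatch: {left['p1']['dh']} vs {right['p1']['dh']}")

    for phase in ("p1", "p2"):
        for field in ("enc", "auth"):
            a, b = left[phase][field], right[phase][field]
            if a != b:
                errors.append(f"{phase} {field} mismatch: {a} vs {b}")
        if left[phase]["life"] != right[phase]["life"]:
            # Not fatal: each side rekeys on its own timer and the shorter wins.
            warnings.append(f"{phase} lifetimes differ: {left[phase]['life']} vs {right[phase]['life']}")
        if left[phase]["auth"] in DEPRECATED_HASHES:
            warnings.append(f"{phase} integrity is {left[phase]['auth']}; prefer SHA-256 where both ends support it")

    # The Cyberoam always proposes a PFS group in Quick Mode, so the peer must
    # have PFS on with the same group. None models 'disabled'.
    if left["p2"]["pfs"] != right["p2"]["pfs"]:
        errors.append(f"PFS mismatch: {left['p2']['pfs']} vs {right['p2']['pfs']}")

    if left["psk"] != right["psk"]:
        errors.append("pre-shared keys differ")
    elif len(left["psk"]) < 20:
        warnings.append("pre-shared key is shorter than 20 characters")

    # Traffic selectors must mirror: my local network is the peer's remote one.
    for mine, theirs in (("local_net", "remote_net"), ("remote_net", "local_net")):
        if as_network(left[mine]) != as_network(right[theirs]):
            errors.append(f"{mine} {left[mine]} does not mirror peer {theirs} {right[theirs]}")

    for label, group in (("Phase 1 DH", left["p1"]["dh"]), ("PFS", left["p2"]["pfs"])):
        if group in WEAK_DH_GROUPS:
            warnings.append(f"{label} group {group} is 1536-bit MODP or smaller; prefer group 14 (2048-bit)")

    return errors, warnings


def pfs_disabled(profile):
    """Copy of a profile with PFS switched off: the failure mode in the article."""
    bad = copy.deepcopy(profile)
    bad["p2"]["pfs"] = None
    return bad


if __name__ == "__main__":
    for label, draytek in (("as configured", DRAYTEK), ("PFS off on Draytek", pfs_disabled(DRAYTEK))):
        errs, warns = check_pair(CYBEROAM, draytek)
        print(f"{label}: {len(errs)} error(s) {errs}, {len(warns)} warning(s)")
```

Run as-is, the configured pair produces no errors and four warnings (SHA1 in both phases, DH group 2 for Phase 1 and for PFS); switching PFS off on the Draytek side produces the single "PFS mismatch" error that corresponds to the Quick Mode failure described above.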

 

CONNECTION ATTEMPTS & LOGS

On the Draytek, initiate the VPN connection and monitor Diagnostics > Syslog > VPN.
In the trace, Exchange Type 0x2 is Main Mode (three request/response pairs: SA, KE, ID), 0x20 is Quick Mode and 0x5 is an Informational exchange. A proposal, DH group or pre-shared key mismatch shows up as Main Mode stalling before "ISAKMP SA established"; a PFS or subnet mismatch lets Phase 1 complete and then stalls Quick Mode before "IPsec SA established".

Example of a successful log:
 
Dialing Node28 (Cyberoam-DialOut) : RRR.RRR.RRR.RRR
Initiating IKE Main Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with v. In/Out Index: 0/-28

Phase 1 SA Established

Start IKE Quick Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Client L2L remote network setting is 192.168.0.0/24
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with RRR.RRR.RRR.RRR. In/Out Index: 0/-28

Phase 2 SA Established

[L2L][UP][IPSec][@28:Cyberoam-DialOut]

Link UP  

IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xdf90e916
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x490a3747
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x819ee015
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc08264d5
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xa61eef62
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x102cbb83
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8739c98c
NAT GRE session 47501 time out, las time = 341208950 ...
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x4ccc0d2e
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x42c9e8d1
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x977463db
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x1563065c
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9b684603
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
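To turn a trace like the one above into a verdict, the following added example (not Draytek code, not from the article) parses the syslog lines, counts the Main Mode, Quick Mode and Informational messages by their ISAKMP exchange type, and reports which phase stalled and which settings to check. The sample trace is constructed from the successful log above, with 203.0.113.10 standing in for the redacted peer address; the two failure traces are cut from it to show what a Phase 1 and a Phase 2 (PFS) failure look like to the parser.

```python
"""Read a Draytek 'Diagnostics > Syslog > VPN' trace and report how far IKE got.

Added example for this article, not Draytek code. The sample below is a
constructed excerpt modelled on the log lines in the article, with
203.0.113.10 standing in for the redacted peer address. Exchange types are
the ISAKMP values: 0x2 Identity Protection (Main Mode), 0x20 Quick Mode,
0x5 Informational.
"""
import re

SAMPLE_LOG = """\
Dialing Node28 (Cyberoam-DialOut) : 203.0.113.10
Initiating IKE Main Mode to 203.0.113.10
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with 203.0.113.10. In/Out Index: 0/-28
Start IKE Quick Mode to 203.0.113.10
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Client L2L remote network setting is 192.168.0.0/24
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with 203.0.113.10. In/Out Index: 0/-28
[L2L][UP][IPSec][@28:Cyberoam-DialOut]
"""

EXCHANGE = re.compile(r"Exchange Type = (0x[0-9A-Fa-f]+)")
MAIN_MODE, QUICK_MODE, INFORMATIONAL = 0x2, 0x20, 0x5


def analyse(log_text):
    """Walk the trace line by line and return a dict describing the outcome."""
    s = {
        "peer": None, "nat_detected": None,
        "main_mode_msgs": 0, "quick_mode_msgs": 0, "informational_msgs": 0,
        "phase1": False, "phase2": False, "link_up": False,
        "remote_network": None,
    }
    for line in log_text.splitlines():
        m = EXCHANGE.search(line)
        if m:
            xtype = int(m.group(1), 16)
            if xtype == MAIN_MODE:
                s["main_mode_msgs"] += 1
            elif xtype == QUICK_MODE:
                s["quick_mode_msgs"] += 1
            elif xtype == INFORMATIONAL:
                s["informational_msgs"] += 1
        elif line.startswith("Initiating IKE Main Mode to "):
            s["peer"] = line.rsplit(" ", 1)[1]
        elif line.startswith("NAT-Traversal:"):
            s["nat_detected"] = "no NAT detected" not in line
        elif line.startswith("ISAKMP SA established"):
            s["phase1"] = True
        elif line.startswith("Client L2L remote network setting is "):
            s["remote_network"] = line.rsplit(" ", 1)[1]
        elif "IPsec SA established" in line:
            s["phase2"] = True
        elif line.startswith("[L2L][UP]"):
            s["link_up"] = True
    s["diagnosis"] = diagnose(s)
    return s


def diagnose(s):
    """Map the parsed state to the part of the configuration to check."""
    if s["link_up"]:
        return "tunnel up"
    if not s["phase1"]:
        return (f"Phase 1 failed after {s['main_mode_msgs']} Main Mode message(s): "
                "check pre-shared key, Phase 1 proposal (AES128/SHA1), DH group and Main/Aggressive mode")
    if not s["phase2"]:
        return (f"Phase 2 failed after {s['quick_mode_msgs']} Quick Mode message(s): "
                "check PFS (enabled, same group on both ends), Phase 2 proposal and mirrored subnets")
    return "both SAs established but no [L2L][UP] line seen"


# Constructed failure traces cut from the successful one: Phase 1 stalls after
# the KE message is sent; Phase 2 stalls after the first Quick Mode message.
_LINES = SAMPLE_LOG.splitlines()
PHASE1_FAIL_LOG = "\n".join(_LINES[:5])
PHASE2_FAIL_LOG = "\n".join(_LINES[:14])

if __name__ == "__main__":
    for name, text in (("success", SAMPLE_LOG), ("phase1", PHASE1_FAIL_LOG), ("phase2", PHASE2_FAIL_LOG)):
        print(name, "->", analyse(text)["diagnosis"])
```

Paste a real trace in place of SAMPLE_LOG (or read it from a file) and the diagnosis tells you whether to revisit the Phase 1 settings or the PFS/subnet settings; the parser keys only on the fixed parts of each line, so the redacted addresses in the article's own log do not matter.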

Author: John Gowing