How To Establish a Dial Out IPSec VPN from a Draytek Vigor Router to a Cyberoam UTM

How to set up an on-demand IPSec site-to-site VPN from a Draytek Vigor router to a Cyberoam UTM appliance.

A concise guide to the settings required on both devices
Draytek/Cyberoam Tech Note
Draytek Technote
Cyberoam Technote
Found this Technote and was hopeful it would work.
It doesn't; it is somewhat dated, 8 years old.
The Cyberoam interface is now quite different from that in the article.

The problem is with PFS (Perfect Forward Secrecy).
The note implies it should be disabled on the Cyberoam.
There is no setting to do this in current models.
It appears that PFS is permanently ENABLED.
PFS MUST be enabled on the Draytek, otherwise the VPN fails.
Here is the set-up required.

CYBEROAM CONFIGURATION


VPN > Policy


General Settings


Name = Draytek
Allow Re-Keying = Enable
Key Neg = 3
Authentication Mode = Main Mode
Main Mode works with one or both ends on fixed IPs. Tested with one fixed and one variable (ADSL) address,
with DynDNS set up on the ADSL end.


Compression = Enabled

Phase 1


Encryption = AES128    Auth = SHA1

Draytek only supports SHA1 (May 2016).
Ideally SHA2 or later should be used.
SHA1 is now considered somewhat compromised.
MD5 is vulnerable, severely compromised and not recommended.


DH Group = 2 (DH1024)
Key Life = 3600
Dead Peer Detection (DPD)

Not needed for a dial-in on-demand VPN.
Might be useful for a permanent site-to-site VPN.

Phase 2


Encryption = AES128    Auth = SHA1

PFS (DH) group = Same as Phase 1
The mention of PFS here suggests that PFS is enabled.
Confirmed by test: PFS must be enabled on the Draytek (Advanced Security tab).
The VPN fails if PFS is NOT enabled.

Key Life = 3600
 

VPN > IPSec Connection



Connection Profile
Name = Dial_In_On_Demand
Connection = Site to Site
Policy = Draytek
Action on VPN Restart = Respond Only

i.e. wait for the incoming connection (dial-in from the Draytek router).


Authentication = Preshared Key = a good, secure passphrase

EndPoint Details

Local = Select WAN Port X (Public IP)
Remote = DynDNS name of the Draytek router

* will allow ANY IP to connect (useful for setup and testing).
However, it is a good idea to specify the remote gateway so that only the intended peer can attempt the connection (prevents hacking / spoofing).
Use an IP address or DNS name for fixed public IPs.
A DynDNS name works for a variable IP address.


Local Network Details

Local Subnet = local LAN network address, e.g. 192.168.1.0/24
Local ID = choose "Select Local ID" and leave it blank


Remote Network Details

Allow NAT Traversal = not needed if both ends have a public IP
Remote LAN Network = network address of the LAN behind the remote Draytek router,
e.g. 172.16.10.0/24
Remote ID = choose "Select Remote ID" and leave it blank


User Authentication - Default
Quick Mode Selectors - Default
Advanced - Default

 

DRAYTEK CONFIG


VPN > Remote Access Control > Enable IPSec
Lan to Lan > Profile

1. Common Settings

Name = Cyberoam-DialOut
Enable
Dial Out through WAN1 First (or as per the WAN setup)
Call Direction = Dial Out
Idle Timeout = 300 sec (use Always On for setup and testing)


2. Dial Out Settings

IPSec Tunnel
VPN Server/Gateway/Host = IP or hostname of the Cyberoam WAN port
IKE Authentication
Pre-Shared Key = the SAME good, secure passphrase
IPSec Security Method = High (ESP) (AES with Authentication)
Click Advanced
IKE Phase 1 = Main Mode
IKE Phase 1 Proposal = AES128_SHA1_G2
Draytek only supports SHA1 (May 2016).
Ideally SHA2 or later should be used.
SHA1 is now considered somewhat compromised.
MD5 is vulnerable, severely compromised and not recommended.


IKE Phase 2 Proposal = AES128 SHA1 / MD5
IKE Phase 1 Key Lifetime = 3600
IKE Phase 2 Key Lifetime = 3600
Perfect Forward Secret = Enable
PFS is permanently enabled on the Cyberoam.
The VPN will fail if it is not enabled on the Draytek.

Local ID = leave blank

If these settings don't work, try AUTO, which offers a whole range of proposals (see the note on the configuration page).


3. Dial In Settings

N/A


4. TCP/IP Network Settings

My WAN IP = Default = 0.0.0.0  (only needed for ISDN, PPTP and L2TP)
Remote Gateway IP = Default = 0.0.0.0  (only needed for ISDN, PPTP and L2TP)
Remote Network IP = e.g. 192.168.1.0/24
It appears that either the LAN port IP or the network address of the LAN behind the Cyberoam is accepted.

Local Network IP = e.g. 172.16.10.0/24        Private network address of the local site

RIP = Optional - set as desired
Subnet = Route  (most site-to-site VPNs will be routed)
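
The two configurations above have to mirror each other, and the PFS setting is the one that is easy to miss. The following checker is an added example (not part of this note or either vendor's software): it holds the Cyberoam and Draytek settings as constructed Python dicts with field names chosen here, and reports every mismatch, including the PFS one that makes Phase 2 fail.

```python
import ipaddress

# Cyberoam "VPN > Policy" / "IPSec Connection" settings (constructed sample).
CYBEROAM = {
    "auth_mode": "Main Mode",
    "p1_enc": "AES128", "p1_auth": "SHA1", "p1_dh": 2,
    "p2_enc": "AES128", "p2_auth": "SHA1", "p2_pfs_dh": 2,
    "pfs": True,                    # no switch in current firmware: always on
    "local_net": "192.168.1.0/24",  # LAN behind the Cyberoam
    "remote_net": "172.16.10.0/24", # LAN behind the Draytek
}

# Draytek "LAN to LAN > Dial Out" settings (constructed sample; SHA1 chosen for Phase 2).
DRAYTEK = {
    "auth_mode": "Main Mode",
    "p1_proposal": "AES128_SHA1_G2",
    "p2_enc": "AES128", "p2_auth": "SHA1",
    "pfs": False,                   # the mistake this note is about
    "local_net": "172.16.10.0/24",
    "remote_net": "192.168.1.0/24",
}

def parse_draytek_p1(proposal):
    """Split a Draytek proposal string such as 'AES128_SHA1_G2' into (enc, auth, dh)."""
    enc, auth, grp = proposal.split("_")
    return enc, auth, int(grp.lstrip("G"))

def check_tunnel(cr, dr):
    """Return a list of mismatches; an empty list means both ends agree."""
    problems = []
    enc, auth, dh = parse_draytek_p1(dr["p1_proposal"])
    if cr["auth_mode"] != dr["auth_mode"]:
        problems.append("IKE Phase 1 mode differs")
    if (cr["p1_enc"], cr["p1_auth"], cr["p1_dh"]) != (enc, auth, dh):
        problems.append("Phase 1 proposal differs")
    if (cr["p2_enc"], cr["p2_auth"]) != (dr["p2_enc"], dr["p2_auth"]):
        problems.append("Phase 2 proposal differs")
    # The Cyberoam always uses PFS, so the Draytek profile must enable it too.
    if cr["pfs"] and not dr["pfs"]:
        problems.append("PFS on Cyberoam but off on Draytek: Phase 2 will fail")
    elif cr["pfs"] and cr["p2_pfs_dh"] != dh:
        problems.append("PFS DH group differs from Phase 1 group")
    # Each end's local subnet must be the other end's remote subnet.
    pairs = ((cr["local_net"], dr["remote_net"]), (cr["remote_net"], dr["local_net"]))
    for a, b in pairs:
        if ipaddress.ip_network(a) != ipaddress.ip_network(b):
            problems.append("subnets do not mirror: %s vs %s" % (a, b))
    return problems
```

Run check_tunnel(CYBEROAM, DRAYTEK) before dialing; with the sample dicts it reports only the PFS mismatch, and setting "pfs": True on the Draytek side clears it.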

 

CONNECTION ATTEMPTS & LOGS

On the Draytek, initiate the VPN connection and monitor Diagnostics > SysLog > VPN.

Example of a successful log:
 
Dialing Node28 (Cyberoam-DialOut) : RRR.RRR.RRR.RRR
                      Initiating IKE Main Mode to RRR.RRR.RRR.RRR
                      IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
                      IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
                      IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
                      IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
                      NAT-Traversal: Using RFC 3947, no NAT detected
                      IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
                      IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
                      ISAKMP SA #5736 will be replaced after 2475 seconds
                      ISAKMP SA established with v. In/Out Index: 0/-28
                      
                      Phase 1 SA Established
                      
                      Start IKE Quick Mode to RRR.RRR.RRR.RRR
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
                      Client L2L remote network setting is 192.168.0.0/24
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
                      IPsec SA #5737 will be replaced after 2996 seconds
                      sent QI2, IPsec SA established with RRR.RRR.RRR.RRR. In/Out Index: 0/-28
                      
                      Phase 2 SA Established
                      
                      [L2L][UP][IPSec][@28:Cyberoam-DialOut]
                      
                      Link UP  
                      
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xdf90e916
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x490a3747
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x819ee015
                      Receive client L2L remote network setting is LLL.LLL.LLL.LLL
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc08264d5
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xa61eef62
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x102cbb83
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8739c98c
                      NAT GRE session 47501 time out, las time = 341208950 ...
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x4ccc0d2e
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x42c9e8d1
                      IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x977463db
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x1563065c
                      IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9b684603
                      Receive client L2L remote network setting is LLL.LLL.LLL.LLL
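
Reading the log by hand, the useful signal is how far the exchange got: Exchange Type 0x2 is Main Mode (Phase 1), 0x20 is Quick Mode (Phase 2) and 0x5 is Informational. The summariser below is an added example, not a Draytek tool: it matches the line shapes shown in the log above, counts messages per exchange type, and reports which phase was reached, so a capture that stops after "Phase 1 SA Established" points straight at the Phase 2 proposal or PFS mismatch described in this note. The sample log is a constructed, shortened copy of the successful capture above.

```python
import re

EXCHANGE = {"0x2": "Main Mode", "0x20": "Quick Mode", "0x5": "Informational"}
IKE_LINE = re.compile(r"IKE (==>|<==), .*Exchange Type = (0x[0-9a-f]+)")

def summarise_ike(log_text):
    """Count IKE messages per exchange type and report the phase reached."""
    sent, recv = {}, {}   # exchange type -> messages sent / received
    phase1 = phase2 = link_up = False
    for line in log_text.splitlines():
        m = IKE_LINE.search(line)
        if m:
            kind = EXCHANGE.get(m.group(2), m.group(2))
            bucket = sent if m.group(1) == "==>" else recv
            bucket[kind] = bucket.get(kind, 0) + 1
        elif "Phase 1 SA Established" in line:
            phase1 = True
        elif "Phase 2 SA Established" in line:
            phase2 = True
        elif "Link UP" in line:
            link_up = True
    if link_up:
        verdict = "tunnel up"
    elif phase2:
        verdict = "Phase 2 up but no Link UP line"
    elif phase1:
        # Phase 1 agreed but Phase 2 never completed: Phase 2 proposal or PFS differs between the ends.
        verdict = "Phase 1 only: check Phase 2 proposal and PFS on both ends"
    elif recv.get("Main Mode"):
        verdict = "Phase 1 incomplete: check Phase 1 proposal and pre-shared key"
    else:
        verdict = "no reply from peer: check the gateway address"
    return {"sent": sent, "recv": recv, "phase1": phase1,
            "phase2": phase2, "link_up": link_up, "verdict": verdict}

# Constructed sample, shortened from the successful log above.
GOOD_LOG = """\
Initiating IKE Main Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
Phase 1 SA Established
Start IKE Quick Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Phase 2 SA Established
Link UP
"""
```

Paste the VPN syslog text into summarise_ike(); the "verdict" field tells you which side's settings to look at first.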
                      
