Kash
site to site VPN info required
Hi,
I wonder if someone can point me to the right direction.
I am tasked to set up a LAN-to-LAN VPN for a client and I have come across some niggly bits.
Here are the details:
Local Network is
192.168.0.0/24
I need to dial out to a network where the other device is not a draytek (possibly a cisco) and the IT guys over there have provided the following info.
IKE Preshared Key = I have this
Protocol = IPSec
Security Method = High (ESP) without Authentication
IKE Phase 1 = AES_SHA1_G2 <<<< is that right?
IKE Phase2=AES256
PFS= Disable
Remote Network IP= 172.17.123.40/29
Now I have got most of it configured, but when I go to IKE Advanced settings so that I can change the IKE Phase 1 Proposal to AES_SHA1_G2, it's not there. It surely doesn't work on Auto.
If I keep it on Auto, I am getting this in the log:
NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected
And when I spoke to their IT people, this is what they said:
To achieve this, typically this can be solved with source NAT, NATing your real LAN to that subnet before the encryption process.
Am I missing something?
And when I change it to a manually selected IKE Phase 1 proposal, I just get this:
Initiating IKE Main Mode to IP address
Help needed.
ASKER
Thanks for that.
I am in dialogue with DrayTek tech support.
The company on the other side has given us an IP subnet with a further 3 subnets and they want us to encapsulate (NAT, I presume) all the traffic into the allocated network.
They can see us connecting to their network, but because the subnets don't appear to be NATing, it's not letting us through properly.
That's how I have one of mine setup (sonicwall though). I chose one ip, call it 10.10.100.1, and also a /24 subnet and vlan. So anything on that subnet is automatically routed through that gateway through the VPN (which is a group of subnets on their end) and from their end, looks to be coming from that ip. With this setup I can also make a firewall rule to allow any other ip only network get through the VPN as well.
ASKER
You may be able to guide me in the right direction.
Our customer's network is 192.168.0.0/24.
They have a fixed WAN IP address from the ISP.
They want a LAN-to-LAN to a company in Spain (dialing out) and they have a Cisco router.
The IT at their end has told us to encapsulate all the traffic (our external IP) into the
172.17.123.40/29 network.
They have also given us further subnets:
172.19.0.0/16
172.20.0.0/16
172.30.0.0/16
They have given us the IKE passphrase with IKE Phase 1 and Phase 2 settings.
They can see us dialing in, but because our external IP is appearing at the router, it is not letting us through.
This is the error message they have from their logs today:
Apr 3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local=THEIRIP, remote=OURCUSTOMERSIP,
local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
a. I'm seeing that instead of trying to negotiate /29, you're trying with /32.
Yeah, I like /32 as it's like a normal NAT router. One IP for the gateway and everything else is hidden.
The googles tell me your /29 is 172.17.123.40 - 172.17.123.47,
so that is what you have to choose as your local network to bridge.
In sonicwall land, I'd make that subnet locally and use it as the source of the vpn connection. Then you can put hosts on that network and/or use 172.17.123.40 as the gateway to nat through. So even though you are doing a /29 bridge, really you push everything as a /32
Not sure how to do that with draytek...
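The Cisco log line quoted above is the clearest evidence in this thread: the far end (the Cisco) logs its own side as local_proxy and the initiator's side as remote_proxy, and the remote_proxy it received was 172.17.123.41/255.255.255.255, i.e. a single /32 rather than the agreed 172.17.123.40/29. The same line also shows the transform set the Cisco wants, esp-aes esp-sha-hmac, which is ESP with SHA-1 integrity, so a Phase 2 proposal of "ESP without Authentication" would not match it either. Note also that 172.17.123.40/29 spans .40 to .47, with .41 through .46 usable as host addresses, and that the "no NAT detected" NAT-Traversal message is about NAT between the two VPN endpoints, not about the source NAT into the /29 that the Spanish side is asking for. The following Python is an added example, not code from the original post or from DrayTek or Cisco: it parses an IPSEC(validate_proposal_request) line, compares the proposed selectors and transform with what the thread says the far end expects, and lists the usable SNAT addresses in the /29. The sample log lines are constructed from the one quoted above (placeholders THEIRIP and OURCUSTOMERSIP kept as-is).

```python
"""Check Cisco IOS IPsec proposal-validation log lines against expected
traffic selectors and transform.  Added example for this thread; it is not
DrayTek or Cisco code.  Sample log lines are constructed from the one
quoted in the thread."""
import ipaddress
import re

# Constructed sample: the quoted line, with the forum's line breaks joined.
SAMPLE_LOG = (
    "Apr 3 08:15:32: IPSEC(validate_proposal_request): proposal part #1, "
    "(key eng. msg.) INBOUND local=THEIRIP, remote=OURCUSTOMERSIP, "
    "local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4), "
    "remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1), "
    "protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),"
)

# Constructed variant of the same line as it should look once the whole
# /29 (netmask 255.255.255.248) is proposed instead of a single /32.
SAMPLE_LOG_OK = SAMPLE_LOG.replace(
    "172.17.123.41/255.255.255.255/0/0 (type=1)",
    "172.17.123.40/255.255.255.248/0/0 (type=4)")

# Selectors the far end listed in the thread: our post-NAT /29 and their /16s.
EXPECTED_OURS = ipaddress.ip_network("172.17.123.40/29")
EXPECTED_THEIRS = {ipaddress.ip_network(n) for n in
                   ("172.19.0.0/16", "172.20.0.0/16", "172.30.0.0/16")}
# Transform the Cisco logged: AES encryption plus SHA-1 HMAC integrity.
EXPECTED_TRANSFORM = ["esp-aes", "esp-sha-hmac"]

PROXY_RE = re.compile(
    r"(local_proxy|remote_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s*\(type=(\d+)\)")
TRANSFORM_RE = re.compile(r"transform=\s*([^()]+?)\s*\((\w+)\)")


def parse_proposal(line):
    """Extract proxy IDs (as ip_network), protocol/port fields and transform."""
    out = {}
    for name, addr, mask, proto, port, typ in PROXY_RE.findall(line):
        out[name] = {
            # Cisco prints a dotted netmask; ip_network accepts that form.
            "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
            "proto": int(proto), "port": int(port), "type": int(typ),
        }
    m = TRANSFORM_RE.search(line)
    if m:
        out["transform"] = m.group(1).split()
        out["mode"] = m.group(2)
    return out


def diagnose(parsed):
    """Return a list of mismatches between the proposal and the agreed policy.
    On the responding Cisco, local_proxy is its own network and remote_proxy
    is what the initiator claimed as its network."""
    problems = []
    ours = parsed["remote_proxy"]["net"]
    theirs = parsed["local_proxy"]["net"]
    if ours != EXPECTED_OURS:
        if ours.subnet_of(EXPECTED_OURS):
            problems.append(f"initiator proposed {ours}, narrower than the agreed "
                            f"{EXPECTED_OURS}; the far end expects the whole /29")
        else:
            problems.append(f"initiator proposed {ours}, outside {EXPECTED_OURS}; "
                            "was the LAN source-NATed into the /29 before encryption?")
    if theirs not in EXPECTED_THEIRS:
        problems.append(f"responder side {theirs} is not one of the listed remote subnets")
    if parsed.get("transform") != EXPECTED_TRANSFORM:
        problems.append(f"transform {parsed.get('transform')} != {EXPECTED_TRANSFORM}; "
                        "note esp-sha-hmac means ESP *with* SHA-1 integrity")
    return problems


def snat_pool(net=EXPECTED_OURS):
    """Host addresses usable as SNAT sources: hosts() drops the network and
    broadcast addresses, so for the /29 this is .41 through .46."""
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_LOG_OK):
        print(diagnose(parse_proposal(line)) or "proposal matches expected policy")
    print("usable SNAT addresses:", snat_pool())
```

Run against the quoted line this reports exactly one problem, the /32 versus /29 selector mismatch; against the constructed /29 variant it reports none, which is the state the thread eventually reached by putting a second router on the 172.17.123.40/29 range.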
ASKER
Apparently, DrayTek are not sure about this either.
Some helpful draytek VPN links:
http://www.alexstanhope.com/blog/technology/231/getting-draytek-lan-lan-vpn-setup
http://forum.vigortek.net/viewtopic.php?f=5&t=185
ASKER
Been through that already, mate. The setup is quite complicated compared to the link. I have set those up with my eyes closed :)
I'm running out of helpful things to say here. You know what you're doing with DrayTek, I could maybe do what they want with SonicWall, but I completely side with you that it is a really weird request. Any chance they can just change their end for a /32 termination and you all can move forward with the rest of your lives?
ASKER
Right, an update. The problem still has not been sorted, but what I have done is used another old DrayTek router, given it the 172.17.123.40/29 range, and connected it to the 192.168.0.0/24 network.
The issue was that when we were dialling out it was seeing the 192.168.0.0/24 network, but now it is seeing the right network.
The error in question, because of which a connection can't be made, is that lifedur is set to 0 secs, as per the IT guy in Spain.
I cannot see anywhere on the DrayTek to set the life duration apart from Phase 1/2, which is already 3600 secs.
Nice workaround with the second router!
The only lifetime I know of are the phase 1/2 times...and I've never set those to 0.
ASKER
I thought the same. I cannot see any other lifetime values. We are having a conference call with them next week, so will post over here.
Good find. Sometimes it really is a change on their side and there isn't anything you can do about it.
ASKER
Because I did it myself.
Phase 1:
Exchange: Main Mode (this is my default)
DH group: Group 2 (this is the G2)
Encryption: AES-256 (there is also 128 and 192, guessing 256 since Phase 2 is 256)
Authentication: SHA1
Lifetime: 28800 (default)
Phase 2:
Protocol: ESP (my default)
Encryption: AES-256 (exactly what they said)
Authentication: SHA1 (assuming same as Phase 1)
Enable PFS: false (what they said, and always my default)
Lifetime: 28800 (default)