Solved

site to site VPN info required

Posted on 2014-03-26
Last Modified: 2014-05-04
Hi,
I wonder if someone can point me in the right direction.

I am tasked with setting up a LAN-to-LAN VPN for a client and I have come across some niggly bits.

Here are the details:

Local Network is
   192.168.0.0/24

I need to dial out to a network where the other device is not a DrayTek (possibly a Cisco), and the IT guys over there have provided the following info.

IKE Preshared Key = I have this
Protocol = IPSec
Security Method = High (ESP) without Authentication
IKE Phase 1 = AES_SHA1_G2   <<<< is that right?
IKE Phase 2 = AES256
PFS = Disable

Remote Network IP= 172.17.123.40/29


Now I have got most of it configured, but when I go to IKE Advanced settings so that I can change the IKE Phase 1 Proposal to AES_SHA1_G2, it's not there. It surely doesn't work on Auto.


If I keep it on Auto, I am getting this in the log:

NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected

And when I spoke to their IT people, this is what they said:

To achieve this, it can typically be solved with source NAT, NATing your real LAN to that subnet before the encryption process.


Am I missing something?

And when I change it to a manually selected IKE Phase 1 proposal, I just get this:

Initiating IKE Main Mode to IP address

Help needed.
Question by: Kash

15 Comments
 
Expert Comment by Aaron Tomosky (LVL 38):
I don't have a DrayTek but I do have a SonicWall that I use to terminate other companies' S2S VPNs all the time. Here is how I would interpret their instructions (it's always fun as everyone says it differently). Hope this helps.

Phase 1:
Exchange: Main Mode (this is my default)
DH group: Group 2 (this is the G2)
Encryption: AES-256 (there is also 128 and 192, guessing 256 since Phase 2 is 256)
Authentication: SHA1
Lifetime: 28800 (default)

For Phase 2:
Protocol: ESP (my default)
Encryption: AES-256 (exactly what they said)
Authentication: SHA1 (assuming same as Phase 1)
Enable PFS: false (what they said, and always my default)
Lifetime: 28800 (default)
Author Comment by Kash (LVL 19):
Thanks for that.

I am in dialogue with DrayTek tech support.

The company on the other side has given us an IP subnet with a further 3 subnets, and they want us to encapsulate (NAT, I presume) all the traffic into the allocated network.

They can see us connecting to their network, but because the subnets don't appear to be NATing, it's not letting us through properly.
Expert Comment by Aaron Tomosky (LVL 38):
That's how I have one of mine set up (SonicWall though). I chose one IP, call it 10.10.100.1, and also a /24 subnet and VLAN. So anything on that subnet is automatically routed through that gateway through the VPN (which is a group of subnets on their end) and, from their end, looks to be coming from that IP. With this setup I can also make a firewall rule to allow any other IP only network get through the VPN as well.
Author Comment by Kash (LVL 19):
You may be able to guide me in the right direction.

Our customer's network is 192.168.0.0/24.
They have a fixed WAN IP address from the ISP.

They are wanting a LAN-to-LAN to a company in Spain (dialing out) and they have a Cisco router.

The IT at their end has told us to encapsulate all the traffic (our external IP) into the

172.17.123.40/29 network

They have also given us further subnets:
  172.19.0.0/16
  172.20.0.0/16
  172.30.0.0/16

They have given us the IKE passphrase with IKE Phase 1 and Phase 2 settings.

They can see us dialing in, but because our external IP is appearing to the router, it is not letting us through.

This is the error message they have from their logs today:

   Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

I'm seeing that instead of trying to negotiate /29, you're trying with /32.
Expert Comment by Aaron Tomosky (LVL 38):
Yeah, I like /32 as it's like a normal NAT router. One IP for the gateway and everything else is hidden.
The Googles tell me your /29 is 172.17.123.40 - 172.17.123.47,
so that is what you have to choose as your local network to bridge.
In SonicWall land, I'd make that subnet locally and use it as the source of the VPN connection. Then you can put hosts on that network and/or use 172.17.123.40 as the gateway to NAT through. So even though you are doing a /29 bridge, really you push everything as a /32.
Not sure how to do that with DrayTek...
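The /29 range Aaron looked up and the /29-versus-/32 proxy-ID mismatch the Spanish admin spotted in the Cisco log, as an added worked example (Python, written for this page; not code from the thread, DrayTek or Cisco): it pulls the `local_proxy`/`remote_proxy` fields out of the quoted log lines, converts the dotted netmasks to CIDR, checks each against the network the two teams agreed on, and shows why a /24 LAN cannot be mapped one-to-one into a /29, which is why everything ends up behind a single address (Aaron's /32). The log text is the thread's own lines embedded as a constructed sample, placeholders included; the agreed networks are the values from Kash's posts.

```python
# Added example, not from the thread: read the proxy IDs (traffic selectors)
# out of a Cisco IOS IPSEC(validate_proposal_request) log fragment and compare
# them with the networks the two sides agreed on.
import ipaddress
import re

# Constructed sample: the log lines quoted in the thread, placeholders kept.
CISCO_LOG = """\
Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
"""

# IOS prints a proxy as address/netmask/protocol/port; only the first two matter here.
PROXY_RE = re.compile(
    r"(local_proxy|remote_proxy)=\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/"
)


def parse_proxies(log):
    """{'local_proxy': IPv4Network, 'remote_proxy': IPv4Network} from the log text."""
    return {
        name: ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        for name, addr, mask in PROXY_RE.findall(log)
    }


def address_range(cidr):
    """First and last address of a block: '172.17.123.40/29' -> ('172.17.123.40', '172.17.123.47')."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def check_proxy_ids(log, agreed_remote, agreed_local):
    """Compare the offered selectors with the agreed networks, seen from the Cisco side
    (remote = the DrayTek side's LAN as agreed, local = the Cisco side's LAN).
    Returns a list of (selector, verdict) pairs; an empty list means both match."""
    offered = parse_proxies(log)
    agreed = {
        "remote_proxy": ipaddress.IPv4Network(agreed_remote, strict=False),
        "local_proxy": ipaddress.IPv4Network(agreed_local, strict=False),
    }
    findings = []
    for name, want in agreed.items():
        got = offered.get(name)
        if got is None:
            findings.append((name, "missing from log"))
        elif got == want:
            continue
        elif got.subnet_of(want):
            # the thread's case: a /32 offered where a /29 was agreed
            findings.append((name, f"offered {got} is narrower than agreed {want}"))
        else:
            findings.append((name, f"offered {got} does not match agreed {want}"))
    return findings


def one_to_one_nat_fits(lan_cidr, allocated_cidr):
    """Can every host of the LAN get its own address in the allocated block?
    If not, the LAN has to be overloaded behind one address, the /32 Aaron describes."""
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    alloc = ipaddress.IPv4Network(allocated_cidr, strict=False)
    return lan.num_addresses <= alloc.num_addresses


if __name__ == "__main__":
    print("agreed /29 covers", address_range("172.17.123.40/29"))
    for sel, verdict in check_proxy_ids(CISCO_LOG, "172.17.123.40/29", "172.20.0.0/16"):
        print(sel, "->", verdict)
    print("1:1 NAT of 192.168.0.0/24 into the /29 possible:",
          one_to_one_nat_fits("192.168.0.0/24", "172.17.123.40/29"))
```

Run against the thread's values, the only finding is the `remote_proxy` one: the DrayTek side is offering 172.17.123.41/32 while the agreed selector is 172.17.123.40/29, and the 256-address LAN plainly cannot be mapped one-to-one into an 8-address block, so whatever NAT is put in front of the tunnel is going to hide the LAN behind one address anyway.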
 
Author Comment by Kash (LVL 19):
Apparently, DrayTek are not sure about this either.
Expert Comment by Aaron Tomosky (LVL 38):
Author Comment by Kash (LVL 19):
Been already through that, mate. The setup is quite complicated as compared to the link. I have set up those with my eyes closed :)
Expert Comment by Aaron Tomosky (LVL 38):
I'm running out of helpful things to say here. You know what you're doing with DrayTek, I could maybe do what they want with SonicWall, but I completely side with you that it is a really weird request. Any chance they can just change their end for a /32 termination and you all can move forward with the rest of your lives?
Author Comment by Kash (LVL 19):
Right, an update. The problem still has not been sorted, but what I have done is used another old DrayTek router, given it the 172.17.123.40/29 range, and it is connected to the 192.168.0.0/24 network.

The issue was that when we were dialling out it was seeing the 192.168.0.0/24 network, but now it is seeing the right network.

The error in question, because of which a connection can't be made, is that lifedur is set to 0 secs, as per the IT guy in Spain.

I cannot see anywhere on the DrayTek to set the life duration apart from Phase 1/2, which is already 3600 secs.
Expert Comment by Aaron Tomosky (LVL 38):
Nice workaround with the second router!
The only lifetimes I know of are the Phase 1/2 times... and I've never set those to 0.
Author Comment by Kash (LVL 19):
I thought the same. I cannot see any other lifetime values. We are having a conference call with them next week, so will post over here.
Accepted Solution by Kash (LVL 19, earned 0 total points):
This has now been resolved.

It was the Phase 2 SHA on the Cisco side. The Cisco was expecting a hash, while DrayTek don't support hashes on Phase 2.

Now resolved.
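How the resolution maps onto the proposals, as an added example (Python, written for this page; not the thread's code and not DrayTek's or Cisco's): it normalises Aaron's reading of the Phase 1 shorthand, the Phase 2 settings from the question, and the Cisco `transform=` string from the log into one vocabulary and lists every field that differs. With the thread's values the only hard Phase 2 mismatch it reports is integrity: the DrayTek side offers ESP without an integrity hash while the Cisco transform set carries `esp-sha-hmac`, which is exactly what the accepted solution found. The parsing rules are assumptions and are marked as such in the code: the `_`-separated DrayTek shorthand, `without Authentication` meaning no ESP integrity algorithm, and the IOS habit of writing the AES key size as a separate token (`esp-aes 256`).

```python
# Added example, not from the thread: normalise both sides' IKE proposals into
# one vocabulary and report the fields that differ. Parsing rules are assumptions.

# Cisco IOS integrity transform names -> common vocabulary (assumed mapping,
# covering the HMAC transforms most often seen in IOS transform sets).
CISCO_INTEGRITY = {
    "esp-sha-hmac": "sha1",
    "esp-sha256-hmac": "sha256",
    "esp-md5-hmac": "md5",
}


def parse_draytek_phase1(text):
    """'AES_SHA1_G2' -> {'encryption': 'aes', 'integrity': 'sha1', 'dh_group': 2}.

    Assumes the DrayTek shorthand is <encryption>_<hash>_G<group>, as in the question.
    """
    enc, hsh, grp = text.strip().upper().split("_")
    return {"encryption": enc.lower(), "integrity": hsh.lower(),
            "dh_group": int(grp.lstrip("G"))}


def parse_draytek_phase2(security_method, encryption):
    """'High (ESP) without Authentication', 'AES256' -> phase 2 dict.

    'without Authentication' is read as ESP with no integrity (hash) algorithm,
    which is the reading the thread's resolution supports.
    """
    method = security_method.upper()
    return {
        "protocol": "esp" if "(ESP)" in method else "ah",
        "encryption": encryption.lower().replace("-", "").replace(" ", ""),
        "integrity": "none" if "WITHOUT AUTHENTICATION" in method else "unspecified",
    }


def parse_cisco_transform(transform):
    """'esp-aes esp-sha-hmac' -> {'protocol': 'esp', 'encryption': 'aes', 'integrity': 'sha1'}.

    The AES key size is taken from a following numeric token, as in the IOS
    transform-set syntax 'esp-aes 256'; a bare 'esp-aes' is left as 'aes'.
    """
    result = {"protocol": "esp", "encryption": "none", "integrity": "none"}
    tokens = transform.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in CISCO_INTEGRITY:
            result["integrity"] = CISCO_INTEGRITY[tok]
        elif tok.endswith("-hmac"):
            result["integrity"] = tok  # unknown HMAC transform: keep the raw name
        elif tok.startswith("esp-"):
            enc = tok[len("esp-"):]
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                enc += tokens[i + 1]
                i += 1
            result["encryption"] = enc
        i += 1
    return result


def diff_proposals(ours, theirs, fields):
    """[(field, ours, theirs)] for every field whose two values differ."""
    return [(f, ours.get(f), theirs.get(f)) for f in fields
            if ours.get(f) != theirs.get(f)]


def same_cipher_family(a, b):
    """'aes' vs 'aes256': same cipher, key size simply unstated on one side."""
    return a.rstrip("0123456789") == b.rstrip("0123456789")


def thread_phase1_mismatches():
    """Kash's Phase 1 shorthand vs Aaron's interpretation of it (AES-256 / SHA1 / group 2)."""
    ours = parse_draytek_phase1("AES_SHA1_G2")
    aaron = {"encryption": "aes256", "integrity": "sha1", "dh_group": 2}
    return diff_proposals(ours, aaron, ("encryption", "integrity", "dh_group"))


def thread_phase2_mismatches():
    """The DrayTek Phase 2 settings from the question vs the Cisco log's transform set."""
    ours = parse_draytek_phase2("High (ESP) without Authentication", "AES256")
    theirs = parse_cisco_transform("esp-aes esp-sha-hmac")
    return diff_proposals(ours, theirs, ("protocol", "encryption", "integrity"))


if __name__ == "__main__":
    for label, findings in (("phase 1", thread_phase1_mismatches()),
                            ("phase 2", thread_phase2_mismatches())):
        for field, a, b in findings:
            note = ""
            if field == "encryption" and same_cipher_family(a, b):
                note = " (same cipher family, confirm key size)"
            print(f"{label} {field}: DrayTek={a} Cisco={b}{note}")
```

Phase 1 only differs in the unstated AES key size, which is the guess Aaron flagged in his reading; Phase 2 differs on integrity (`none` versus `sha1`), and that is the field the Cisco side had to change.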
 
Expert Comment by Aaron Tomosky (LVL 38):
Good find. Sometimes it really is a change on their side and there isn't anything you can do about it.
Author Closing Comment by Kash (LVL 19):
Because I did it myself.