Site-to-site VPN info required

Hi,
I wonder if someone can point me in the right direction.

I am tasked with setting up a LAN-to-LAN VPN for a client and I have come across some niggly bits.

Here are the details:

Local Network is
   192.168.0.0/24

I need to dial out to a network where the other device is not a DrayTek (possibly a Cisco), and the IT guys over there have provided the following info.

IKE Pre-shared Key = I have this
Protocol = IPSec
Security Method = High (ESP) without Authentication
IKE Phase 1 = AES_SHA1_G2   <<<< is that right?
IKE Phase 2 = AES256
PFS = Disable

Remote Network IP = 172.17.123.40/29


Now, I have got most of it configured, but when I go to IKE Advanced settings so that I can change the IKE Phase 1 Proposal to AES_SHA1_G2, it's not there. It surely doesn't work on Auto.


If I keep it on Auto, I am getting this in the log:

NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected

And when I spoke to their IT people, this is what they said:

"To achieve this, typically it can be solved with source NAT, NATing your real LAN to that subnet before the encryption process."


Am I missing something?

And when I change it to a manually selected IKE Phase 1 proposal, I just get this:

Initiating IKE Main Mode to IP address

Help needed.
Asked by Kash (2nd Line Engineer)
Kash (2nd Line Engineer, author) commented:
This has now been resolved.

It was the Phase 2 SHA on the Cisco side. The Cisco was expecting a hash, while DrayTek doesn't support hashes on Phase 2.

Now resolved.
Aaron Tomosky (SD-WAN Simplified) commented:
I don't have a DrayTek, but I do have a SonicWall that I use to terminate other companies' S2S VPNs all the time. Here is how I would interpret their instructions (it's always fun, as everyone says it differently). Hope this helps.
Phase 1:
Exchange: Main Mode (this is my default)
DH group: Group 2 (this is the G2)
Encryption: AES-256 (there is also 128 and 192, guessing 256 since Phase 2 is 256)
Authentication: SHA1
Lifetime: 28800 (default)

For Phase 2:
Protocol: ESP (my default)
Encryption: AES-256 (exactly what they said)
Authentication: SHA1 (assuming same as Phase 1)
Enable PFS: false (what they said, and always my default)
Lifetime: 28800 (default)
Kash (2nd Line Engineer, author) commented:
Thanks for that.

I am in dialogue with draytek tech support.

The company on the other side has given us an IP subnet with a further 3 subnets, and they want us to encapsulate (NAT, I presume) all the traffic into the allocated network.

They can see us connecting to their network, but because the subnets don't appear to be NATing, it's not letting us through properly.
Aaron Tomosky (SD-WAN Simplified) commented:
That's how I have one of mine set up (SonicWall, though). I chose one IP, call it 10.10.100.1, and also a /24 subnet and VLAN. So anything on that subnet is automatically routed through that gateway through the VPN (which is a group of subnets on their end) and, from their end, looks to be coming from that IP. With this setup I can also make a firewall rule to allow any other IP-only network to get through the VPN as well.
Kash (2nd Line Engineer, author) commented:
You may be able to guide me in the right direction.

Our customer's network is 192.168.0.0/24.
They have a fixed WAN IP address from the ISP.

They want a LAN-to-LAN to a company in Spain (dialing out), and they have a Cisco router.

The IT at their end has told us to encapsulate all the traffic (our external IP) into the

172.17.123.40/29 network

They have also given us further subnets:
                                      172.19.0.0/16
                                      172.20.0.0/16
                                      172.30.0.0/16

They have given us the IKE passphrase with IKE Phase 1 and Phase 2 settings.

They can see us dialing in, but because our external IP is appearing at the router, it is not letting us through.

This is the error message they have from their logs today:

   Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

a. "I'm seeing that instead of trying to negotiate /29, you're trying with /32."
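The two failure modes the thread runs into, the selector (proxy ID) mismatch visible in the Cisco log above and the Phase 2 "no authentication" mismatch in the accepted answer, can both be read straight off a validate_proposal_request debug block. The following is an added example, not code from the thread or from either vendor: it parses a constructed copy of the quoted log (peer addresses kept as the post's placeholders), compares the offered selectors against what the Spanish side said it expects (assumed from the thread: our side must present exactly 172.17.123.40/29, theirs is one of the three /16s), and flags that an IOS transform set containing esp-sha-hmac cannot match a DrayTek proposal of "High (ESP) without Authentication" (assumed here to mean no ESP integrity algorithm at all).

```python
import ipaddress
import re

# Constructed sample: the Cisco IOS debug block quoted in the thread, with the
# peer addresses left as the placeholders the post used.
SAMPLE_LOG = """\
Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
"""

# Assumed from the thread: the Cisco side expects our selector to be exactly the
# allocated /29, and their side to be one of the subnets they handed over.
OUR_EXPECTED_NETWORK = ipaddress.ip_network("172.17.123.40/29")
THEIR_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("172.19.0.0/16", "172.20.0.0/16", "172.30.0.0/16")]

# "local_proxy= 172.20.0.0/255.255.0.0/0/0" -> side, address, netmask, protocol, port
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"transform=\s*(.+?)\s+\(")


def parse_proposal(log_text):
    """Extract the traffic selectors (proxy IDs) and the ESP transform set
    from one validate_proposal_request debug block."""
    proposal = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(log_text):
        # IOS prints address/netmask; strict=False tolerates host bits set.
        proposal[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    match = TRANSFORM_RE.search(log_text)
    if match:
        proposal["transform"] = match.group(1).split()
    return proposal


def check_selectors(proposal, our_network, their_networks):
    """Describe a Phase 2 selector mismatch from the Cisco's point of view:
    remote_proxy is what the initiator (the DrayTek) offered for our side,
    local_proxy is what it asked for on theirs."""
    findings = []
    offered = proposal["remote"]
    if offered != our_network:
        if offered.subnet_of(our_network):
            findings.append(
                f"remote_proxy {offered} is narrower than the agreed {our_network}: "
                "a single NATed host is being offered instead of the whole /29")
        else:
            findings.append(
                f"remote_proxy {offered} lies outside the agreed {our_network}: "
                "the LAN is not being source-NATed into the allocated subnet "
                "before encryption")
    if proposal["local"] not in their_networks:
        findings.append(
            f"local_proxy {proposal['local']} is not one of the agreed remote subnets")
    return findings


def check_phase2_auth(proposal, draytek_esp_auth):
    """The thread's eventual fix: an IOS transform set containing esp-sha-hmac
    requires an ESP integrity algorithm, so a DrayTek Phase 2 proposal with no
    ESP authentication (draytek_esp_auth=None, assumed to be what
    'High (ESP) without Authentication' selects) can never match it."""
    cisco_needs_auth = any(t.endswith("-hmac") for t in proposal["transform"])
    if cisco_needs_auth and draytek_esp_auth is None:
        return ("Cisco transform set requires ESP authentication "
                f"({' '.join(proposal['transform'])}); DrayTek Phase 2 offers none")
    return None


if __name__ == "__main__":
    parsed = parse_proposal(SAMPLE_LOG)
    for finding in check_selectors(parsed, OUR_EXPECTED_NETWORK, THEIR_NETWORKS):
        print("selector:", finding)
    auth_problem = check_phase2_auth(parsed, draytek_esp_auth=None)
    if auth_problem:
        print("phase 2:", auth_problem)
```

Run against the quoted log it reports the /32-inside-/29 selector problem the Spanish IT pointed out; swapping the remote_proxy for 192.168.0.0/255.255.255.0 reproduces the earlier "raw LAN, no NAT" attempt, and an offer of exactly 172.17.123.40/255.255.255.248 produces no selector findings, leaving only the ESP authentication mismatch to fix.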
Aaron Tomosky (SD-WAN Simplified) commented:
Yeah, I like /32, as it's like a normal NAT router: one IP for the gateway and everything else is hidden.
The Googles tell me your /29 is 172.17.123.40 - 172.17.123.47,
so that is what you have to choose as your local network to bridge.
In SonicWall land, I'd make that subnet locally and use it as the source of the VPN connection. Then you can put hosts on that network and/or use 172.17.123.40 as the gateway to NAT through. So even though you are doing a /29 bridge, really you push everything as a /32.
Not sure how to do that with DrayTek...
Kash (2nd Line Engineer, author) commented:
Apparently, DrayTek are not sure about this either.
Kash (2nd Line Engineer, author) commented:
Been through that already, mate. The setup is quite complicated compared to the link. I have set up those with my eyes closed :)
Aaron Tomosky (SD-WAN Simplified) commented:
I'm running out of helpful things to say here. You know what you're doing with DrayTek; I could maybe do what they want with SonicWall, but I completely side with you that it is a really weird request. Any chance they can just change their end to a /32 termination and you can all move forward with the rest of your lives?
Kash (2nd Line Engineer, author) commented:
Right, an update. The problem still has not been sorted, but what I have done is use another old DrayTek router, give it the 172.17.123.40/29 range, and connect it to the 192.168.0.0/24 network.

The issue was that when we were dialling out, it was seeing the 192.168.0.0/24 network, but now it is seeing the right network.

The error in question, because of which a connection can't be made, is that lifedur is set to 0 secs, as per the IT guy in Spain.

I cannot see anywhere on the DrayTek to set life duration apart from Phase 1/2, which is already 3600 secs.
Aaron Tomosky (SD-WAN Simplified) commented:
Nice workaround with the second router!
The only lifetimes I know of are the Phase 1/2 times... and I've never set those to 0.
Kash (2nd Line Engineer, author) commented:
I thought the same. I cannot see any other lifetime values. We are having a conference call with them next week, so I will post over here.
Aaron Tomosky (SD-WAN Simplified) commented:
Good find. Sometimes it really is a change on their side and there isn't anything you can do about it.
Kash (2nd Line Engineer, author) commented:
Because I did it myself.