Solved

site to site VPN info required

Posted on 2014-03-26
Last Modified: 2014-05-04
Hi,
I wonder if someone can point me in the right direction.

I am tasked with setting up a LAN-to-LAN VPN for a client and I have come across some niggly bits.

Here are the details:

Local network is 192.168.0.0/24

I need to dial out to a network where the other device is not a Draytek (possibly a Cisco) and the IT guys over there have provided the following info.

IKE Preshared Key = I have this
Protocol = IPSec
Security Method = High (ESP) without Authentication
IKE Phase1 = AES_SHA1_G2   <<<< is that right?
IKE Phase2 = AES256
PFS = Disable

Remote Network IP = 172.17.123.40/29

Now I have got most of it configured, but when I go to IKE Advanced settings so that I can change the IKE Phase 1 Proposal to AES_SHA1_G2, it's not there. It surely doesn't work on Auto.

If I keep it on Auto, I am getting this in the log:

NAT-Traversal: Using draft-ietf-ipsec-nat-t-ike-02/03, no NAT detected

And when I spoke to their IT people, this is what they said:

To achieve this, typically can be solved with source NAT, natting your real LAN to that subnet before the encryption process.

Am I missing something?

And when I change it to a manually selected IKE Phase 1 proposal, then I just get this:

Initiating IKE Main Mode to IP address

Help needed.
Question by:Kash
15 Comments

Expert Comment by Aaron Tomosky (ID: 39959630)
I don't have a Draytek but I do have a SonicWall that I use to terminate other companies' S2S VPNs all the time. Here is how I would interpret their instructions (it's always fun as everyone says it differently). Hope this helps.

Phase 1:
exchange: Main Mode (this is my default)
DH group: Group 2 (this is the G2)
Encryption: AES-256 (there is also 128 and 192, guessing 256 since Phase 2 is 256)
Authentication: SHA1
Lifetime: 28800 (default)

For Phase 2:
Protocol: ESP (my default)
Encryption: AES-256 (exactly what they said)
Authentication: SHA1 (assuming same as Phase 1)
Enable PFS: false (what they said, and always my default)
Lifetime: 28800 (default)

Author Comment by Kash (ID: 39972335)
Thanks for that.

I am in dialogue with Draytek tech support.

The company on the other side has given us an IP subnet with a further 3 subnets and they want us to encapsulate (NAT, I presume) all the traffic into the allocated network.

They can see us connecting to their network, but because the subnets don't appear to be NAT'ing, it's not letting us through properly.

Expert Comment by Aaron Tomosky (ID: 39972492)
That's how I have one of mine set up (SonicWall though). I chose one IP, call it 10.10.100.1, and also a /24 subnet and VLAN. So anything on that subnet is automatically routed through that gateway through the VPN (which is a group of subnets on their end) and from their end, looks to be coming from that IP. With this setup I can also make a firewall rule to allow any other IP-only network to get through the VPN as well.

Author Comment by Kash (ID: 39974413)
You may be able to guide me in the right direction.

Our customer's network is 192.168.0.0/24; they have a fixed WAN IP address from the ISP.

They are wanting a LAN-LAN to a company in Spain (dialing out) and they have a Cisco router.

The IT at their end has told us to encapsulate all the traffic (our external IP) into the 172.17.123.40/29 network.

They have also given us further subnets:
  172.19.0.0/16
  172.20.0.0/16
  172.30.0.0/16

They have given us the IKE passphrase with IKE Phase 1 and Phase 2 settings.

They can see us dialing in, but because our external IP is appearing to the router, it is not letting us through.

This is the error message they have from their logs today:

   Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

a.      I'm seeing that instead of trying to negotiate /29, you're trying with /32.

Expert Comment by Aaron Tomosky (ID: 39975870)
Yeah, I like /32 as it's like a normal NAT router: one IP for the gateway and everything else is hidden.
The Googles tell me your /29 is 172.17.123.40 - 172.17.123.47,
so that is what you have to choose as your local network to bridge.
In SonicWall land, I'd make that subnet locally and use it as the source of the VPN connection. Then you can put hosts on that network and/or use 172.17.123.40 as the gateway to NAT through. So even though you are doing a /29 bridge, really you push everything as a /32.
Not sure how to do that with Draytek...

Author Comment by Kash (ID: 39991248)
Apparently, Draytek are not sure about this either.

Expert Comment by Aaron Tomosky (ID: 39991758)

Author Comment by Kash (ID: 39994002)
Been already through that, mate. The setup is quite complicated as compared to the link. I have set up those with my eyes closed :)

Expert Comment by Aaron Tomosky (ID: 39994329)
I'm running out of helpful things to say here. You know what you're doing with Draytek, I could maybe do what they want with SonicWall, but I completely side with you that it is a really weird request. Any chance they can just change their end for a /32 termination and you all can move forward with the rest of your lives?

Author Comment by Kash (ID: 40006200)
Right, an update. The problem still has not been sorted, but what I have done is used another old Draytek router and gave it the 172.17.123.40/29 range, and it is connected to the 192.168.0.0/24 network.

The issue was that when we were dialling out it was seeing the 192.168.0.0/24 network, but now it is seeing the right network.

The error in question, because of which a connection can't be made, is that lifedur is set to 0 secs, as per the IT guy in Spain.

I cannot see anywhere on the Draytek to set life duration apart from Phase 1/2, which is already 3600 secs.

Expert Comment by Aaron Tomosky (ID: 40006965)
Nice workaround with the second router!
The only lifetimes I know of are the Phase 1/2 times... and I've never set those to 0.

Author Comment by Kash (ID: 40024243)
I thought the same. I cannot see any other lifetime values. We are having a conference call with them next week, so will post over here.

Accepted Solution by Kash (earned 0 total points, ID: 40029756)
This has now been resolved.

It was the Phase 2 SHA on the Cisco side. The Cisco was expecting a hash, while Draytek doesn't support hashes on Phase 2.

Now resolved.
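As an added example (not code from this thread, Draytek or Cisco), a small Python checker that parses the Cisco `IPSEC(validate_proposal_request)` log lines quoted earlier in the thread, compares the proxy IDs the Cisco saw against the selectors agreed on paper (the /29 versus /32 mismatch Aaron pointed out), and flags a transform set that requires an ESP authentication hash when the peer proposes ESP without authentication (the Phase 2 mismatch this accepted solution describes). The sample log is the thread's own text assembled into one constructed record; `peer_offers_esp_auth` is a hypothetical parameter standing in for what the Draytek side proposes.

```python
import ipaddress
import re

# Constructed sample: the Cisco log lines quoted in the thread, joined into one record.
SAMPLE_LOG = """Apr  3 08:15:32: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=THEIRIP, remote= OURCUSTOMERSIP,
    local_proxy= 172.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.17.123.41/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),"""

# IOS prints each proxy ID (traffic selector) as address/mask/protocol/port.
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"transform=\s*([^(]+)\(")


def parse_proposal(log: str) -> dict:
    """Pull the two proxy IDs and the transform set out of one log record."""
    found = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(log):
        # ipaddress accepts dotted masks, so .41/255.255.255.255 becomes a /32
        found[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    match = TRANSFORM_RE.search(log)
    found["transform"] = match.group(1).split() if match else []
    return found


def selector_range(cidr: str) -> tuple:
    """First and last address a selector covers, e.g. the /29 the remote end expects."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def check_proposal(log: str, cisco_local: str, cisco_remote: str,
                   peer_offers_esp_auth: bool) -> list:
    """Return the reasons the Cisco side would reject this Phase 2 proposal.

    cisco_local / cisco_remote are the selectors agreed on paper, seen from the
    Cisco side (its 'local' is the far-end network, its 'remote' is ours).
    peer_offers_esp_auth (hypothetical flag): True if our router proposes ESP
    with an authentication hash (esp-*-hmac), False if it proposes ESP only.
    """
    seen = parse_proposal(log)
    problems = []
    for side, agreed in (("local", cisco_local), ("remote", cisco_remote)):
        want = ipaddress.ip_network(agreed)
        if seen.get(side) != want:
            problems.append(f"{side}_proxy {seen.get(side)} does not match agreed {want}")
    needs_hash = any(t.endswith("-hmac") for t in seen["transform"])
    if needs_hash and not peer_offers_esp_auth:
        problems.append("transform " + " ".join(seen["transform"])
                        + " requires ESP authentication the peer does not offer")
    return problems
```

Running `check_proposal(SAMPLE_LOG, "172.20.0.0/16", "172.17.123.40/29", False)` reports both the /32-versus-/29 selector mismatch and the missing ESP hash, which are the two faults the thread worked through.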

Expert Comment by Aaron Tomosky (ID: 40029845)
Good find. Sometimes it really is a change on their side and there isn't anything you can do about it.

Author Closing Comment by Kash (ID: 40040158)
Because I did it myself.