DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2860 - Working IPSEC remote dial-in with linux client
29 Jul 2015 23:50 #83999
by rondr
2860 - Working IPSEC remote dial-in with linux client was created by rondr
Hello,
I'm working on setting up IPsec remote dial-in (road warrior) with a Linux client. It is hard to set up and not finished at the moment.
But I'm writing here what is working for me at the moment.
My router is a 2860, FW 3.7.8.1.
Below, moon is the nickname for the DrayTek 2860 router and carol for the road warrior.
DrayTek
User account and Authentication
  [x] Enable this account
Allowed Dial-In Type
  [x] IPsec Tunnel
  [x] Specify Remote Node
      Peer ID: carol
Netbios Naming Packet: Pass
Multicast via VPN: Block
Subnet: LAN 4
IKE Authentication Method
  [x] Pre-Shared Key
      IKE Pre-Shared Key: (enter your pre-shared key)
IPsec Security Method
  High (ESP): [x] DES  [x] 3DES  [x] AES
Local ID (optional): moon
ShrewSoft 2.2.1 (ike-qtgui)
From the guide (now quite lost) "IPSec-VPN mit dem Shrew Soft VPN Client zu einem Vigor-Router" (IPsec VPN with the Shrew Soft VPN client to a Vigor router): http://www.draytek.de/ipsec-vpn-mit-dem-shrew-soft-vpn-client-zu-einem-vigor-router.html
Here is my Shrew Soft ~/.ike/sites/wansupport file configuration:
Code:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-wins-used:0
n:client-wins-auto:1
n:client-dns-used:0
n:client-dns-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:phase1-dhgroup:2
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:128
n:phase2-keylen:128
b:auth-mutual-psk:(encoded pre-shared key; enter it properly through the Shrew Soft GUI)
n:phase2-pfsgroup:-1
n:client-dns-suffix-auto:1
s:network-host:(fqdn to moon)
s:client-auto-mode:pull
s:client-iface:virtual
s:client-ip-addr:192.168.4.20
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk
s:ident-client-type:fqdn
s:ident-client-data:carol
s:ident-server-type:fqdn
s:ident-server-data:moon
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
s:policy-level:auto
s:policy-list-include:192.168.4.0 / 255.255.255.0
Results:
carol $ ping 192.168.4.1 (moon) OK
carol $ ping 192.168.4.8 (an other computer on LAN4) OK
29 Jul 2015 23:51 #84000
by rondr
Replied by rondr on topic Re: 2860 - Working IPSEC remote dial-in with linux client
Part 2
Strongswan
Based on that, I tried to do the same with strongSwan (`ipsec version` -> Linux strongSwan U5.2.1/K4.0.9-v7+). It runs on a Raspberry Pi. I upgraded strongSwan from the standard distribution. But if I succeed in making it run exactly as I want, I will try with the Raspbian strongSwan 4.5.
Here are my configuration files:
/etc/ipsec.conf
Code:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn c02
    # LEFT: this client (carol); no 'left=' given, so the local address is used
    leftid=carol
    # RIGHT: the DrayTek 2860 (moon) and the LAN4 subnet behind it
    right=(fqdn to moon)
    rightsubnet=192.168.4.0/24
    rightid=moon
    #
    # IKEv1 aggressive mode with a pre-shared key, matching the DrayTek dial-in profile
    keyexchange=ikev1
    authby=psk
    aggressive=yes
    auto=start
/etc/ipsec.secrets
Code:
0.0.0.0 : PSK "(Preshared Key)"
Results:
carol $ ping 192.168.4.1 (moon) OK
carol $ ping 192.168.4.8 (an other computer on LAN4) OK
What I would like to do
I would like the client to get a new IP address on the VPN network, assigned by the router.
At the moment,
Shrew Soft gives the client a new IP address on the VPN network, which in my example is set to a fixed 192.168.4.20. Every attempt to get an address assigned by the router failed.
strongSwan doesn't change the IP address; it is the local address of carol that is used. Every attempt to set a fixed address, or to get one assigned by the router, failed, e.g. with
Code:
leftsourceip=192.168.4.20
or
Code:
leftsourceip=%config
What could be wrong?
Perhaps a clue comes from the fact that only "ike config pull" works.
I'll try to find out more. My VPN knowledge is weak; more often I progress by trial and error.
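The Shrew Soft site file in the first post and the strongSwan ipsec.conf in the second describe the same IKEv1 road-warrior tunnel to the 2860, so the same settings deserve the same scrutiny before the tunnel is used in anger. The Python below is an added example, not the poster's code and not anything shipped by DrayTek, Shrew Soft or strongSwan: it parses both file formats, reduces each to the handful of phase 1 and phase 2 settings that matter, and flags the weak ones (IKEv1 aggressive mode with a pre-shared key, a 1024-bit DH group, no PFS) plus the DES/3DES ciphers the router's "IPsec Security Method" checkboxes leave enabled. The embedded inputs are constructed, trimmed copies of the posted files with the hostname replaced by the made-up vpn.example.org; reading Shrew Soft's phase2-pfsgroup value of -1 as "PFS disabled" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: trimmed copies of the configs posted above, hostname made up.
SHREW_SITE = """\
n:phase1-dhgroup:2
n:phase2-pfsgroup:-1
n:phase1-keylen:128
s:network-host:vpn.example.org
s:auth-method:mutual-psk
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:policy-list-include:192.168.4.0 / 255.255.255.0
"""
IPSEC_CONF = """\
conn c02
    leftid=carol
    right=vpn.example.org
    keyexchange = ikev1
    authby=psk
    aggressive = yes
"""
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
WEAK_CIPHERS = {"des", "3des"}

def parse_shrew_site(text):
    """Shrew Soft site file: 'type:key:value' per line; n = integer, s = string, b = blob."""
    site = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, key, value = line.split(":", 2)
        site[key] = int(value) if kind == "n" else value
    return site

def parse_ipsec_conf(text):
    """ipsec.conf: section headers at column 0 ('conn NAME'), indented key=value lines below."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                     # section header
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.partition("=")          # tolerates 'key = value'
        current[key.strip()] = value.strip()
    return sections

def split_proposal(proposal):
    """First strongSwan proposal 'cipher-integrity-dh' as a 3-tuple, 'default' if a part is missing."""
    parts = proposal.split(",")[0].rstrip("!").split("-")
    return tuple((parts + ["default"] * 3)[:3])

@dataclass
class IkeProfile:
    source: str
    exchange: str          # "main" or "aggressive"
    auth: str              # "psk", "pubkey", ...
    phase1_cipher: str
    dh_group: str
    pfs: Optional[bool]    # None: daemon default, not visible in the file

def profile_from_shrew(site):
    return IkeProfile(
        source="shrewsoft site " + site["network-host"],
        exchange=site["phase1-exchange"],
        auth="psk" if site["auth-method"] == "mutual-psk" else site["auth-method"],
        phase1_cipher="%s%d" % (site["phase1-cipher"], site["phase1-keylen"]),
        dh_group="modp%d" % DH_BITS[site["phase1-dhgroup"]],
        pfs=site["phase2-pfsgroup"] != -1,  # assumption: -1 is Shrew Soft's "PFS disabled"
    )

def profile_from_conn(name, conn):
    cipher, _hash, dh = split_proposal(conn["ike"]) if "ike" in conn else ("default",) * 3
    esp_dh = split_proposal(conn["esp"])[2] if "esp" in conn else None
    return IkeProfile(
        source="strongswan conn " + name,
        exchange="aggressive" if conn.get("aggressive") == "yes" else "main",
        auth=conn.get("authby", "pubkey"),
        phase1_cipher=cipher, dh_group=dh,
        pfs=None if esp_dh is None else esp_dh != "default",  # PFS means a DH group in esp=
    )

def audit(profile):
    """Findings for one profile; an empty list means nothing was flagged."""
    findings = []
    if profile.exchange == "aggressive" and profile.auth in ("psk", "secret"):
        findings.append("IKEv1 aggressive mode + PSK: auth hashes sent in clear, PSK crackable offline")
    if profile.phase1_cipher.rstrip("0123456789") in WEAK_CIPHERS:
        findings.append("weak phase 1 cipher " + profile.phase1_cipher)
    if profile.dh_group in ("modp768", "modp1024"):
        findings.append("DH group %s is below 2048 bits" % profile.dh_group)
    if profile.pfs is False:
        findings.append("no PFS: a recovered IKE SA key exposes every ESP session under it")
    return findings

def audit_router_methods(enabled):
    """DrayTek 'IPsec Security Method' checkboxes: weak ciphers the router would still accept."""
    return [m for m in ("DES", "3DES") if m in enabled]
```

Feed `parse_shrew_site` a file from ~/.ike/sites and `parse_ipsec_conf` your /etc/ipsec.conf, then pass the resulting profiles to `audit`. Two things the findings point at: the posted conn sets no `ike=` or `esp=` proposal, so its cipher, hash and DH group are reported as "default" because they are whatever that strongSwan build negotiates, and pinning them explicitly (with a DH group in `esp=` for PFS) removes the guesswork. And in IKEv1 aggressive mode both peers' PSK-keyed authentication hashes travel unencrypted, which is what lets a passive capture be cracked offline; main mode hides them but, for a road warrior with a PSK, only works if every client shares one key, since the initiator's ID is encrypted before the responder can look up a per-user secret. Per-user identities therefore really want certificates (or IKEv2), and unticking DES and 3DES on the router side costs nothing since both clients already propose AES.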
Moderators: Chris, Sami
Copyright © 2024 DrayTek