A good find

Also you would need to be able to specify an IP range (or a subnet mask) because this well known hacker uses a range of IPs.

This is him



I can't tell how far he is getting, from this. Is "IKE" always IPSEC? That is used in L2TP (which I have enabled again, to see if the reboots return, and they have) and in the IPSEC site-site VPN. I could config the site-site one to accept connections only from the caller IP.

This is him hacking my home 2955, also at night as usual



I have not been able to tie up reboot times with this hacker though. The syslog messages I saw around then, which I will post next time, indicate that the router may be rebooting due to an incoming VPN call not being able to be tied up to any VPN profile.

A pity Draytek have gone silent on the post-crash memory location data I sent them. They must know what is causing this.

What is "main mode"?

Based on this
https://www.draytek.com/en/faq/faq-vpn/vpn.others/why-the-vpn-connection-cannot-be-established/
it looks like no successful key exchange is being achieved, because both incomings from those IPs result in a left pointing arrow only.. I wonder if he is hacking the site-site VPN or the L2TP VPN? Edit: it must be L2TP because the site-site VPN is set to Aggressive Mode. On the teleworker VPNs there is no setting for Main or Aggressive.

peter-h wrote: What is "main mode"?

The description here sounds reasonable ...

There's an interesting phrase on that web page :-

Cisco wrote: The first exchange between nodes establishes the basic security policy; the initiator proposes the encryption and authentication algorithms it is willing to use.

Which I assume is the reason that the latest version of the Greenbow client, will no longer connect to the 2830 (despite Draytek's example being for the 2830!)

(I recently converted my web site - such as it is - to use HTTPS. It turned out that just enabling HTTPS wasn't enough for Google Chrome to declare it 'secure'. I had to jump through all sorts of hoops rearranging the order of the cipher algorthims and deleting others. I hadn't realised that this was even possible ... I naively thought these things were all standards-based and pre-ordained. Clearly not!

As an aside, don't forget that with L2TP/IPSec, the IPSec part is established first and L2TP happens over that IPSec connection. You probably already knew that, but worth saying out loud anyway
I've not tried it, but I bet it's possible for the Vigor to match the IPSec key from one Dial-in User Profile and the L2TP credentials from another; It's definitely possible when using certificates.

I wrote: I've not tried it, but I bet it's possible for the Vigor to match the IPSec key from one Dial-in User Profile and the L2TP credentials from another; It's definitely possible when using certificates.

I'm losing my marbles :oops: ... I have tried it ... and I know it falls at the first hurdle. Aggressive mode from an Android 8.0 client with a PSK doesn't work ... that's the whole reason I was looking at the Greenbow Client :?

Android 8.0 Aggressive Mode L2TP/IPSec PSK

Code:

16:01:54 Responding to Aggressive Mode from 82.132.244.67 16:01:54 Find Phase1 proposal: SHA2_256 16:01:54 Find Phase1 proposal: SHA2_256 16:01:54 Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA 16:01:57 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0 It repeats a few times, but proceeds no further.

How do you enable Aggressive mode on a teleworker VPN? I see no such config in the 2955. I do see that config option in the global IPSEC config...

I have just done an L2TP dial-in from Vodafone 4G (that's the IP you see below) using an android 6.0 phone (Samsung S7), and I get this

peter-h wrote: How do you enable Aggressive mode on a teleworker VPN? I see no such config in the 2955. I do see that config option in the global IPSEC config...

The choice of mode is done at the client end. The Android client (at least on my Huawei P9) uses Main Mode, unless you put 'something' in the"IPSEC Secret (Not Used)" field. (I don't understand how Main Mode works in this scenario, because all the documentation says you need a fixed IP address).

When you trigger Aggressive Mode for a site-to-site VPN, the Vigor starts matching Keys in the Site-to-Site VPN Profiles, instead of the Global Key. I would expect something similiar to apply to Dial-in users. Maybe my expectation is wrong - or maybe it's a straightforward bug ...

Does the global key do anything then? It would be weird to take note of the Main v. Aggressive mode config in the global IPSEC config, while ignoring the shared key which is entered in the same box.