DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Draytek 2955 - L2TP vulnerability causing reboots?
- peter-h
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 60
- Thank you received: 0
08 Nov 2018 14:15 #93321
by peter-h
Replied by peter-h on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
The number of remote users is 1
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
08 Nov 2018 16:02 #93322
by hornbyp
In that case, I think I would start, by changing that Pre-Shared Key. Make it longer and more complex. I don't believe it will be quickly or easily compromised. If the crashes stop, then re-start in a week's time, you'll know I'm wrong!
Also, see if the "VPN" section of the 'Web' syslog captures anything. (I've had variable success with it...)
Replied by hornbyp on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
The number of remote users is 1peter-h wrote:
In that case, I think I would start, by changing that Pre-Shared Key. Make it longer and more complex. I don't believe it will be quickly or easily compromised. If the crashes stop, then re-start in a week's time, you'll know I'm wrong!
Also, see if the "VPN" section of the 'Web' syslog captures anything. (I've had variable success with it...)
Please Log in or Create an account to join the conversation.
- peter-h
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 60
- Thank you received: 0
08 Nov 2018 18:29 #93324
by peter-h
Replied by peter-h on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
I have been trying to set up a teleworker VPN using just IPSEC.
Of the options other than L2TP or PPTP, the 2955 offers only "IPSEC tunnel".
Is this the same as the IPSEC IKEV2 PSK in android 5 or 7?
The android config is for the IPSEC ID and the IPSEC pre-shared key. Nothing else. The Q is where in the router are these configured? There is a sort of "global" pre shared key which is used for the site-site IPSEC VPN.
Draytek are now blocking access to their Guides unless you sign up
https://www.draytek.co.uk/support/guides/vpn-setup2
and I can't click on the button accepting their terms; it is disabled.
The other VPN guides I can find e.g. this
https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/windows-10-built-in-vpn-to-vigor-router/
is all L2TP which is what is causing the router to reboot.
I found this for android
https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/3900-how-to-establish-ipsec-tunnel-with-xauth-psk/
but it doesn't work I can't really relate the router config given to the 2955's options.
It looks like Xauth is the IPSEC mode to use but I can't get that to work either.
Of the options other than L2TP or PPTP, the 2955 offers only "IPSEC tunnel".
Is this the same as the IPSEC IKEV2 PSK in android 5 or 7?
The android config is for the IPSEC ID and the IPSEC pre-shared key. Nothing else. The Q is where in the router are these configured? There is a sort of "global" pre shared key which is used for the site-site IPSEC VPN.
Draytek are now blocking access to their Guides unless you sign up
and I can't click on the button accepting their terms; it is disabled.
The other VPN guides I can find e.g. this
is all L2TP which is what is causing the router to reboot.
I found this for android
but it doesn't work
It looks like Xauth is the IPSEC mode to use but I can't get that to work either.
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
08 Nov 2018 19:54 #93325
by hornbyp
I don't think the built-in Android client allows/supports that. It wants some more 'protection' on top, in the shape of L2TP or XAuth. I've been looking on the Google Play store, for a client that might work ... but it's hard to see the wood for the trees; most are clients for specific VPN companies. The FortiClient VPN app. looks promising, but having it set it all up, it does nothing . I've just uninstalled it again. There's a Cisco app, that the 2860 's SYSLOG notes with interest, is attempting to trigger an IKE V2 connection. It doesn't succeed though...
No. I'm hazy on IKEV2 .. on the grounds I have no devices that support it. It's the latest, greatest, must-have:wink:
This is back to what I was saying earlier...if you put nothing in the "IPSec ID " field, the client uses "Main Mode ", and the key is matched against the Global PSK ; and that's it, the IPSec SA is declared up and running! No wonder it thinks there should be a few more steps on top.
If you put something in the "IPSec ID ", it uses "Aggressive Mode ". On detecting this, the Vigor should (if anything like the site-to-site config), look for the Remote Dial-in user , that has "Specify Remote Node " ticked, and "or Peer ID " with a matching string. It should then compare the "IKE Pre-shared Key " for that user.
I cannot get this to work on the2860 ... and not a chance on the 2830 . [I'm basing this, on what happens with Site-to-site configuration, rather than any documentation. As an aside, there is a tick box next to "[b]Pre Shared Key[/b] " (@ the user level) ... the equivalent tick box for site-to-site has no effect at all ... it will match a PSK, even if you've told it not to. So many bugs!]
Is there any mention of XAuth on the2955 ?
Replied by hornbyp on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
I have been trying to set up a teleworker VPN using just IPSEC.peter-h wrote:
I don't think the built-in Android client allows/supports that. It wants some more 'protection' on top, in the shape of L2TP or XAuth. I've been looking on the Google Play store, for a client that might work ... but it's hard to see the wood for the trees; most are clients for specific VPN companies. The FortiClient VPN app. looks promising, but having it set it all up, it does nothing
Is this the same as the IPSEC IKEV2 PSK in android 5 or 7?
No. I'm hazy on IKEV2 .. on the grounds I have no devices that support it. It's the latest, greatest, must-have
The android config is for the IPSEC ID and the IPSEC pre-shared key. Nothing else. The Q is where in the router are these configured? There is a sort of "global" pre shared key which is used for the site-site IPSEC VPN.
This is back to what I was saying earlier...if you put nothing in the "IPSec ID
If you put something
I cannot get this to work on the
This is ancient and is PPTP or L2TP/IPSec.https://www.draytek.co.uk/support/guides/vpn-setup2
It looks like Xauth is the IPSEC mode to use but I can't get that to work either.
Is there any mention of XAuth on the
Please Log in or Create an account to join the conversation.
- peter-h
- Topic Author
- Offline
- Junior Member
Less
More
- Posts: 60
- Thank you received: 0
08 Nov 2018 20:41 #93326
by peter-h
Replied by peter-h on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
The 2955 says nothing about IKEV2 or XAUTH.
On android, both v5 and v7, I find that if I specify IKEV2 PSK it doesn't ask for the username and password. If I specify XAUTH it does.
The IPSEC Identifier is "not used".
How to map this to the router end I don't know. There is a PSK which is definitely used for the site-site VPN and which has its own "global for all IPSEC VPNs" config.
Moving to win10, which is my most important requirement, all it offers in IPSEC terms is IKEV2 (apart from L2TP, PPTP etc) and then you get username/password, nothing about a shared key. I suspect the 2955 doesn't do IKEV2. Nothing works at all.
So it looks like either PPTP or L2TP/IPSEC are the only options.
PPTP has some security concerns. I am not sure if these are real though; basically the attacker needs access to the wifi network or the ethernet cable via which you are connecting and have this during the time the connection is alive; hacking a PPTP VPN server alone just presents you the login+password which will be as hard as you make it. And the GRE protocol used requires specific support in routers etc which is often not present.
And L2TP exposes the vulnerability in the 2955 router which causes reboots.
So I might go back to PPTP. I rarely use it on public wifi.
To summarise my main requirement: is there any win10 VPN config which would work with the 2955 while avoiding L2TP?
On android, both v5 and v7, I find that if I specify IKEV2 PSK it doesn't ask for the username and password. If I specify XAUTH it does.
The IPSEC Identifier is "not used".
How to map this to the router end I don't know. There is a PSK which is definitely used for the site-site VPN and which has its own "global for all IPSEC VPNs" config.
Moving to win10, which is my most important requirement, all it offers in IPSEC terms is IKEV2 (apart from L2TP, PPTP etc) and then you get username/password, nothing about a shared key. I suspect the 2955 doesn't do IKEV2. Nothing works at all.
So it looks like either PPTP or L2TP/IPSEC are the only options.
PPTP has some security concerns. I am not sure if these are real though; basically the attacker needs access to the wifi network or the ethernet cable via which you are connecting and have this during the time the connection is alive; hacking a PPTP VPN server alone just presents you the login+password which will be as hard as you make it. And the GRE protocol used requires specific support in routers etc which is often not present.
And L2TP exposes the vulnerability in the 2955 router which causes reboots.
So I might go back to PPTP. I rarely use it on public wifi.
To summarise my main requirement: is there any win10 VPN config which would work with the 2955 while avoiding L2TP?
Please Log in or Create an account to join the conversation.
- hornbyp
- Offline
- Big Contributor
Less
More
- Posts: 1323
- Thank you received: 0
08 Nov 2018 21:32 #93327
by hornbyp
It's not obvious, but you can type stuff in that field ... and then it definitely is used ! (Have I mentioned that SYSLOG gives you an insight into this sort of thing :wink: )
Again, I've been looking at this area, with growing concern.
You can get it to use a per-VPN Pre-shared-key , by selecting "Aggressive mode " at the initiating end (Hit "Advanced " in the "IP Security Method " section, select 'Aggressive Mode ' and type 'something' into "Local ID ". At the target end, enable "Specify Remote VPN Gateway " and type that same 'something' into the "or Peer ID " field . The per-VPN PSK now goes in the [IKE Pre-Shared Key ] section - for that LAN to LAN entry ). This works for site-to-site, but not Dial-in users. I think the fact that it doesn't work for the latter is a straight-forward bug.
If you install the SmartVPN app - you also get 'raw' IPSec ... in what I think is 'transport mode'. (If anyone would like to correct me, please do!)
This guide:
https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/how-to-establish-ipsec-with-x.509-from-smart-vpn-client-to-vigor3900/
gives some clues ... enough for me to get it to work to the 2860 . (The guide shows an ancient version of SmartVPN, the radically different 3900 and uses X.509 certificates, but apart from that, is a perfect fit )
I can't remember if it uses Main mode or Aggressive mode (which influences where the key needs to go, for PSK authentication). It's possible I only tried it using a certificate.
It's quite an odd experience ... the 'connection' is instant and there's no obvious change in the local network. If you fire up the "MMC" and add the "IP Security Monitor" snap-in, you can spot the (dynamic) changes it's made to your system.
It's actually quite clever - I remember doing this manually, years ago on Windows 2000 and it took me half a day! I was doing it for a static PC, that I wanted a cross-site encrypted link to. If the local network changes (i.e. for a travelling laptop), you'd run into DNS configuration issues.
On the plus side, it is the 'pure' IPSec connection you so desire
Replied by hornbyp on topic Re: Draytek 2955 - L2TP vulnerability causing reboots?
The IPSEC Identifier is "not used".peter-h wrote:
It's not obvious, but you can type stuff in that field ... and then it definitely is used
There is a PSK which is definitely used for the site-site VPN and which has its own "global for all IPSEC VPNs) config.
Again, I've been looking at this area, with growing concern.
You can get it to use a per-VPN
Moving to win10, which is my most important requirement, all it offers in IPSEC terms is IKEV2 (apart from L2TP, PPTP etc)
If you install the SmartVPN app - you also get 'raw' IPSec ... in what I think is 'transport mode'. (If anyone would like to correct me, please do!)
This guide:
I can't remember if it uses Main mode or Aggressive mode (which influences where the key needs to go, for PSK authentication). It's possible I only tried it using a certificate.
It's quite an odd experience ... the 'connection' is instant and there's no obvious change in the local network. If you fire up the "MMC" and add the "IP Security Monitor" snap-in, you can spot the (dynamic) changes it's made to your system.
It's actually quite clever - I remember doing this manually, years ago on Windows 2000 and it took me half a day! I was doing it for a static PC, that I wanted a cross-site encrypted link to. If the local network changes (i.e. for a travelling laptop), you'd run into DNS configuration issues.
On the plus side, it is the 'pure' IPSec connection you so desire
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek