Computer Support The blog | Internet Security


The blog SEO, Copy Writing, Networking and Internet Safety & Security

eBay spam WARNING!! - watch out these ones look good...


So now we are looking at eBay phishing emails that try to take over your eBay account so that the sender can harvest your account details or payment information.

Here is a typical email. The first thing to notice is the big 'Dispute this transaction' button, which is not normally present. Also notice that the email originates from , which is unusual for an eBay email:

Also notice that if we hover over the 'Dispute this transaction' button we see the following:

So the link, although it has the part in it, actually points to , which is Twitter's forwarding domain (oops, that's a bit embarrassing), which then forwards you on to 

This page shows up as PayPal:

You can still see the phantom domain in the address bar at the top, though. This is obviously where they are hoping to grab your PayPal login details, so do not enter them.

Report the website address as a phishing site as soon as you can.

Forward the email to your ISP's spam reporting address.

Note that and are both being abused for this, so beware: because the links go through legitimate domains, the email will more than likely pass your anti-spam filters!
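The check described above (hover over the button and compare where the link really goes with what it pretends to be) can be done for every link in a message at once. The script below is an added example and is not part of the original post; it is Windows PowerShell run against a saved HTML body. The sample body, the forwarding host 'shortener.example' and the eBay-looking link text are constructed for illustration.

```powershell
# Added example, not part of the original post: pull each link out of an
# HTML e-mail body and show where it really goes, so that a button that
# reads like ebay.com but points at a forwarding service stands out.
$sampleBody = @'
<p>A buyer has opened a case against you.</p>
<a href="https://shortener.example/x9Qk2"><b>Dispute this transaction</b></a>
<a href="https://shortener.example/x9Qk2">https://www.ebay.com/dispute</a>
<a href="https://www.ebay.com/help">eBay Help</a>
'@

# Hosts that merely forward elsewhere; a real link to eBay or PayPal should
# never pass through one of these. Constructed list for the sample above.
$redirectorHosts = @('shortener.example')

function Get-LinkTargets {
    param(
        [Parameter(Mandatory)][string]$Html,
        [string[]]$Redirectors = $redirectorHosts
    )
    # <a ... href="URL" ...>visible text</a>; good enough for e-mail bodies
    $pattern = '<a\b[^>]*href\s*=\s*"(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    $opts = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, Singleline'
    foreach ($m in [regex]::Matches($Html, $pattern, $opts)) {
        $href = $m.Groups['href'].Value
        # Strip inner tags so the visible text is what the user actually sees
        $text = ($m.Groups['text'].Value -replace '<[^>]+>', '').Trim()
        $realHost = ([uri]$href).Host

        # If the visible text looks like a URL or host name, pull its host out
        $textHost = $null
        if ($text -match '^(?:https?://)?(?<h>(?:[a-z0-9-]+\.)+[a-z]{2,})') {
            $textHost = $Matches['h']
        }

        [pscustomobject]@{
            Text       = $text
            RealHost   = $realHost
            TextHost   = $textHost
            Mismatch   = [bool]($textHost -and $textHost -ne $realHost)
            Redirector = $Redirectors -contains $realHost
        }
    }
}

Get-LinkTargets -Html $sampleBody | Format-Table -AutoSize
```

In the sample, the second link shows Mismatch (the text claims www.ebay.com but the target is the forwarder) and the first two show Redirector; the genuine help link shows neither. Only the real target host matters: the visible text and even the path after the host are under the sender's control.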


Watching for new rootkits and adware


OK, so you have your new computer and you are dying to get cracking on the Internet as your ISP has just made your new broadband connection live. Your computer was pre-installed and appears to have everything you need, including your bonus installation of Norton Antivirus or similar with free updates for a year. You install your modem and are ready to go, so let's go...

Antivirus Questions?

But maybe we should hold on a second. Norton Antivirus wins a lot of awards, but then it would. It is made by Symantec, who are definitely a leader in corporate antivirus technology and a good supplier to deal with on that level, but they will charge you for any support as a home user and charge you to update your signature files after the trial period. A better option is to lose the installed antivirus and get AVG Free Edition from Grisoft, which picks up as many viruses as any other home-edition antivirus package. Grisoft's solution is available from and I would urge you to pay for the full edition if you are a business, as the extra functionality is worth it. Avast and AntiVir are also perfectly good examples and are also free. Whatever you do, make sure you have a suitable solution installed and updated before surfing unknown pages.

You should also equip yourself with a firewall. Surfing the Internet without one leaves you open to attack, so at the very least make sure you have either the Windows XP SP2 firewall turned on or one of these free firewalls: Kerio, Sygate, ZoneAlarm.

ALSO: Keep Windows Updated! Many Windows updates are to close holes exploited by malicious programs and simply staying updated will keep a lot of infections off your system.

But what about Spy-ware?

What anti-spyware system should I use? Well, first of all, a lot of decent antivirus solutions catch spy-ware and ad-ware as well as viruses, as from the user's point of view they are all unwanted code doing the same kind of thing. They are all darn annoying and the primary reason new Internet users run into trouble. Most of the anti-spy-ware products these days use all of the spy-ware and virus hassle to try to sell themselves - I have people calling me asking how to get SpyAxe and Spyware-Killer OFF their machines. These are not solutions sold to enrich computer use; they are immature, trip-you-up pieces of software designed for a quick buck, and some new users will be caught out. In my experience there is no anti-spy-ware solution - even the ones from Microsoft and the like - that catches most of the ad-ware and irritations, which can be removed simply by going into Control Panel in Windows and uninstalling everything you do not use or recognise.

If you are determined to use other means, or have tried all of the above, you can also run these on-line scans: Panda ActiveScan and Trend Micro HouseCall, although they require an ActiveX download which your browser security settings or firewall may object to.

The following examples are also free, and can happily coexist on the same computer:
Free Anti-Spyware: Microsoft AntiSpyware, Ad-Aware SE, Spybot S&D, SpywareBlaster
It is important that your computer runs at minimum functionality. Windows is like a pen-knife - it can do almost anything you need it to - but if you are not hosting a website then make sure the web-hosting features (IIS) are uninstalled. You can do this in Control Panel under Add/Remove Programs and then by clicking Add/Remove Windows Components on the left (Windows XP; the others are similar). Every bit of unnecessary functionality can be used against you, so try to run a tight ship. Make sure you have a reason to keep everything you see in this screen. If you don't use network printing then get rid of it. If you don't use fax services then get rid of them. Every one you can dump frees memory, which reduces the page-file swapping your computer has to do, which equals more speed.

Once you have spy-ware, ad-ware or a virus infesting your system it will be taking you to an undesirable website, or you will be getting pop-ups of some kind, or whatever. Do not go running to the first advert you see. Your friends are the other people who have had the problem. Do a search on the Internet for a description of the symptoms and have a read of some articles from people who do not want money for your custom - forums and the like. There will be instructions. If you cannot get to any website other than the one to which you are unwittingly directed, go into Control Panel, Add/Remove Programs, and get rid of anything with an incomplete name (by 'get rid of' I mean uninstall) or anything that you do not knowingly use. If you are unsure, have a look in the documentation for the software name in question. Do not just uninstall everything you do not recognise: check the system again after each uninstall to see if the problem is cured, so that you know for sure which application was causing it.

Many viruses and the like kick off their processes at boot-up. There are many places in the Registry (a set of files that tell Windows a great deal about how it should behave) where these processes can register themselves to start. If you click the Start button on your taskbar, choose Run and type regedit into the box that appears, you will be presented with the Registry Editor. Beware!!!! The Registry is critical to Windows and if you mess about with it you can stop Windows booting altogether, so do not change anything without verifying the information from at least two sources!!! If you look at HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run and RunOnce (and the same keys under HKEY_CURRENT_USER, which apply to just your user account) you will see something like the below:


Many of the processes aggravating you or your computer are to be found here or in other similar places in the Windows Registry. Note that in a lot of articles it is common to abbreviate HKEY_LOCAL_MACHINE to HKLM, and that there are as many troublemakers as do-gooders writing such articles, so try to find a good source of information and verify it. Once you have found a source to be reliable more than a few times you can start to trust the information you find there.
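Rather than reading those keys by hand in regedit, you can have Windows list every start-up entry for you and show whether the program it points at still exists and is signed. The script below is an added example, not part of the original post; it is Windows PowerShell, it only reads the Registry, and the only assumption is that the five keys listed are the ones you want to review (there are others, such as the Winlogon keys and scheduled tasks, which it does not cover).

```powershell
# Added example, not part of the original post: list every value under the
# usual Run and RunOnce keys for the machine and for the current user, and
# show whether the program each one points at exists and carries a valid
# Authenticode signature. Read-only: nothing is changed.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    param([string[]]$Keys = $autostartKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Executable is either the quoted first token or the first word
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $signed = $false
            if ($exists) {
                $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $exists
                Signed  = $signed
            }
        }
    }
}

# Unsigned or missing targets float to the top for review
Get-AutostartEntries | Sort-Object Signed, Exists | Format-Table -AutoSize -Wrap
```

An entry whose target does not exist, or that points at an unsigned executable in a user-writable folder such as %APPDATA% or %TEMP%, is the first thing to look up before you touch the Registry.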

With products like SpyAxe, which keep insisting that you have a virus, remember one thing: if the product that is asking you to install it is not already installed, how can it possibly know your computer has a virus?

Please feel free to submit any other spy-ware problems at for us to have a look at. If you wish to try an anti-spy-ware application to help clear up your PC, have a look at the anti-spy-ware review site for a decent opinion of which one works best. We prefer companies to be inspired to make a good product rather than hard-selling via cheap viruses and ad-ware; if they keep trying to hard-sell you things, tell us and we will find a better link.


Windows Server Security Practices

Your Windows network is reliant on a few basic elements that allow


Elements Required for Active Directory

Microsoft DNS - This is a very different animal in Windows 2000/2003 compared to NT4, not because of how it resolves names but because of what it is used for. NT4 and Windows 95/98 clients use WINS, the Windows Internet Name Service (rather confusingly named), to locate each other across inter-connected LANs. It works hand in hand with DHCP, the Dynamic Host Configuration Protocol, which assigns an IP address to your network interface card and supplies the default gateway, DNS server and WINS server addresses; the client then registers its NetBIOS name with WINS. One WINS server replicates with another on a second LAN, so hosts on either LAN can look each other up and traffic can be routed between them. DNS at that stage was simply for looking up names on the Internet, with optional WINS and WINS-R lookup records for finding workstations through the DNS server. Microsoft DNS on Windows 2000 can be entirely dynamic: it can be stored in Active Directory (AD-integrated zones), has built-in reverse lookup zones, and is updated by the clients or by the DHCP server just as WINS was. On top of that, Active Directory clients find their domain controllers through DNS SRV records, which is why AD cannot function without it. Better!

TCP/IP - The Transmission Control Protocol / Internet Protocol. IP is at present moving from its fourth to its sixth incarnation (IPv4 to IPv6) and it is a complicated protocol. It is routable in more ways than you can wave an Ethernet cable at, and IPv6 was designed with IPsec as a standard component. It is the basis of nearly all communication between computers today: whether we are talking about Macintosh, NetWare, Linux or Windows, they are most likely using TCP/IP to speak to their cohorts. Microsoft have favoured it for some time, NetWare moved over at version 5, and Macintosh jumped on the wagon (as opposed to leading the way as they normally do) and began dropping AppleTalk with the arrival of OS X. Although TCP/IP is referred to as a single protocol it is not. It is a standard set of amalgamated systems, and the two main parts sit at different layers of the standard OSI model: IP at layer 3 (network) and TCP at layer 4 (transport). As with all other communications protocols, TCP/IP is composed of layers:
The Internet Protocol (IP) - is responsible for moving packets of data from one node to another. IP forwards each packet based on a four-byte destination address (the IPv4 address). The Internet registries assign ranges of addresses to organisations, which assign groups of them to departments. IP operates on the routers (gateways) that move data from department to organisation to region and then around the world; every computer on the Internet is using an IP address at some level. In most networks nowadays your LAN has only one 'real' (public) IP address, at your router or firewall, and your computer uses a private address such as 192.168.x.x, 172.16-31.x.x or 10.x.x.x. These ranges are reserved by RFC 1918 for internal LANs and are never routed on the public Internet. This is made possible by NAT and PAT (Network Address Translation and Port Address Translation), performed by your router or firewall, which rewrites outgoing packets to carry the public address and redirects the replies back to the internal machine that requested them.

The Transmission Control Protocol (TCP) - is responsible for verifying the correct delivery of data between the two endpoints. Data can be lost or reordered in the intermediate network, so TCP numbers the bytes it sends, detects errors or missing data, and triggers retransmission until everything has arrived correctly and in order. Combined with IP's routing, this makes TCP/IP a very robust system: sections of the Internet can fall over and traffic is rerouted around them without the applications noticing anything but a delay.

Port Numbers and Sockets - 'sockets' is the name given to the library of subroutines that gives programs access to TCP/IP on most systems. A socket address is the combination of an IP address and a port number, and therefore uniquely identifies a network process on a given host. There are many standardised port numbers, such as 80 for HTTP and 25 for SMTP. A port number is a 16-bit field in the TCP or UDP header, much like the address in the IP header: where the IP address decides where the packet is going, the port number decides which program handles it when it gets there, and at a firewall very often whether it is allowed to get there at all.

Microsoft Active Directory - Don't be put off by the way Microsoft continuously describes this as all sorts of different things. The simple nuts and bolts are as follows. AD is a secured, replicated database shared between the domain controllers of a domain or forest, which lets all of the clients and servers share and use the same information. For those of us familiar with the nuts and bolts of a Windows PC, it is like a replicated registry shared around the Domain Controllers: it sits in a handful of files, just like the registry does, and it can be edited with a straightforward tool (ADSI Edit), just like the registry. It relies on five FSMO roles, two forest-wide and three per domain, to function. (A Forest is a collection of Domain Trees - yes, I know, very clever.) The replicated information that non-DC clients need is stored in the SYSVOL share on every DC, with a folder inside for each domain holding Group Policy templates, logon scripts and other information. The old Netlogon share now lives inside SYSVOL but is still shared as NETLOGON for backwards compatibility. Note that the folder actually shared to clients sits one level down, at %systemroot%\SYSVOL\sysvol. The directory database itself (ntds.dit) and its log files, which only DCs hold, are kept by default in %systemroot%\NTDS, but the location can be chosen when Active Directory is installed on a server.

FSMO Roles - Flexible Single Master Operations (pronounced by all the guys on the Microsoft websites as 'Fuszmo'). So there you are: after all the fuss Microsoft made about Windows 2000/2003 no longer requiring a PDC or BDC, it turns out that there are five different sorts of the darn things.
PDC Emulator - All WinNT fans know what this guy is bound to do. He emulates the old PDC for the benefit of down-level clients and BDCs. He also receives password changes and account lockouts forwarded from the other DCs, is the DC on which Group Policy objects are edited by default, and is the authoritative time source (w32time) for the domain. There is one per domain.
RID Master - Hands out pools of Relative Identifiers (RIDs) to each Domain Controller. Every user, group or computer has a SID made up of the domain SID plus a RID, so each DC needs its own unique pool to label the objects created on it. One per domain.
Infrastructure Master - This guy is the Ambassador. He keeps cross-domain references up to date, for example when a user from another domain who is a member of a group here is renamed or moved, he updates the reference so the membership still points at the right object. One per domain, and he must not sit on a Global Catalogue unless every DC in the domain is one.
Domain Naming Master - This ol' gal is the only DC allowed to add or remove domains (and application partitions) in the forest. There is only one, for the whole forest, which prevents duplicate domain names. Just as well, duplicate computer names are bad enough!
Schema Master - This fellow is responsible for changes to the Active Directory schema, in other words he is the man who alters the way data is stored for any type of object. If you want to add an attribute to the standard computer object then you've got to ask him. One per forest.

OK, so there we have it. It is worth remembering that Active Directory is dependent not only on the FSMO roles but also on TCP/IP and Microsoft DNS, because without either there is no transport to or from Active Directory and no way for a client to find a domain controller in the first place.

So based on these observations we will start with a few pointers. When you are building or designing your new Windows Active Directory you will want to minimise network traffic and administration and to optimise ease of use. This may seem a confusing and daunting task, but let us get things in perspective. Active Directory goes a long way to doing this itself and the design does not have to be completed before you begin your upgrades/installs. If it is not a huge network - i.e. fewer than 10 sites and 20 Domain Controllers - you are not going to notice a huge impact on how you do things anyhow, unless there are a lot of links of different bandwidths. Windows Active Directory is based on replication, and it can cause networking problems and bottlenecks when it gets itself confused and uses all of the available bandwidth, but the replication services can be stopped if they are bringing things to a halt whilst you work out what is going on. Active Directory does do some funny things purely because of the order in which it is created, so make sure you design your upgrade path from the centre of your network, where the most bandwidth lies, moving out gradually toward the more remote, slower sites. But all of this is scare-mongering as much as anything else. If you are just upgrading or designing a single LAN then the most important part is to choose the correct specification of servers and to check with the hardware manufacturers and software vendors that the upgrade paths have been tested and are supported. (This still doesn't guarantee anything, so if you can, test it on a dummy example first.) The worst kind of Microsoft designers are those who come to the job with all of the AD knowledge in the world but have neglected to think about where the servers will be plugged in. Apply a policy of security and robustness to where the servers are and how they are looked after, as well as to how Windows is configured. Many server compromises start with physical access to the box, remember that.

Some services work better together than others. The Domain Controllers should be DNS servers: there is no point having a domain controller that has no access to DNS, and keeping DNS local avoids the risk of losing name resolution while Domain Controllers are being added or removed, which can have catastrophic results. If there is a DNS server on board then you always have at least one copy of what is happening in the domain, and it can be replicated once network communications have been restored. If there is only one DC in a site then it should be set as a Global Catalogue. A Global Catalogue keeps a partial replica (the most commonly searched attributes) of every object in the forest, so if a site needs information on another part of the forest it can be answered locally without running home to momma down a slow connection. Sometimes replication to more remote sites must be scheduled for when the office is out of use to conserve bandwidth, but replication can always be halted if a connection is beginning to feel the strain. Sites are important and define the replication behaviour of Active Directory. A site boundary should sit where there is a connection to the main LAN over lower bandwidth; just because you need a separate Windows site doesn't mean you need a separate Exchange site, as Exchange is another animal when it comes to designing site boundaries.
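The FSMO roles and the DC / DNS / Global Catalogue advice above are easy to check rather than assume. The script below is an added example, not part of the original post: it is Windows PowerShell (5.1) run from a domain-joined machine with the RSAT ActiveDirectory module installed, and it only reads from the directory and DNS.

```powershell
# Added example, not part of the original post: list who holds the five
# FSMO roles, confirm the DC locator SRV records resolve, and check that
# each DC is a Global Catalogue and is running the DNS Server service.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
        PDCEmulator          = $domain.PDCEmulator           # per domain
        RIDMaster            = $domain.RIDMaster             # per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain
    }
}

function Test-DcLocatorRecords {
    # Clients find DCs through these SRV records; if they are missing, AD is unreachable
    $dnsRoot = (Get-ADDomain).DNSRoot
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

function Test-DomainControllers {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Get-Service -ComputerName works in Windows PowerShell 5.1 (not PowerShell 7)
        $dnsSvc = Get-Service -Name DNS -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC            = $dc.HostName
            Site          = $dc.Site
            GlobalCatalog = $dc.IsGlobalCatalog
            DnsServer     = ($null -ne $dnsSvc -and $dnsSvc.Status -eq 'Running')
            FsmoRoles     = ($dc.OperationMasterRoles -join ', ')
        }
    }
}

Get-FsmoHolders | Format-List
Test-DcLocatorRecords | Format-Table -AutoSize
Test-DomainControllers | Format-Table -AutoSize
```

A site whose only DC shows GlobalCatalog False, or a DC with DnsServer False, is exactly the configuration the paragraph above warns against. The same role information is available from the command line with netdom query fsmo.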

A dedicated Domain Controller is always a good idea: a server that can hold the FSMO roles, which need not be distributed over different servers unless your domain is large (the old rule of thumb was around 2,000 clients). The FSMO roles are a difficult point because each is a single point of authority for an entire domain or forest. With enough changes being made to the domain the workload can become such that you have to redistribute the roles across multiple servers. Microsoft's guidance is to keep the Schema Master and Domain Naming Master together on one DC and the RID Master and PDC Emulator together on another, and not to put the Infrastructure Master on a Global Catalogue unless every DC is a Global Catalogue. As a rule, if you are including Microsoft Exchange, the Domain Controllers should have the Active Directory Connector for Microsoft Exchange installed, and a DC is also a good machine to have in charge of your antivirus and DHCP. WINS should be phased out once all clients and servers have been moved over to Windows 8 or 10 and no longer depend on NetBIOS name resolution; your network performance and reliability should then start to increase as duplicate WINS entries and the need to replicate the WINS servers become things of the past.
Lastly, always change the logon name of the Administrator account to something difficult to guess, as a lot of the scripts people run to try to compromise security rely on password lists and presuppose that the administrator account's logon name is 'Administrator'.
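The rename above can be scripted, and the same script shows the limit of the measure. This is an added example, not part of the original post: Windows PowerShell with the RSAT ActiveDirectory module, run as a Domain Admin. The new name 'corp-breakglass' is an assumption for illustration. Caveat: the built-in Administrator's SID always ends in -500, so anyone who can query the directory (or resolve SIDs to names) can still identify the account whatever it is called; the rename only defeats scripts that hard-code the name 'Administrator'. The same setting is available as the Group Policy security option "Accounts: Rename administrator account".

```powershell
# Added example, not part of the original post: rename the built-in domain
# Administrator account by finding it through its SID rather than its name,
# then look it up by SID again to show the rename does not hide it.
Import-Module ActiveDirectory

function Rename-BuiltinAdministrator {
    param([Parameter(Mandatory)][string]$NewName)   # 'corp-breakglass' below is an assumed name

    $domain   = Get-ADDomain
    $adminSid = "$($domain.DomainSID.Value)-500"    # RID 500 = built-in Administrator, always
    $admin    = Get-ADUser -Identity $adminSid

    if ($admin.SamAccountName -ne $NewName) {
        # Logon names (pre-Windows 2000 and UPN) ...
        Set-ADUser -Identity $admin -SamAccountName $NewName -UserPrincipalName "$NewName@$($domain.DNSRoot)"
        # ... and the object's CN, which is what shows in AD Users and Computers
        Rename-ADObject -Identity $admin.DistinguishedName -NewName $NewName
    }

    # Found straight away by SID: the rename changed the label, not the identity
    Get-ADUser -Identity $adminSid | Select-Object Name, SamAccountName, SID
}

Rename-BuiltinAdministrator -NewName 'corp-breakglass'
```

Treat the rename as one layer only: a strong, unique password on the account and lockout/alerting on failed logons to RID 500 are what actually stop the password-list scripts.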

Oi Windows 10, give me back my PC !!!!


If you are, like me, a very boring web user who doesn't go to many unknown websites or watch lots of unsubscribed videos etc. then you might be feeling a little annoyed with the new 'compulsory real-time monitor' arrangement that Windows 10 suffers from. It is, of course, a sign that your computer hard disk drive is now performing two or three times the work for many operations compared to how it was functioning on Windows 7. Real-time scanning (as the word real-time is supposed to explain) means that every file your computer needs to open is examined in advance by a proprietary process before the system comes into contact with it. Now there are two reasons why I don't like this thinking. The first is the obvious performance problem (and whether that wastes more time, energy and money than all the viruses in the world put together is another question.) The second is that Windows 10 downloads so many updates of such unbelievable magnitude that they kill the performance of your machine and the internet and so what is the point of Windows Defender anyway? This is further compounded by the fact that Windows Update, like Windows Defender, now appears to be compulsory.

OK, so let's have a look at all of the components and how we can disable them, as Microsoft have recently started to run scheduled tasks to make sure that the most performance-hungry Windows processes are restarted and re-enabled at regular intervals, such as SharePoint Sync in Microsoft Office and Defender in Windows 10.

So we will begin with the simplest and safest way to disable the Windows Defender components: the Registry Editor.

If you press the Windows key, type 'regedit' and press Enter you will be presented with the Registry Editor, where you need to navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

This means that under HKEY_LOCAL_MACHINE you expand the folders (called keys in the Registry Editor; even though they look the same, they are not folders but something completely different) down to SOFTWARE\Policies\Microsoft. If there is no 'Windows Defender' key underneath, right-click on Microsoft and choose New > Key to create one with exactly that name.

When you find the correct key, highlight it on the left, then right-click in the right-hand pane below the (Default) value and select New > DWORD (32-bit) Value.

Give the DWORD the name DisableAntiSpyWare and once it has been created, double click the DWORD and enter the value '1' and press OK so that you have the below:

Now let's try restarting Windows 10....

OK, so according to the above view from the taskbar the Windows Defender application is not running. Let's check under the running services by clicking the Start button and typing services.msc:

OK excellent, the service has been stopped and is now set to manual. This is going to speed us up nicely. But now how do we stop the automatic updates from hogging all of the bandwidth and disk speed?

Well, there are many sites telling me to use metered connections or policies to disable this function, but the Windows Update feature can be disabled by opening the services.msc applet and disabling the 'Windows Update' service (service name wuauserv), which you find as follows:

NB This service has already been disabled in the screenshot, but yours will not have been.

Now double-click the update service and choose the start-up type:

Once it is set to disabled then click OK to confirm.

Now we are back in control of our Windows 10 PC, and our Internet connection, RAM, hard disk and CPU are all our own again.
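The registry and services steps above as one script, with a check afterwards. This is an added example, not part of the original post; it is Windows PowerShell and must be run from an elevated prompt. Two caveats a reader should know before relying on it: on Windows 10 with Tamper Protection turned on, and on Microsoft Defender Antivirus platform 4.18.2007.8 and later, the DisableAntiSpyware value is ignored (turn Tamper Protection off in the Windows Security app first), and a PC with wuauserv disabled receives no security fixes at all, so re-enable it and patch before assuming the machine is safe to expose to anything.

```powershell
# Added example, not part of the original post: set the Defender policy
# value and disable the Windows Update service, then report the resulting
# state. Run elevated; reboot before trusting the Defender entries.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Disable-DefenderAndUpdates {
    # The Policies\...\Windows Defender key usually does not exist by default
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableAntiSpyware' -PropertyType DWord -Value 1 -Force | Out-Null

    # Windows Update service (wuauserv): stop it and prevent it starting again
    Stop-Service -Name wuauserv -Force -ErrorAction SilentlyContinue
    Set-Service -Name wuauserv -StartupType Disabled
}

function Get-DefenderAndUpdateState {
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue   # Windows Defender Antivirus Service
    $update   = Get-Service -Name wuauserv
    [pscustomobject]@{
        DisableAntiSpyware = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
        DefenderService    = $defender.Status
        DefenderStartType  = $defender.StartType
        UpdateService      = $update.Status
        UpdateStartType    = $update.StartType
    }
}

Disable-DefenderAndUpdates
Get-DefenderAndUpdateState
```

If DefenderService still shows Running after a reboot, Tamper Protection or a newer platform version is overriding the value and the registry route will not work on that build. To reverse the Windows Update change: Set-Service -Name wuauserv -StartupType Manual followed by Start-Service wuauserv.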

Configure Outlook not to display autodiscover certificate errors for certain domains

8. September 2016 13:06 by sirclesadmin in Domain Names, Internet, Internet Security
  1. Close Microsoft Outlook first.
  2. Start Registry Editor. To do this, use one of the following procedures, as appropriate for your version of Windows.
    • Windows 10, 8.1 & 8: Press [Windows Key + R] to open the 'Run' dialogue; type regedit and then click OK.
    • Windows 7: Click the Start button, then type regedit in the search box, and then press Enter.
  3. Locate and then highlight this subkey (yellow folder):
    HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\AutoDiscover\RedirectServers  (xx.0 is your Office version: 2016 is 16.0, 2013 is 15.0, etc.)
    You can use the following registry subkey instead if you wish:
  4. Click the Edit menu, point to New, and then click String Value.
  5. Type the name of the HTTPS server to which AutoDiscover should connect without warning the user, and then click OK. To allow connection to https://*, the first String Value (REG_SZ) name would be as follows:
  6. Do not add any text to the Value data field. The data column must remain empty for every string value you add.
  7. To add further HTTPS servers to which AutoDiscover may connect without warning, repeat steps 4 and 5 for the appropriate host names.
  8. You can now exit Registry Editor.
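The same registry change as a script, for rolling out to more than one machine. This is an added example, not part of the original post; it is Windows PowerShell run as the user whose Outlook profile is affected (the key lives under HKEY_CURRENT_USER), and the host name 'autodiscover.mailhost.example' is an assumption for illustration. Only list hosts you actually control or trust: every name added here suppresses the redirect warning that would otherwise alert the user to an Autodiscover response steering Outlook to a server it should not be talking to.

```powershell
# Added example, not part of the original post: add a host to Outlook's
# AutoDiscover RedirectServers list and show the resulting value names.
function Add-AutodiscoverRedirectServer {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$OfficeVersion = '16.0'   # 16.0 = Outlook 2016/2019/365, 15.0 = Outlook 2013
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover\RedirectServers"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # The host name is the VALUE NAME; the data is deliberately left empty,
    # because Outlook only reads the names under this key.
    New-ItemProperty -Path $key -Name $HostName -PropertyType String -Value '' -Force | Out-Null

    # Return every host currently trusted, so a rollout script can verify it
    (Get-Item -Path $key).GetValueNames()
}

# Close Outlook first, then:
Add-AutodiscoverRedirectServer -HostName 'autodiscover.mailhost.example'
```

Review the list this returns from time to time: a host that nobody remembers adding is worth investigating, since malware with user-level access can write here as easily as this script does.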

DrayTek Vigor Router Logons and Windows 10 Microsoft Edge

5. July 2016 17:37 by sirclesadmin in Hardware, Internet, Internet Security

This is just something to beware of so that you do not get stuck in a loop.

After a DrayTek Vigor 2830 had been factory reset we still could not login - none of the passwords would work!

As we can see from the above it should be admin and admin but from Microsoft Edge on Windows 10 nothing would work.

After a few tries we did notice that the response from admin/admin was considerably slower than the other options and....

Yes, you guessed it, the Microsoft Edge browser just bounces back to the login page even when the login is correct.

We didn't try adding the router logon site to the compatibility view as an option but no doubt that would work. As it was we just used Google Chrome instead.

As an aside, the Google Chrome option doesn't work on the 2830 and older certificates for SSL login, so stick to Firefox or good, old-fashioned IE for that.

RE: Domain registration ✔ - Watch out for domain renewal scams


Just as a warning to all domain owners regarding being misled by spam emails arriving at the time of domain renewal....

The below emails are showing up:

Attention: Important Notice

Domain Name:

Billed To:
[your registered domain owner address]

Invoice#: e2f5-93971393
Created: 06/05/16
Expires: 06/10/16

Secure Online Payment: Scam domain registration reorder

[your domain name]
06/05/16 - 06/05/17
1 year

Attn [your registered domain owner name]

This letter is to inform you that it's time to send in your search engine registration for [your domain]

Failure to complete your search engine registration by 06/10/16 may result in the cancellation of this offer (making it difficult for your customers to locate you using search engines on the web).

Your registration includes search engine submission for [your domain] for 1 year. You are under no obligation to pay the amount stated above unless you accept this offer by . This notice is not an invoice. It is a courtesy reminder to register for search engine listing so that your customers can locate you on the web.

This Offer for [your domain] will expire on 06/10/16. Act today!

For Domain Name:
[domain name]

Click Scam domain renewal website to unsubscribe from future mailings.


These emails are allegedly from 'Domain Services ✔', although the above was sent from the address 

As you can see from the below, there is a general air of a renewal email, and when you click the link in the email above and arrive at the site below there is no mention of what you are actually buying, again allowing you to think that you are renewing your domain. The word 'registration' is used to mean a submission to a search engine. This is of course something that is automated for to carry out, and completely pointless in the modern world of SEO and Google rankings.

The email itself is purportedly a reply ('RE:' in the subject) even though it is not. This is just another tactic to try to associate this company with previous dealings.

Our advice is to blacklist this email and report it as spam.
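Two of the tells above can be checked mechanically from the message headers: a subject that claims to be a reply but has no In-Reply-To or References header (a real reply carries the Message-ID of the mail it answers), and a friendly display name in From that does not match the sending address. The script below is an added example, not part of the original post; it is Windows PowerShell run over the raw headers of a saved message (File > Properties > Internet headers in Outlook). The sample headers, the address 'billing@renewals-notice.example' and the Message-ID in them are constructed for illustration.

```powershell
# Added example, not part of the original post: flag a 'RE:' subject that
# has no threading headers, and show the display name against the real
# sending address. Sample headers are constructed, not from a real message.
$sampleHeaders = @'
From: "Domain Services" <billing@renewals-notice.example>
To: owner@yourdomain.example
Subject: RE: Domain registration - Important Notice
Date: Thu, 05 May 2016 09:12:00 +0000
Message-ID: <20160505091200.1234@renewals-notice.example>
'@

function Test-FakeReply {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322 allows a header to wrap onto indented lines),
    # then build a case-insensitive name -> value table
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $h = @{}
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -match '^(?<name>[^:]+):\s*(?<value>.*)$') {
            $h[$Matches['name'].ToLower()] = $Matches['value']
        }
    }

    $claimsReply = $h['subject'] -match '^\s*(re|fw|fwd)\s*:'
    $hasThread   = $h.ContainsKey('in-reply-to') -or $h.ContainsKey('references')

    $fromDisplay = $null; $fromAddr = $null
    if ($h['from'] -match '^\s*"?(?<name>[^"<]*)"?\s*<(?<addr>[^>]+)>') {
        $fromDisplay = $Matches['name'].Trim(); $fromAddr = $Matches['addr']
    }

    [pscustomobject]@{
        Subject     = $h['subject']
        FakeReply   = ($claimsReply -and -not $hasThread)
        FromDisplay = $fromDisplay
        FromAddress = $fromAddr
        FromDomain  = if ($fromAddr) { ($fromAddr -split '@')[-1] } else { $null }
    }
}

Test-FakeReply -RawHeaders $sampleHeaders | Format-List
```

For the sample this reports FakeReply True and a FromDomain that has nothing to do with any registrar. A missing threading header is not proof on its own (some mail clients drop it), but combined with a display name that does not match the domain it is a good reason to blacklist the sender rather than click anything.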





DrayTek 2860 / 2830 to Watchguard Firebox XTM 26 11.7 IPSec VPN

10. March 2016 08:02 by sirclesadmin in Internet Security, VPN

Watchguard XTM26 to DrayTek Vigor 2860 / 2830 IPSec VPN

Firstly let's set-up the Watchguard XTM Firebox:

In this example I am going to use the Windows management software (Policy Manager) rather than the browser, but either will suffice as long as you use the same encryption and key settings on both ends.

Start your policy manager by logging into your Firewall and selecting Policy Manager. Then click on the Branch Office Gateways option from the menu so that you are presented with the following:

Watchguard Gateways Dialogue Box

Click the 'add' button to open the Gateways properties box to enter the details:

Watchguard Firebox new Gateway Dialog

In the above example we are using a shared key. Once entered (this must be identical to the shared key we are to enter in the DrayTek) click the 'add' button bottom right to enter the gateway endpoint:

Watchguard Firebox New Gateway Endpoints Dialog

In this example the external IP of the Watchguard is and the DrayTek is so we enter the relevant IPs and choose the external interface that we are using on the Firebox (the interface with the external IP we are entering in this box for the Firebox)

Say OK to close this dialog box

When back to the last box, click on the Phase 1 tab at the top to see the below where we configure the Phase 1 settings for our encryption:

Watchguard Firebox New Gateway Dialog 3DES Group 2

We shall tick the boxes for IKE keep alive and dead peer detection and then click 'Edit' at the bottom to edit the encryption choices:

Watchguard Firebox Phase One Transform Dialog

I am using AES (the Advanced Encryption Standard) with an 8 hour timeout, but feel free to choose anything you like as long as you make sure it is the same on the DrayTek.

Click OK to close the box and OK again to return us back to the Policy Manager screen

Once back to the Policy Admin screen click on the VPN menu and choose Branch Office Tunnels:

Watchguard Firebox Branch Office IPSec Tunnels Dialog

Click the 'add' button to create the IPSec tunnel:

Watchguard Firebox New Tunnel Address Dialog

Click the 'add' button to configure the tunnel:

Watchguard Tunnel Route Settings Dialog

Here we are adding the internal subnets for the local and remote sides. In this example we are using 192.168.x.x subnets, so we enter the local Firebox subnet and the remote DrayTek subnet with a /24 (Class C) mask. Click OK to close.

Now choose the Phase 2 tab at the top of the last screen:

Watchguard New Tunnel Phase Two Settings Dialog

Tick the PFS (Perfect Forward Secrecy) box and choose Group 5, as this is what we configure on the DrayTek. (Group 5 is a 1536-bit MODP group; if both ends offer Group 14 or higher, prefer that.)

In the above I have not altered the ESP-AES-SHA1 IPSec proposal as it is the one I wish to use but you may add a custom one if you choose.

Click OK to return to the other screen

Click close on the tunnel screen to return to policy manager and save the settings to the Firebox.

Now we will configure the DrayTek 2860 / 2830:

Log in to the web interface to begin:

DrayTek 2830 System Status Screen

Under the VPN section on the left, click on the LAN to LAN settings option:

DrayTek 2830 LAN to LAN VPN Screen

Click on the '1' hyperlink to open the LAN-to-LAN dialog for that profile:

DrayTek Vigor 2830 New LAN to LAN VPN

In the above I have ticked the enable box, ticked the always on box and chosen to accept NetBIOS traffic as it will be a Windows network. You will also need to click on the 'IKE Pre-shared key' button and enter the same key you entered into the Firebox. Now choose AES with authentication under IPSec and click on the 'advanced' button:

DrayTek Vigor IKE Advanced Settings

Choose the options shown above, noting that we are matching the settings on the Firebox: an 8 hour timeout (28800 seconds) and AES 256-bit encryption.

DrayTek Vigor 2830 LAN VPN Advanced Settings

Choose IPSec as your tunnel type as you did on the top half of the screen and tick the 'specify remote VPN gateway' as in this case our Watchguard has a static address. We add the static address of the Watchguard WAN.

Also click the IKE pre-shared key button and enter the key again. Now enter the local and remote WAN and LAN addresses.

Once all the values have been entered you can say OK, and the always on VPN should pick up immediately:

DrayTek Vigor LAN to LAN Status Up

The VPN comes up as an AES 256-bit tunnel, and we can confirm it by pinging from the Watchguard side of the VPN:

Successful VPN Ping from Watchguard

And on the system manager:

Watchguard Firebox VPN Status Up and Connected

Watchguard XTM26 to DrayTek Vigor 2930 IPSec VPN




DrayTek 3300 to Firebox 10.2 Core X VPN

4. March 2016 07:42 by sirclesadmin in Internet Security, VPN

To configure the Firebox we are using the 10.2 manager, but the 11 series is very similar so you should be able to find your way round from these instructions. These instructions are based on the configuration software rather than the web page, as this example is an X550e system that does not support the web interface.

Firstly you will need to log in to your Firebox using the username and start your Policy Manager.

From the VPN menu at the top, select Branch Office Gateways as below:

You will be presented with the BOVPN gateways box:

Click add and fill in your details which are discussed below:

Firstly give your gateway a name at the top of the page - I usually find that the location of the gateway is the most sensible option but for this example I am sticking to generic terms for the sake of security.

If you are using a pre-shared key then you enter it as clear text in the user pre-shared key box.

To add the gateway endpoints, click Add under the endpoints section at the bottom of the page:

In the above we can see that our local gateway is , which is the local IP address of the Firebox in this example. This simply refers to the internal address that you are using to access your Firebox. The external interface can remain as 'external', which is selected from the drop down list. If you are using a VPN trunk between different endpoints to offer redundancy in your VPN then you can set up various host identities here, but for now we are sticking to the simplest configuration.

Next we set the external IP of the DrayTek. The static IP address has been set as , as the DrayTek 3300 we are connecting to lives on ethernet fibre and has a static IP. The identity has been left the same, as the DrayTek will automatically use its external IP as its identity, so this keeps things simple.

Once you have entered these then press OK to return to the last page.

Once there, click on the Phase 1 Settings tab:

Above is the dialog for configuring the Phase 1 Settings. This is the first stage of key exchange between your firewalls, and we can see that the Firebox already has various settings as defaults. In this example most of these settings can be left as they are; the important parts are the Mode and the Transform Settings at the bottom. We can see that the mode is set to Main, which is our preferred option in this example, so we will leave this be.

The Transform Settings need to be updated so select the phase1 transform and click edit.

You should see a box resembling the below:

In our example - as the DrayTek supports AES 256 Group 5 - we are going to select SHA1 as our authentication and AES 256-bit as our encryption and use an 8 hour SA life, but please feel free to choose any other SA length as the above settings are too simple to guess. These settings must mirror the DrayTek though, so please make a careful note of what you decide upon.

Once you have entered your chosen settings, close the transform dialog box, and then click OK on the remaining dialogs to return to the Policy Manager.

Now select the Branch Office Tunnels item on the VPN menu:

You will see the New Tunnel Dialog:

Give your tunnel a name and associate with your gateway under the Gateway selector as above.

Click Add to choose the addresses associated with your new tunnel:

Choose your local network for the Firebox by either selecting it from the dropdown menu or by entering it manually. In this example the Firebox is on a network:

Click OK to add your subnet and leave the other settings be as the defaults will suffice for this connection.

Click the Phase 2 Settings tab on the previous screen:

In our example our system is going to use perfect forward secrecy, so PFS can remain ticked. We are going to use Diffie-Hellman Group 5, so select that from the drop down.

The ESP-AES-SHA1 option chosen is already correct but be sure to click edit and check that you have a record of the SA time-outs as they will need to match the DrayTek. Once you are satisfied you can click OK and create your tunnel:

Click close to complete creating the tunnel.

The Firebox configuration is now complete, so save the settings to your Firebox when you are ready. Now we will consider the DrayTek 3300:

Log into your DrayTek 3300 as below:

Under the VPN menu select IPSec and then Policy Table:

Under the new IPSec VPN make sure your VPN is set to enable or always-on depending on how you wish your VPN to behave. In this example we will select enable which will come up as soon as you need it in most cases.

Give your VPN a name and replicate the pre-shared key from the Firebox.

ESP is your security protocol so no need to change this.

NAT Traversal should be enabled. If you are connecting two Windows networks then NetBIOS can be enabled for Windows management traffic and machine location - such as computer browser service and the like - to function fully.

The WAN interface I am using is WAN1, so this remains the same, and the DrayTek local LAN settings of go into the local gateway settings. Leaving the other settings as default simply means that the DrayTek will use its LAN and WAN settings as its ID for the VPN, which is fine in this example.

Under the remote gateway settings we add the external address of the Firebox and its LAN address. This tells the DrayTek which destination traffic must be encrypted for, and what the traffic should look like when it arrives.

Once you have completed the above, click the advanced tab at the top of the page.

Now we configure the DrayTek phase 1 & 2 settings. On the Firebox we assigned an 8 hour AES 256-bit DH group 5 and so we complete the DrayTek in the same way as below:

Once again we choose 'main' as the mode and tick the Perfect Forward Secrecy box for PFS to be enabled.

Say OK and you will see that the VPN is now set.

You can monitor under VPN IPsec Status and see the VPN come up when you ping something on the other internal LAN:

The above shows the VPN has been picked up with the correct IP and LAN subnets ;)



DrayTek Vigor 2800 to Watchguard Firebox X550e Core VPN

4. March 2016 07:41 by sirclesadmin in Internet Security, VPN

Watchguard Firebox X550e v8.3 to Draytek VPN

A DrayTek - Watchguard IPSec VPN

I would like to begin by dispelling a few myths about the way these two firewalls - particularly the DrayTek Vigor - behave. It is written time and time again on the SEG and DrayTek websites that various unrelated pages of the configuration matter to both sets of configuration. These claims are often misleading, and you can spend hours wondering if it is the name of your profile in the DrayTek VPN configuration page that is causing your problem, or perhaps the name you have assigned to a Gateway Endpoint in the Watchguard. These configuration names are never seen by the other endpoint - they are after all security devices and do not give out data without a good reason - so you should call them whatever you think is a convenient name.

Before you begin configuring a VPN using AES or 3DES over a distance, bear in mind that the Firebox and other enterprise devices like the PIX or Checkpoint require licenses in order to use each piece of functionality, and that if you do not have a license for an AES VPN then do not try to connect one as you will be wasting your time. If you are using a DrayTek 2800/2900 series then bear in mind that the AES these routers support on the latest firmware at time of writing is 128 bit and not 256 bit as is required by the Watchguard 550s and above, so if you want to go the AES route, buy a DrayTek 3300 or 2950.

First let us deal with the configuration of the DrayTek, as it is very simple and it will allow me to make clear what actually does make a difference in the DrayTek LAN-to-LAN configuration. Firstly, do not worry about the 'IPSec General Setup' page (called the VPN IKE / IPSec General Setup on the 2600), as this is simply for dial-in users who wish to use L2TP over IPSec or are dialling in with a dynamic IP. If you are specifying the IP at each end then stick to the LAN-to-LAN configuration page.

What you will need to know:

  • The external IP address of the firewall at each end (the real IP address, which you can get by going to ' from each internal network).

  • The internal network behind each firewall - typically 192.168.x.0/24, where the /24 indicates it is a class C network, but it may not be so make sure you find out.

  • The type of Encryption - will it be encrypted? Are you using ESP with 3DES or 256 bit AES? What are the SA timeouts?

  • The pre-shared key, if you intend to use one, which is the secret each firewall uses to generate the encryption keys.

Now that we have the information we shall insert it into the necessary gaps. Go into your Vigor, go to the VPN setup page and then into a LAN-to-LAN profile that is free, and give it a suitable name (I like the name of whatever is at the other end to keep things easy).


Now in our example we will use an IPSec tunnel which can be initiated by either end, so for the type of VPN we select 'both' at the top right. We do not yet tick the box saying 'enable this profile', as this would stop us being able to get to the other end of the VPN: the DrayTek simply encrypts all data bound for the endpoint as soon as we enable the profile. After selecting IPSec we then fill in the 'Server IP/Hostname' in the Dial-out setting section. As soon as you have filled in the other endpoint IP (the external IP address of the Firebox) the 'IKE Pre-Shared KEY' button becomes active. You should now click on this button and enter your pre-shared key. Next you need to go down the page a little to the 'IPSec Security Method' section to choose your encryption method from AES/3DES/DES or unencrypted, with SHA1 or MD5. In this example we shall use 3DES with SHA1, as there is no license for AES on my Firebox. We now click on the 'Advanced' button below to make sure of our settings.


This page decides exactly how our firewall connects, so we will choose simple numbers to be sure we can match them with the Firebox. The phase 1 and 2 values must correspond to those on the Firebox exactly. In my example I am choosing 3DES with SHA1 and a lifetime of 3600 seconds for each of the IKE phases, and am leaving Perfect Forward Secrecy disabled. After saying OK to this we are taken back to the LAN-to-LAN page.

Carry on down to the 'Dial-In' setting section, where we fill in the section for the Firebox calling us.

Select IPSec as your allowed dial-in type and then select your remote VPN Gateway IP. The pre-shared key button is again active and you should fill it in with your pre-shared key as before. Next choose whichever encryption your Firebox will support (3DES in my case) and then add the following at the bottom:

My WAN IP: The External IP of your firewall

Remote Gateway IP: The External IP of the Firebox

Remote Network IP: The LAN IP Address such as

Remote Network Mask: The Subnet mask of the Firebox LAN - in this case

You can leave the RIP Direction set to both, as the Firebox will not mind.

Now it is time to configure the Firebox. We will start in the Policy Manager, assuming you can get this far.

Go to the Branch Office VPN section, click on the VPN menu and select VPN Gateways.

Add a new gateway with the external IP address of the DrayTek:

In the above example I am using DES as phase 1 (at time of writing the present firmware picks up the tunnel quicker with DES) because the settings we added to the DrayTek allow either, but feel free to use 3DES and SHA1 here if you like. Say OK to all these settings to get back to the Policy Manager.

Now go to the VPN menu again, select 'Branch Office Tunnels' and add a new tunnel.

 Configure the new tunnel as follows:

Select the gateway you added and then the encryption type. If you click on the button with the pencil next to phase2_proposal.1 you can stipulate the encryption type specifically, as we did on the DrayTek; below are the specific settings I am using:

Click OK to get back to the previous screen and click the 'advanced' button for Phase2 advanced settings, then configure the following:


Now select OK on this and the previous screen and you are ready to add your policy rule by clicking the plus button on the Branch Office VPN page of Policy Manager. You must fill in the local LAN of the Firebox and the remote LAN of the DrayTek as 192.168.x.0/24 for a class C network, 172.16.x.0/16 for a class B, etc.


Now you can say OK to all of the above and save your setup to the Firebox. You should then go back to the DrayTek and tick the LAN-to-LAN profile to enable it. Now try pinging any host on the internal LAN of the other network and you should see that you get a reply.
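All three walkthroughs above (the 2830 with AES-256 / DH group 5 / 8 hours / PFS, the 3300 with the same values, and the 2800 with 3DES / 3600 seconds / PFS off) hinge on the Phase 1 and Phase 2 values being typed identically into two different vendor UIs. The following is an added example, not code from the page or from Watchguard or DrayTek: a hypothetical checklist script that records what was entered at each end, reports fields that differ, and flags settings that match but are weak. The proposals are constructed from the values quoted in the walkthroughs; the DH group for the 2800 case is a constructed placeholder, as the page does not state it.

```python
"""Cross-check the IKE Phase 1 / IPsec Phase 2 values entered on two VPN endpoints (hypothetical helper)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from typing import Optional

# Legacy algorithms and small DH groups worth flagging even when both ends agree on them.
WEAK_CIPHERS = {"DES", "3DES"}
WEAK_HASHES = {"MD5"}
WEAK_DH_GROUPS = {1, 2}
MAX_LIFETIME = 28800  # 8 hours, the longest SA life used in the walkthroughs above

@dataclass(frozen=True)
class Proposal:
    mode: str                 # IKE Phase 1 exchange mode: "main" or "aggressive"
    p1_cipher: str            # Phase 1 encryption, e.g. "AES-256" or "3DES"
    p1_hash: str              # Phase 1 authentication hash: "SHA1" or "MD5"
    p1_dh_group: int          # Phase 1 Diffie-Hellman group
    p1_lifetime: int          # Phase 1 SA lifetime in seconds
    p2_proposal: str          # ESP proposal, e.g. "ESP-AES-SHA1"
    pfs_group: Optional[int]  # Phase 2 PFS DH group, None when PFS is disabled
    p2_lifetime: int          # Phase 2 SA lifetime in seconds

def mismatches(a: Proposal, b: Proposal) -> list[str]:
    """Names of the fields that differ between the two ends; each one is a reason a tunnel may not negotiate."""
    da, db = asdict(a), asdict(b)
    return [name for name in da if da[name] != db[name]]

def weaknesses(p: Proposal) -> list[str]:
    """Settings that may match fine but are weak by current standards."""
    found = []
    if p.p1_cipher in WEAK_CIPHERS:
        found.append(f"Phase 1 cipher {p.p1_cipher} is legacy")
    if p.p1_hash in WEAK_HASHES:
        found.append(f"Phase 1 hash {p.p1_hash} is legacy")
    if p.p1_dh_group in WEAK_DH_GROUPS:
        found.append(f"DH group {p.p1_dh_group} is too small")
    if p.mode != "main":
        found.append("not main mode: identities are not protected during the exchange")
    if p.pfs_group is None:
        found.append("PFS disabled: a compromised Phase 1 key exposes every Phase 2 SA")
    if max(p.p1_lifetime, p.p2_lifetime) > MAX_LIFETIME:
        found.append("SA lifetime longer than 8 hours")
    return found

# Constructed from the 2830 walkthrough: AES-256/SHA1, DH group 5, 28800 s, PFS group 5, ESP-AES-SHA1.
FIREBOX_2830 = Proposal("main", "AES-256", "SHA1", 5, 28800, "ESP-AES-SHA1", 5, 28800)
DRAYTEK_2830 = Proposal("main", "AES-256", "SHA1", 5, 28800, "ESP-AES-SHA1", 5, 28800)
# Constructed from the 2800 walkthrough: 3DES/SHA1, 3600 s, PFS off, with DES entered for Phase 1 on the Firebox.
# DH group 2 is a constructed placeholder; the page does not state the group used.
DRAYTEK_2800 = Proposal("main", "3DES", "SHA1", 2, 3600, "ESP-3DES-SHA1", None, 3600)
FIREBOX_2800 = Proposal("main", "DES", "SHA1", 2, 3600, "ESP-3DES-SHA1", None, 3600)
```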