The sircles.net IT support & solutions blog SEO, Copy Writing, Networking and Internet Safety & Security

Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN

The DrayTek Vigor router range are very straightforward routers with which to configure a VPN and only get really complicated to work on when dealing with multiple firewall rules that may conflict with or override each other. The Junipers are highly configurable in a very ordered manner, but this does mean that there are extra considerations and stages to configuration when programming a VPN.

The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel and an endpoint configured and so let us deal with that first.

We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.

Go to the Network menu and select Interfaces and List.

Now with the drop down top right, choose Tunnel IF and then click New.

Set the Zone to be Untrust (trust-vr)

Check the bubble for Unnumbered as this is a route-based VPN.

Choose the interface to be the internet facing interface with the IP address that you will be pointing the DrayTek Vigor VPN at.

Now click the Tunnel link at the right of the links at the top of your configuration panel.

Once again the destination will be left as 0.0.0.0 as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.

Now we have the tunnel configured we move on to configure the VPN:

Click Autokey IKE and then New:

Rather than configure a gateway in advance we will simply create one in this page. Click the bubble to Create a Simple Gateway and enter a name for the remote gateway. Leave IKE as ver.1 and choose Static IP and enter the Vigor WAN IP or hostname.

Now enter the pre-shared key which is a code that you will enter into the Vigor or share with the admin of the remote Vigor by some secure means. The Outgoing Interface will be the Juniper physical interface on which the WAN IP address resides to which you will be pointing the Vigor VPN.

Now click Advanced:

Here we are choosing the Phase 2 encryption proposal which is simply the encryption types - AES 256-bit in this case with DH Group 14 PFS (Perfect Forward Secrecy) and 3600 seconds time-out, but feel free to simply select a standard choice and simply make a note of the one you are choosing. Is it AES or 3DES or DES? What is the time-out, is it in seconds, minutes or hours? What is the PFS DH group? All of these should be noted as the Vigor must be configured to accept them.

Now enter the local and remote IP / Netmask, where the local is the LAN address and subnet and the remote is the LAN which resides behind the Vigor, to which we are going to have remote access once the VPN is established. In this case both subnets are set at /24, meaning 255.255.255.0 Class-C subnets, but you must obviously enter your own details for each network.

Set service to Any which will allow all traffic to pass between the sites via our VPN.

Tick VPN Monitor, Optimised and Rekey, and leave the destination as default, whilst choosing the external interface to which you will point the Vigor as the Source Interface.

Now click Return and OK. Now move on to configure the policies. The Gateway settings below are just for reference.

The following two Gateway pages were configured automatically when we created the VPN above, but they are included for reference if you need to troubleshoot your Gateway settings:

Now click Advanced:

Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies and at the top select from Trusted to Untrusted and click New.

Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.

Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.

Now at the top of the policy screen, select from Untrusted to Trusted and New and configure the settings as above but with the Vigor remote LAN subnet as the source and the local Juniper subnet as the destination with the service set as Any.

This completes the Juniper set-up and we can now configure the DrayTek Vigor 2860.

Log into the admin web page of the DrayTek and go to the VPN and Remote Access section on the right-hand side. Click on LAN to LAN and then click an empty profile so that you can begin to populate the necessary information:

Name the VPN, indicating where it is connecting your local subnet to.

Tick to enable the profile.

Choose which WAN port/interface the VPN will be established through.

We are allowing NetBIOS naming packets as this will be for a Windows computer network and we may wish to enable inter-site computer browser functioning etc.

Multicast via VPN we will leave disabled.

Set the direction to be Both so that either site can initiate the connection.

Set the VPN type to be IPSec and enter the WAN IP or hostname of the Juniper we are connecting to.

Populate the bubble for Pre-Shared Key and click the IKE Pre-Shared Key button. Here you must enter the same key you entered into the Juniper and click OK.

Below that, choose the bubble for High(ESP) and set the dropdown box to be AES with Authentication. Then click the Advanced button:

Here we are selecting Main mode as we did on the Juniper, and our phase 1 proposal as AES256_SHA1_G14.

Our phase two proposal is set as AES256_SHA1.

Timeouts are once again 28800 seconds and 3600 seconds for phase one and two respectively, and Perfect Forward Secrecy (PFS) is enabled. Now click OK.

Moving down the VPN LAN to LAN page we come to the Dial-In settings:

Tick IPSec Tunnel as the VPN type and untick the others.

Tick the box to Specify Remote VPN Gateway and enter the Juniper WAN IP once more.

Tick the box for the Pre-Shared Key and enter it as before by pressing the appropriate button.

Tick the AES button for the IPSec Security Method.

Leave section 4 blank here as we are not using GRE in this example.

Finally, in section 5, we enter the Vigor WAN IP in My WAN IP and the Juniper WAN IP in Remote Gateway IP.

The Juniper LAN subnet goes in Remote Network IP, such as 192.168.10.0, with the subnet mask below, in this case written as 255.255.255.0 rather than /24.

The Local Network IP is the LAN subnet behind the Vigor, such as 192.168.11.0, with the Vigor's subnet mask below.

The RIP direction is set to both and the traversal method is set to Route.

Now click OK.

Go to VPN and Remote Access and Connection Management and see if the VPN is up:
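Because the post stresses that every proposal value noted on one router must be re-entered identically on the other, here is an added Python checker (not code from the post, Juniper or DrayTek) that compares two endpoints' noted settings and LAN ranges, using the post's proposal values and example subnets; SHA1 on the Juniper side is an assumption made to match the Vigor's AES256_SHA1 proposal names.

```python
"""Added example, not code from the sircles.net post or from Juniper/DrayTek:
a small checker for the values the post says must be noted on one router
and re-entered on the other.  Settings are the ones the post uses (AES-256,
SHA1, DH group 14, 28800 s phase 1 / 3600 s phase 2, PFS on) and the post's
example subnets 192.168.10.0/24 and 192.168.11.0/24."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Fields that must be identical on both ends for the tunnel to negotiate.
MATCHED_FIELDS = ("ph1_enc", "ph1_hash", "ph1_group", "ph1_lifetime",
                  "ph2_enc", "ph2_hash", "ph2_lifetime", "pfs_group")


def lifetime_seconds(spec: str) -> int:
    """Normalise a lifetime given as '28800', '3600s', '60m' or '8h' to seconds,
    because the two vendors' UIs do not always use the same unit."""
    spec = spec.strip().lower()
    unit = spec[-1] if spec[-1] in "smh" else "s"
    value = int(spec.rstrip("smh"))
    return value * {"s": 1, "m": 60, "h": 3600}[unit]


@dataclass
class Endpoint:
    name: str
    lan: str                    # LAN subnet behind this router
    ph1_enc: str                # IKE phase 1 encryption
    ph1_hash: str               # IKE phase 1 hash
    ph1_group: int              # IKE phase 1 DH group
    ph1_lifetime: int           # seconds
    ph2_enc: str                # IPsec phase 2 encryption
    ph2_hash: str               # IPsec phase 2 hash
    ph2_lifetime: int           # seconds
    pfs_group: Optional[int]    # None means PFS disabled


def compare(a: Endpoint, b: Endpoint) -> List[str]:
    """Return human-readable mismatches; an empty list means the two
    endpoint configurations agree on everything checked here."""
    problems = []
    for f in MATCHED_FIELDS:
        va, vb = getattr(a, f), getattr(b, f)
        if va != vb:
            problems.append(f"{f}: {a.name}={va} but {b.name}={vb}")
    # The posts note that each site must use a different LAN range;
    # overlapping subnets cannot be routed across the tunnel.
    la, lb = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if la.overlaps(lb):
        problems.append(f"lan: {a.lan} and {b.lan} overlap")
    return problems


# Juniper side as described in the post (SHA1 for phase 1/2 is an assumption
# made to match the Vigor proposals named AES256_SHA1_G14 and AES256_SHA1).
JUNIPER = Endpoint("juniper-ssg5", "192.168.10.0/24",
                   "aes256", "sha1", 14, lifetime_seconds("8h"),
                   "aes256", "sha1", lifetime_seconds("3600s"), 14)

# Vigor 2860 side as entered in the post, with lifetimes in mixed units
# to show that they normalise to the same values.
VIGOR = Endpoint("vigor-2860", "192.168.11.0/24",
                 "aes256", "sha1", 14, lifetime_seconds("28800"),
                 "aes256", "sha1", lifetime_seconds("60m"), 14)

# Constructed bad configuration: a 2830 left on DH group 5 (the group the
# later post uses for that model), PFS off, and a LAN that clashes with
# the Juniper's.
VIGOR_2830_WRONG = Endpoint("vigor-2830", "192.168.10.0/24",
                            "aes256", "sha1", 5, 28800,
                            "aes256", "sha1", 3600, None)

if __name__ == "__main__":
    for peer in (VIGOR, VIGOR_2830_WRONG):
        print(f"{JUNIPER.name} <-> {peer.name}:",
              compare(JUNIPER, peer) or "proposals match")
```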

DrayTek Vigor 2830 Dynamic IP to Vigor 3900

3. July 2017 16:11 by sirclesadmin in Internet, Internet Security, VPN
There are two main points to bear in mind when configuring the dynamic IP address connections to a static Vigor. The first is that you need to configure the IPsec shared key in two places on the static host DrayTek Vigor VPN router. Firstly under IPSec General Set-up (which is the same place as you configure the IPSec key for L2TP) and then under the VPN Profiles (or LAN to LAN if it is an older model.)

Let's configure the 3900 static IP host router first:

Go to IPSec General Setup

Enter the IPSec shared key you are going to use for your VPN, or, if you are already using that shared key for other connections, look up what you are using and make a note of it, as we will need to enter that shared key again shortly.

Now go to VPN Profiles and we will configure the IPSec specifics for the host static end of the VPN. To continue, click Add to open a new profile window and choose an IPSec VPN. Leave the 'For remote dial-in user' selection at disabled.

So in the above we use the WAN port that carries the external IP being targeted by the other VPN router.

The local IP/Subnet mask is the IP range used by the internal network of the 3900 with the static external IP. In this case we are using a class C subnet of 192.168.x.0

The local next hop is left as the default to use the wan1 default gateway (in the above we are using wan1 but, as stated, you must use the external IP that the 2830 is pointed towards).

The remote host remains at 0.0.0.0 as the remote Vigor 2830 is on a dynamic IP.

The remote network mask is the internal IP LAN subnet of the 2830 with a dynamic WAN address - in this case we are using another 192.168.x.0 address

For the IKE phase 1 we will stick with Main Mode

The authentication type we will leave as PSK - Pre-Shared Key

The pre-shared key we entered earlier we enter again here...

The security protocol we are choosing is encrypted and so we select ESP

Now we move onto the Advanced tab:

We are sticking with the default time-outs for DrayTek Routers.

We are selecting Perfect Forward Secrecy to be enabled (PFS)

Dead peer detection can be enabled to allow for VPNs to be picked up again quickly after a brief connectivity issue.

Route/NAT mode should be: Route

Apply NAT policy should be: Disable

NetBIOS naming packets in this case I am selecting: Enable as this will allow ICMP traffic for Windows client/server communications to behave as if on the same network. 

Multicast via VPN we will leave: Disabled

RIP via VPN we will leave: Disabled to simplify getting the VPN up and running - you may wish to enable this at each end afterwards for router discovery.

Now we proceed to the Proposal tab as we are not enabling GRE in this example:

Now we configure the encryption methods:

We are using AES G5 (Group 5) and AES with authentication as above and leaving the other options as accept all to bring the VPN up reliably and quickly.

To enable compatibility with the 2830 we are sticking to Group 5 but if you are using a 2860 you can use Group 14 (G14) instead as long as you match both ends.

Once all of this has been entered we can click Apply and wait for the router to confirm that it has accepted our VPN details...

Now we configure the 2830

In this example we are going to stick with using the LAN to LAN or VPN profiles tab as not all models have the VPN client and server wizard options, but either method will work as long as you get all of the encryption, LAN and endpoint data correct:

Below we have already gone to VPN>LAN to LAN and clicked on a profile number to start entering the data:

Give your profile a name and tick the box to enable it.

On this router we are using WAN 2 as it is behind another router (and yes it will still work with or without passthru as this is a dial out only configuration from the dynamic end. There is no point trying to dial back to a router you do not know the WAN IP address of.)

We are selecting the VPN type as Dial-Out only. If you wish the VPN to allow for full time connection so that you can access the remote computers then be sure to tick 'Always On' and Enable Ping to Keep Alive and use the IP address of the remote router LAN port on the other internal network (in this case the LAN port IP of the Vigor 3900.) This will basically make the VPN permanent allowing you to easily administer the computers at the dynamic WAN IP site where the 2830 is located.

Once again we are enabling the NetBIOS packets tick box.

Multicast via VPN is disabled again.

We enter the Vigor 3900 WAN IP/Host name in the server IP/Host Name box.

Click the IKE Pre-Shared and enter the same Pre-Shared key as before and click OK

Leave the dial in boxes empty as nothing can dial into a dynamic WAN router.

Do not specify the other end of the VPN as it is a dynamic IP address.

Leave the IKE authentication box as it is as there is no dial in IKE

My WAN IP should remain 0.0.0.0

The remote VPN gateway is the WAN IP of the 3900 static IP router

The remote Network IP is the LAN subnet of the remote 3900 static IP router, in this case 192.168.x.0, and the remote network mask is a class C of 255.255.255.0, which matches the LAN subnet of the 3900.

The Local Network IP is the LAN subnet of the router you are configuring and the subnet is once again a class C of 255.255.255.0

We are leaving RIP as disabled and Route as the method of traversal between subnets.

Now we can click OK and go to the VPN connection management page to see how our VPN is getting on:

On the 2830 the HQ VPN has come up and will stay up as we have configured 'always on' and 'ping to remote IP' meaning that when the IP changes at the 2830 WAN it will pickup and stay up allowing us to configure the remote router and PCs securely if we wish.

Now on the 3900 status page we see the VPN showing happily at the other end too, proving that the VPN is encrypting data and sending and receiving successfully.

DrayTek Vigor 2860 to 3900 IPSec VPN

18. May 2017 10:47 by sirclesadmin in Internet, Internet Security, VPN
Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet Fibre Hub Office with DrayTek IPSec. Both offices have a static IP in this example.

Firstly we shall configure the hub Vigor 3900 endpoint. Log in as normal to see the home screen:

Now go to VPN and Remote Access, choose VPN Server Wizard and select IPSec as your VPN type:

Click to select creating a new VPN profile, choose a name - I have called this one HubOffice - and click Next:

Now we are going to enter the VPN specific information to allow our satellite office to connect:

  • Tick the Enable box to enable the VPN
  • Choose the WAN port carrying the internet connection for the VPN, whose external IP address we will be using
  • Enter the local subnet - this is not provided automatically, so enter the local subnet that the satellite office is being given access to; this may well be the subnet you are using
  • Leave the next hop as 0.0.0.0
  • The remote host is the external WAN IP of the satellite office Vigor 2860
  • The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860 LAN
  • If there are any other subnets hung off the back of the satellite office - if it is a hub in itself - then you can add the extra subnets here, but this can often be a hindrance in getting the VPN to come up, so we shall leave it blank for now.
  • Auth type is PSK, for the passphrase/shared secret that we will enter momentarily
  • Pre-shared key - enter a long string that you have made a note of, as it is to be entered in the 2860 router later
  • Security protocol - leave at ESP
  • We are leaving the DPD delay and timeout boxes as default

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page, and that is what we shall do:

Now we shall proceed to configure the 2860, which has a pretty much identical interface:

We won't use the VPN Client Wizard; so that you can see all of the steps, we will configure the VPN manually. Click VPN and Remote Access > LAN to LAN:

then select a number corresponding to the profile you wish to configure:

  • First tick the Enable box to enable the profile
  • Give the profile a name
  • Choose the WAN1 interface for the VDSL interface if that is what you are using for the VPN external WAN IP address
  • Click the pass NetBIOS box to allow ICMP traffic between the offices
  • Leave Multicast blocked
  • To the right of that leave the call direction as Both
  • Below to the left select IPSec as the VPN type
  • Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
  • To the right, click on the IKE Pre-Shared Key button and enter the key as you entered it into the Vigor 3900:

  • Now below that enter the IPsec method as High(ESP) AES with Authentication, then click the advanced button
  • Click the option to enable PFS - perfect forward secrecy
  • Leave the other timeouts as they are and click OK
  • Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
  • Leave the GRE settings blank and proceed to the bottom section 5.

  • Enter the 2860 WAN IP in the first box
  • Enter the 3900 WAN IP in the second box
  • Enter the 3900 LAN IP network address in the third box
  • Enter the 3900 LAN subnet in the fourth box
  • Enter the 2860 LAN network address in the fifth box
  • Enter the 2860 LAN subnet in the final box
  • Leave the RIP settings as they are.

Now you should be able to go to the connection status on either router and see that the connection is live, and be able to ping the other office from each respectively...

DrayTek 2830/2830v2 VPN from Satellite Office with Dynamic IP

4. April 2017 06:54 by sirclesadmin in VPN
In this example we are looking at setting up a router for connecting a group of computers to a head office that may be behind another router or in a shared environment, often with a dynamic IP. In this example there is a Linksys router in front of the DrayTek at the satellite office over which we have no control. As a result we are setting the satellite office DrayTek Vigor 2860 to be a Dial-out only router and the head office Draytek 2860 to be receiving dial in only.

Firstly we log into the head office router to set up the incoming VPN settings...

This router is on an ethernet circuit at head office - the WAN2 connection of this DrayTek handles synchronous 50 MB quite happily. Let's continue to the VPN section...

So we configure the system as dial-in and the VPN type as IPSec. We are not calling any device, only awaiting one to call us, so we will leave the dial-out section unaltered with no hostname or IP address in the server box.

Now for the dial-in section. In here we must specify the details for accepting the VPN details from the satellite DrayTek:

Once again we select IPSec as the VPN type. We do not add a username or password for IPSec. We will also leave the Peer ID blank.

We also leave section 4 - the GRE section - as default.

Here are the important settings for the LAN-LAN dynamic VPN - we must add our WAN IP, which for the office is the router's IP on the ethernet network. You can see this on the original status page (example at the top of this post) as your router's WAN IP address.

The remote gateway IP stays as 0.0.0.0 as it will be changing in this case.

The remote network IP is the internal LAN subnet address - in this case a 192.168.x.0/24 address and so the subnet is 255.255.255.0 for a class C subnet.

The local network IP is the LAN subnet of the local LAN at head office. Again another 192.168.x.0/24 address - you must have configured the LAN on each router as a different range for successful routing. The local network mask is 255.255.255.0 again

Note that the RIP settings are set to Tx/Rx and that we must Route to access the other side - this is important and must be set to Route, not NAT.

Finally we must set the Pre-Shared secret, which for a dynamic VPN we set under the IPSec general settings here:

In this example we are using AES encryption and so we have ticked only that box.

Setting the Satellite VPN DrayTek Vigor

Once again we log into the DrayTek Vigor:

We head to the VPN section and the first available LAN-LAN profile:

This time the router is set only to dial-out and we once again set the VPN type as IPSec, and this time we are entering a PING to keep alive on the internal IP subnet of the remote LAN - in this case the router LAN address. This will enable us to keep the connection live and so allow us to remotely administer machines etc. on that remote network. We have also ticked the 'Always On' box to help ensure this.

In our case the head office router has a URL we can add to point this router at the VPN endpoint, but you may be using an IP address. Either way, the external address of the head-office router you are connecting to goes there. You must also click the Pre-Shared Key button and enter the same shared secret as you entered in the IPSec General section on the head office router. There is no need to use that section on this router.

We are once again choosing AES with authentication as our VPN encryption to match the remote router. I have left the Phase1 & 2 settings as default in this example as the shared secret is your security in this example and so I have elected not to change time-outs etc.

Now we are completing the IP settings, but for the opposite end of the VPN. Now our WAN IP is unknown and so it is left as the default, but the remote gateway is the same as the IP we entered earlier, or is the IP address of the receiving router's WAN. The remote network IP is the LAN subnet of the other router and the local network IP is the local subnet, with the corresponding masks as before.

We keep the same settings for RIP direction and Routing for access.

Now we have completed all of the settings required for a dynamic to static DrayTek VPN and so we can look at the VPN connection management tab just below where we are now:

Encryption and Security

8. January 2017 12:15 by sirclesadmin in Internet, Internet Security, VPN
So what is a VPN and is it useful to me? What is encryption and how does it work? Mystified? Well, read on for some simple (ish) explanations of some of the more common security terms. A VPN is exactly what is being described: a virtual private network. In other words, it is information that is sent between two parties who have a shared pre-requisite of knowledge that allows them to decode each other's messages. This is referred to as a tunnel because no one outside our pre-shared information can see what is within, as the information is encrypted and authenticated; that is, each party can be sure of the identity of the sender and that no one was able to understand or change the information since it was sent.

A type of tunnelling is in evidence every time you purchase something online or log in to an account with a website such as eBay, and this is called public/private key encryption. In the case of eBay they do not know if the computer you are using is who it says it is - it has no certificate to authenticate with. The only important thing is that your computer believes eBay are who they say they are, and your computer verifies this because eBay use a certificate that is issued by a Certification Authority that Microsoft or Macintosh have verified as authentic, and so your computer trusts the certificate and encrypts the information using the key included in it. eBay trust you because, once the encrypted tunnel between you and eBay is working, they ask you for your password, which is sent as encrypted traffic using the authenticated certificate eBay supplied. This form of encryption is typically used by the Secure Sockets Layer or its successor TLS - Transport Layer Security.

In a VPN, both parties must know who the other is, and this is usually achieved with a shared secret combined with a hash algorithm, known as a keyed hash algorithm. A hash algorithm takes a message of any length and returns a fixed-length hash which is very difficult to fake because it is computationally infeasible to find two messages that give the same result. The two parties add an incrementing number to transmissions so that someone trying to decode and fake messages will not be verified, as they will not be including the correct incrementing number in subsequent messages. Once authenticated, further communication is made using symmetric ciphers, which rely on encrypting information using a pre-shared secret. The disadvantages are that the two parties must have previously exchanged secure information and that the secret must be changed regularly to prevent the encryption being compromised.

The main thing to bear in mind is that it is all the same. Sure there are different methods of encryption and different methods of authentication, but as long as both are ensured to a sensible level we are more or less talking about the same thing. In the main the difference between VPN and normal use of TLS or SSL communications is tied to the factor of Authentication. VPNs require valid hosts at both or all ends.

How does any of it work though? Let's take a look at Public Key Encryption. SSL and its successor TLS both use Public Key Encryption, as does the new IP version, IPv6, which uses IPsec - Internet Protocol Security - to encode all traffic. I must take this opportunity to warn you that none of this is necessary knowledge to put a working VPN system in place, so don't come back complaining it wasn't in your Microsoft exam.

I want to tell my friend Marc how many apples I have collected from the orchards where we work, but I do not want Rob or his competitive friends to know, so that they do not deliberately stay longer so as to collect just a few more. I therefore devise a simple coding in advance with Marc: I will give a sign when I am about to say my collected number of apples and that amount will be 'encoded'. For instance, I might give a sign to Marc by climbing onto my bike and ringing the bell - a sign that can easily be mistaken by Rob and his friends, as we are about to head off home anyway - and then Marc will know that the amount I say will be multiplied by five. Five in this example is sufficient because Rob and his friends will have to spend so long collecting apples to compete that they will give up virtually before they start and still have no real idea how many apples I may have collected. This amount is 'encoded' (in this example by private encryption) because both of us know my private key - that the amount is multiplied by 5.

So what we are in effect creating is a private key tunnel: a way of communicating securely as long as we have a secure way of exchanging our private key and we can recognise each other and our own pre-agreed method of encryption - i.e. we can successfully Authenticate and Encrypt. But what if matters were different? What if Marc and I were separated and had no secure means of exchanging our private keys? Well, a method which allows us to achieve this is a relatively simple mathematical function, but it is fairly slow to encrypt. It is referred to as Public Key Encryption and was developed at GCHQ in Britain by three men called James Ellis, Clifford Cocks and Malcolm J. Williamson. James Ellis had come up with the idea of Public Key Encryption but had not conceived how to implement it. Clifford Cocks - who was also working at GCHQ - heard of the idea, was intrigued, and went home and literally thought up the system in less than half an hour. Cocks's system did however work with a specific value for the public exponent (see below), and in 1974 Malcolm J. Williamson proposed using a general public exponent. The system is known as the Diffie-Hellman key exchange for one very important reason. GCHQ is the British equivalent of the NSA and is responsible for the encryption of secret messages on behalf of the MOD (Ministry of Defence) and also the decoding of any suspicious messages intercepted in the UK. The fact that this method had existed - at least in secret - since the early 1970s was not discovered until 1997, when Cocks was allowed to divulge the information relating to a technology which GCHQ had never found much use for. It was, however, of no consequence by this time as in 1976-7 Ronald Rivest, Adi Shamir and Leonard Adleman discovered and published the same system, and soon a real use for the functionality would make RSA one of the most commonly-found pieces of software on the planet.

It should be noted that the military are not so interested in Public Key Cryptography, usually because a pre-shared code can be easily exchanged and the early computers at the time of invention could not perform the maths.

So how does it work, how can there be a secure way of knowing that I am really talking to who they say they are and also knowing that no one else will know what we are saying? Firstly, it is not true to say that no one can know what we are saying, just that if we encrypt our messages with sufficiently large values for our formulae that the chance of knowing a single exchange before long after we have stopped talking is very slender.

The system works by the two parties choosing a prime number and a base to create a one way trap door effect. Let us go back to the orchard to see how myself and Marc can use these numbers now we are trying to communicate the totals of apples harvested that working day by email and are wary of Rob and his cohorts reading our clear-text emails. We must therefore exchange some kind of code that we will both know but that is not derivable from our exchanges.

Marc and I are going to choose the prime number 11 as our prime, so p=11, and our base as 3, so q=3.

I am encoding my number of apples harvested for that day, so I decide upon a secret integer just as before, and this time I choose S=9. I send Marc q^S mod p (q=3, so 3 to the power 9; mod simply means the remainder left after you divide: 3^9 = 19683, and 19683 / 11 = 1789.3636 recurring, so we remove the integer part to be left with 0.3636 recurring and multiply by 11 again), which gives us our remainder, 4.

Marc chooses a secret integer too, M=8, and then sends me q^M mod p, or 3^8 mod 11 = 5.

I compute (q^M mod p)^S mod p = 5^9 mod 11 = 9.

Marc computes (q^S mod p)^M mod p = 4^8 mod 11 = 9.

We have both derived the same value because q^(S×M) and q^(M×S) are equal. Bear in mind that p, q, q^S mod p and q^M mod p are the only values transmitted publicly; the secret integers S and M, and the result, are kept entirely private. Once this exchange has taken place we have arrived at a number (please bear in mind it only turned out to be the number Simon chose by chance; it would normally be a number unknown to either party until the calculation was carried out) that we can use to encrypt our apple harvest. As long as we use sufficiently large values for our secret and prime numbers - i.e. our prime is over 300 figures and the secret numbers for Simon and Marc over 100 figures - it would take even the most efficient algorithms known to humankind more than the lifetime of the universe to crack our system. Our new number, derived by performing the above with properly large values, becomes Marc's and my Secret Shared Key and may be used to encrypt future messages.
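The orchard exchange carried out in code, as an added Python example that is not from the post: it uses the post's values (p=11, q=3, S=9, M=8), then uses the agreed number as the key of a keyed hash with an incrementing number, as the earlier paragraph describes for VPN message authentication, and shows why such a tiny prime is not safe. HMAC-SHA256 and the "seq:message" layout are my choices, not the post's.

```python
"""Added example, not code from the sircles.net post: the orchard exchange
carried out with the post's numbers (p=11, q=3, S=9, M=8), the agreed
value then used as the key of a keyed hash with an incrementing number,
as the post describes for VPN message authentication.  HMAC-SHA256 and
the "seq:message" layout are my choices, not the post's."""
import hashlib
import hmac
from typing import Optional, Tuple


def dh_public(q: int, secret: int, p: int) -> int:
    """The value a party sends: q^secret mod p (pow does the modular
    exponentiation without building the huge intermediate power)."""
    return pow(q, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """What a party computes from the other side's public value."""
    return pow(peer_public, secret, p)


def exchange(p: int, q: int, s: int, m: int) -> Tuple[int, int, int]:
    """Run both sides with secrets s (mine) and m (Marc's) and return
    (my public value, Marc's public value, shared key); the two shared
    computations must agree because q^(s*m) and q^(m*s) are equal."""
    mine, marcs = dh_public(q, s, p), dh_public(q, m, p)
    k_mine, k_marcs = dh_shared(marcs, s, p), dh_shared(mine, m, p)
    assert k_mine == k_marcs
    return mine, marcs, k_mine


def tag(key: int, seq: int, message: str) -> str:
    """Keyed hash over the incrementing number and the message."""
    data = f"{seq}:{message}".encode()
    return hmac.new(str(key).encode(), data, hashlib.sha256).hexdigest()


class Receiver:
    """Accepts a message only if its tag verifies under the shared key and
    its sequence number is higher than the last accepted one, so a
    replayed or altered message is rejected."""

    def __init__(self, key: int) -> None:
        self.key = key
        self.last_seq = 0

    def accept(self, seq: int, message: str, t: str) -> bool:
        if seq <= self.last_seq:
            return False                      # replay or out of order
        expected = tag(self.key, seq, message)
        if not hmac.compare_digest(expected, t):
            return False                      # wrong key or altered text
        self.last_seq = seq
        return True


def brute_force_secret(q: int, public: int, p: int) -> Optional[int]:
    """Why the post insists on large numbers: with p=11 anyone who saw the
    public value recovers a working exponent by trying every value.  The
    result is the smallest exponent giving that public value; it may differ
    from the original secret yet still yields the same shared key."""
    for s in range(1, p):
        if pow(q, s, p) == public:
            return s
    return None


if __name__ == "__main__":
    mine, marcs, key = exchange(11, 3, 9, 8)
    print(f"I send {mine}, Marc sends {marcs}, we both derive {key}")
    marc = Receiver(key)
    t = tag(key, 1, "12 apples")
    print("fresh message accepted:", marc.accept(1, "12 apples", t))
    print("replayed message accepted:", marc.accept(1, "12 apples", t))
    found = brute_force_secret(3, mine, 11)
    print(f"eavesdropper finds exponent {found}, key {dh_shared(marcs, found, 11)}")
```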

In reality there are more factors that must be taken into account to verify Authentication so as to make sure that I am talking to Marc and not someone impersonating him, which incorporates assigned certificates and certificate authorities just as those that you use every time your browser tells you that you are entering a secure zone and the http:// at the front of the web address url you are visiting is replaced by https://. This is the most typical use of SSL or TLS - to secure web pages.

A Note on the Truth

There are other variants of encryption used with communicating across the Internet to form VPNs such as Block Ciphers like 3DES and AES/Rijndael which are very commonly used in tunnelling often in partnership with hash algorithms like SHA1 or MD5. In truth it is some or all of these security measures acting together that represents most modern VPN tunnelling systems used in equipment like the Checkpoint NG, Windows Server or Cisco PIX. 3DES is still typically the cipher even though it is 56 bit DES performed 3 times and SHA1 is used as a hash algorithm for authentication. Both of these technologies are being superseded by AES/Rijndael and SHA2.

DrayTek 2830 / 2830v2 to Watchguard Firebox XTM 26 11.7 IPSec VPN

10. March 2016 08:02 by sirclesadmin in Internet Security, VPN

Watchguard XTM26 to DrayTek Vigor 2830 / 2830v2 IPSec VPN

Firstly let's set-up the Watchguard XTM Firebox:

In this example I am going to use the software management system rather than the browser, but either will suffice if you stick to the correct encryption and key properties.

Start your policy manager by logging into your Firewall and selecting Policy Manager. Then click on the Branch Office Gateways option from the menu so that you are presented with the following:

Watchguard Gateways Dialogue Box

Click the 'add' button to open the Gateways properties box to enter the details:

Watchguard Firebox new Gateway Dialog

In the above example we are using a shared key. Once entered (this must be identical to the shared key we are to enter in the DrayTek) click the 'add' button bottom right to enter the gateway endpoint:

Watchguard Firebox New Gateway Endpoints Dialog

In this example the external IP of the Watchguard is 65.65.65.65 and the DrayTek is 75.75.75.75, so we enter the relevant IPs and choose the external interface that we are using on the Firebox (the interface with the external IP we are entering in this box for the Firebox).

Say OK to close this dialog box.

When back to the last box, click on the Phase 1 tab at the top to see the below where we configure the Phase 1 settings for our encryption:

Watchguard Firebox New Gateway Dialog 3DES Group 2

We shall tick the boxes for IKE keep alive and dead peer detection and then click 'Edit' at the bottom to edit the encryption choices:

Watchguard Firebox Phase One Transform Dialog

I am using the Advanced Encryption Standard (AES) on an 8 hour time out, but feel free to choose anything you like as long as you take note of it to make sure it is the same on the DrayTek.

Click OK to close the box and OK again to return to the Policy Manager screen.

Once back to the Policy Admin screen click on the VPN menu and choose Branch Office Tunnels:

Watchguard Firebox Branch Office IPSec Tunnels Dialog

Click the 'add' button to create the IPSec tunnel:

Watchguard Firebox New Tunnel Address Dialog

Click the 'add' button to configure the tunnel:

Watchguard Tunnel Route Settings Dialog

Here we are adding the internal IPs for the local and remote domains. In this example we are using 192.168.x.x subnets and so we enter the local Firebox subnet and the remote DrayTek subnet with the /24 255.255.255.0 Class C subnet. Click OK to close.

Now choose the Phase 2 tab at the top of the last screen:

Watchguard New Tunnel Phase Two Settings Dialog

Tick the PFS (Perfect Forward Secrecy) box and choose Group 5, as this is what we configure on the DrayTek.

In the above I have not altered the ESP-AES-SHA1 IPSec proposal as it is the one I wish to use but you may add a custom one if you choose.

Click OK to return to the other screen

Click close on the tunnel screen to return to policy manager and save the settings to the Firebox.

Now we will configure the DrayTek 2860 / 2830:

Log in to the web interface to begin:

DrayTek 2830 System Status Screen

Under the VPN section on the left, click on the LAN to LAN settings option:

DrayTek 2830 LAN to LAN VPN Screen

Click on the 1 hyperlink to open the LAN-to-LAN dialog:

DrayTek Vigor 2830 New LAN to LAN VPN

In the above I have ticked the enable box, ticked the always on box and chosen to accept NetBIOS traffic as it will be a Windows network. You will also need to click on the IKE Pre-shared key and enter the same key you entered into the Firebox. Now choose AES with authentication under IPSec and click on the 'advanced' button:

DrayTek Vigor IKE Advanced Settings

Choose the above options, noting that we are matching the settings on the Firebox: an 8 hour timeout (28800 seconds) with AES 256-bit encryption.

DrayTek Vigor 2830 LAN VPN Advanced Settings

Choose IPSec as your tunnel type as you did on the top half of the screen and tick the 'specify remote VPN gateway' as in this case our Watchguard has a static address. We add the static address of the Watchguard WAN.

Also click the IKE pre-shared key button and enter the key again. Now enter the local and remote WAN and LAN

Once all the values have been entered you can say OK and the always-on VPN should pick up immediately:

DrayTek Vigor LAN to LAN Status Up

The VPN comes up as an AES 256-bit tunnel and we can see if we ping from the Watchguard side of the VPN:

Successful VPN Ping from Watchguard

And on the system manager:

Watchguard Firebox VPN Status Up and Connected


DrayTek 3300 to Watchguard Firebox 10.2 Core X VPN

4. March 2016 07:42 by sirclesadmin in Internet Security, VPN

To configure the Firebox we are using the 10.2 manager but the 11 series are very similar so you should be able to find your way round from these instructions. These instructions are based on using the configuration software rather than the web page as this example is an X550e system that does not support the web interface.

Firstly you will need to log in to your Firebox with your username and start your Policy Manager.

From the VPN menu at the top, select Branch Office Gateways as below:

You will be presented with the BOVPN gateways box:

Click add and fill in your details which are discussed below:

Firstly give your gateway a name at the top of the page - I usually find that the location of the gateway is the most sensible option but for this example I am sticking to generic terms for the sake of security.

If you are using a pre-shared key then you enter it as clear text in the pre-shared key box.

To add the gateway endpoints, click Add under the endpoints section at the bottom of the page:

In the above we can see that our local gateway is 10.10.10.10, which is the local IP address of the Firebox in this example. This simply refers to the internal address that you are using to access your Firebox. The external interface can remain as 'external', which is selected from the drop down list. If you are using a VPN trunk between different endpoints to offer redundancy in your VPN then you can set up various host identities here, but for now we are sticking to the simplest configuration.

Next we set the external IP of the DrayTek. The static IP address has been set as 75.75.75.75, as the DrayTek 3300 we are connecting to lives on ethernet fibre and has a static IP. The identity has been left the same, as the DrayTek will automatically use its external IP as its identity, so this keeps things simple.

Once you have entered these then press OK to return to the last page.

Once there, click on the Phase 1 Settings tab:

Above is the dialog for configuring the Phase 1 Settings. This is the first stage of key exchange for your firewalls, and we can see that the Firebox already has various settings as a default. In this example most of these settings can be left as they are; the important parts are the Mode and the Transform Settings at the bottom. We can see that the mode is set to Main, which is our preferred option in this example, and so we will leave this be.

The Transform Settings need to be updated so select the phase1 transform and click edit.

You should see a box resembling the below:

In our example - as the DrayTek supports AES 256 Group 5 - we are going to select SHA1 as our authentication and AES 256-bit as our encryption and use an 8 hour SA life, but please feel free to choose any other SA length as the above settings are too simple to guess. These settings must mirror the DrayTek though, so please make a careful note of what you decide upon.

Once you have entered your chosen settings, close the tunnel dialog box, and then click OK on the remaining dialogs to return you to the Policy Manager.

Now select the Branch Office Tunnels item on the VPN menu:

You will see the New Tunnel Dialog:

Give your tunnel a name and associate with your gateway under the Gateway selector as above.

Click Add to choose the addresses associated with your new tunnel:

Choose your local network for the Firebox by either selecting it from the dropdown menu or by entering it manually. In this example the Firebox is on a 100.100.100.0/24 network:

Watchguard VPN Config

Click OK to add your subnet and leave the other settings be as the defaults will suffice for this connection.

Click the Phase 2 Settings tab on the previous screen:

In our example our system is going to use Perfect Forward Secrecy and so PFS can remain ticked. We are going to use Diffie-Hellman Group 5 and so select that from the drop down.

The ESP-AES-SHA1 option chosen is already correct but be sure to click edit and check that you have a record of the SA time-outs as they will need to match the DrayTek. Once you are satisfied you can click OK and create your tunnel:

Click close to complete creating the tunnel.

The firebox configuration is now complete so save the settings to your firebox when you are ready. Now we will consider the DrayTek 3300:

Log into your DrayTek 3300 as below:

Under the VPN menu select IPSec and then Policy Table:

Under the new IPSec VPN make sure your VPN is set to enable or always-on depending on how you wish your VPN to behave. In this example we will select enable which will come up as soon as you need it in most cases.

Give your VPN a name and replicate the pre-shared key from the Firebox.

ESP is your security protocol so no need to change this.

NAT Traversal should be enabled. If you are connecting two Windows networks then NetBIOS can be enabled for Windows management traffic and machine location - such as computer browser service and the like - to function fully.

The WAN interface I am using is WAN1 and so this remains the same, and the DrayTek local LAN settings of 100.100.100.0/24 go into the local gateway settings. Leaving the other settings as default simply means that the DrayTek will use its LAN and WAN settings as its ID for the VPN, which is fine in this example.

Under the remote gateway settings we add the external address of the Firebox and its LAN address. This is the instruction to the DrayTek about encrypting traffic bound for a certain destination and what the traffic should be expecting when it arrives.

Once you have completed the above, click the advanced tab at the top of the page.

Now we configure the DrayTek phase 1 & 2 settings. On the Firebox we assigned an 8 hour AES 256-bit DH group 5 and so we complete the DrayTek in the same way as below:

Once again we choose 'main' as the mode and tick the Perfect Forward Secret box for PFS to be enabled.

Say OK and you will see that the VPN is now set.

You can monitor under  VPN IPsec Status and see the VPN comes up when you ping something on the other internal LAN:

The above shows that the VPN has been picked up with the correct IP and LAN subnets ;)

DrayTek Vigor 2800 to Watchguard Firebox X550e Core VPN

4. March 2016 07:41 by sirclesadmin in Internet Security, VPN

Watchguard Firebox X550e v8.3 to Draytek VPN


A DrayTek - Watchguard IPSec VPN

I would like to begin by dispelling a few myths about the way these two firewalls - particularly the Draytek Vigor - behave. It is written time and time again on the SEG and Draytek websites that various unrelated pages of the configuration matter to both sets of configuration. These claims are often misleading and you can spend hours wondering if it is the name of your profile in the Draytek VPN configuration page that is causing your problem, or perhaps the name you have assigned to a Gateway Endpoint in the Watchguard. These configuration names are totally transparent to the other endpoint - they are after all security devices and do not give out data without a good reason - and so you should call them whatever you think is a convenient name.

Before you begin a configuration of a VPN using AES or 3DES over a distance, bear in mind that the Firebox and other enterprise devices like the PIX or Checkpoint require licenses in order to use each piece of functionality, and that if you do not have a license for an AES VPN then do not try and connect one as you will be wasting your time. If you are using a DrayTek 2800/2900 series then bear in mind that the AES these routers support on the latest firmware at time of writing is 128 bit and not 256 bit as is required by the Watchguard 550s and above, so if you want to go the AES route, buy a DrayTek 3300 or 2950.

First let us deal with the configuration of the Draytek as it is very simple and it will allow me to make clear what actually does  make a difference in the Draytek LAN-to-LAN configuration. Firstly do not worry about the 'IPSec General Setup' page (called the VPN IKE / IPSec General Setup on the 2600 ) as this is simply for dial in users who wish to use L2TP over IPSec or are dialling in with a dynamic IP. If you are specifying the IP at each end then stick to the LAN-to-LAN configuration page.

What you will need to know:

  • External IP Address of the Firewall at each end (the real IP address that you can get by going to http://whatismyip.com from each internal network).
  • The internal network inside of each firewall - typically 192.168.x.0/24, where the /24 indicates it is a class C 255.255.255.0 network, but it may not be, so make sure you find out.
  • The type of encryption - will it be encrypted? Are you using ESP with 3DES or 256 bit AES? What are the SA timeouts?
  • The pre-shared key, if you intend to use one, which is the secret code each firewall uses to generate the encryption.

Now that we have the information we shall insert it into the necessary gaps. Go into your Vigor, go to the VPN setup page and then into a LAN-to-LAN profile that is free, and give it a suitable name (I like the name of whatever is at the other end to keep things easy).
Now in our example we will use an IPSec tunnel which can be initiated by either end, and so for the type of VPN we select 'both' top right. We do not yet tick the box saying 'enable this profile', as this will stop us being able to get to the other end of the VPN: the Draytek simply encrypts all data bound for the endpoint as soon as we liven the profile. After selecting IPsec we then fill in the 'Server IP/Hostname' in the Dial-out setting section. As soon as you have filled in the other endpoint IP (the external IP address of the Firebox) the 'IKE Pre-Shared KEY' button becomes active. You should now click on this button and enter your pre-shared key. Next you need to go down the page a little to the 'IPSec Security Method' section to choose your encryption method from AES/3DES/DES or unencrypted, with SHA1 or MD5. In this example we shall use 3DES with SHA1 as there is no license for AES on my Firebox. We now click on the 'Advanced' button below to make sure of our settings.
This page is where exactly how our firewall connects is decided, and so we will choose simple numbers to be sure we can match them with the Firebox. The phase 1 and 2 values must correspond to those on the Firebox exactly. In my example I am choosing 3DES SHA1 encryption with a 3600 second lifetime for each of the IKE phases and am leaving Perfect Forward Secrecy disabled. After saying OK to this we are taken back to the LAN-to-LAN page.

Carry on down to the 'Dial-In' setting section, where we will fill in the section for the Firebox calling us.


Select IPSec as your allowed dial-in type and then select your remote VPN Gateway IP. The pre-shared key button is again active and you should fill it in with your pre-shared key as before. Next choose whichever encryption your Firebox will support (3DES in my case) and then add the following at the bottom:

My WAN IP: The External IP of your firewall

Remote Gateway IP: The External IP of the Firebox

Remote Network IP: The LAN IP Address such as 192.168.6.0

Remote Network Mask: The Subnet mask of the Firebox LAN - 255.255.255.0 in this case

You can leave the RIP Direction set to both as the Firebox will not mind.

Now it is time to configure the Firebox. We will start in the Policy Manager, assuming you can get this far.


Go to the Branch Office VPN section, click on the VPN menu and select VPN Gateways.


Add a new gateway with the external IP address of the Draytek:


In the above example I am using DES as phase 1 (at time of writing the present firmware picks up the tunnel quicker with DES) because the settings we added to the Draytek allow either, but feel free to use 3DES and SHA1 here if you like. Say OK to all these settings to get back to the Policy Manager.


Now go to the VPN menu again, select 'Branch Office Tunnels' and add a new tunnel.


Configure the new tunnel as follows:


Select the Gateway you added and then the encryption type. If you click on the button with the pencil next to the phase2_proposal.1 you can stipulate the encryption type specifically as we did on the Draytek, below are the specific settings I am using:


Click OK to get back to the previous screen and click the 'advanced' button for Phase 2 advanced settings, then configure the following:
Now select OK to this and the previous screen and you are ready to add your policy rule by clicking the plus button on Policy Manager on the Branch Office VPN page. You must fill in the local LAN of the Firebox and the remote LAN of the Draytek as 192.168.x.0/24 for a class C network, 172.16.x.0/16 for a class B, etc.
Now you can say OK to all of the above and save your setup to the Firebox. You should then go back to the Draytek and add a tick to the LAN-to-LAN profile to enable it. Now try pinging any host on the internal LAN of the other network and you should see that you get a reply.
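All three walkthroughs above (XTM26 to Vigor 2830, Firebox 10.2 to Vigor 3300, and X550e to Vigor 2800) come back to the same rule: the Phase 1 and Phase 2 settings on the two ends must mirror each other, or the tunnel stays down. The checker below is an added example, not code from sircles.net, Watchguard or DrayTek; the field names and the sample peers are constructed here, and the Phase 2 lifetime for the 2830 pair is assumed since the guide does not state it.

```python
"""Added example, not part of any of the sircles.net guides: a checker for the
rule every walkthrough above repeats, that the IKE Phase 1 and IPsec Phase 2
settings on the Firebox and the DrayTek must mirror each other.  Each peer is
modelled as the list of proposals it will accept; negotiate() reports the
first proposal both sides share, or the reasons the tunnel will stay down.
Field names and the sample peers are constructed here, not vendor config keys."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str                  # "AES-256", "AES-128", "3DES" or "DES"
    auth: str                        # "SHA1" or "MD5"
    lifetime: int                    # SA lifetime in seconds (28800 = 8 hours)
    dh_group: Optional[int] = None   # IKE DH group; None for Phase 2 entries


@dataclass
class Peer:
    name: str
    mode: str                        # "main" or "aggressive"
    phase1: List[Proposal]
    phase2: List[Proposal]
    pfs_group: Optional[int]         # DH group for PFS, None when PFS is off


def negotiate(a: Peer, b: Peer) -> dict:
    """Find matching Phase 1 / Phase 2 proposals.  A peer offering several
    proposals (as the DrayTek does when set to allow DES or 3DES) matches
    if any one of them agrees with the other side."""
    problems = []
    if a.mode != b.mode:
        problems.append(f"IKE mode: {a.name}={a.mode}, {b.name}={b.mode}")
    p1 = next((p for p in a.phase1 if p in b.phase1), None)
    if p1 is None:
        problems.append("no common Phase 1 proposal (cipher, hash, group, lifetime)")
    p2 = next((p for p in a.phase2 if p in b.phase2), None)
    if p2 is None:
        problems.append("no common Phase 2 proposal")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS group: {a.name}={a.pfs_group}, {b.name}={b.pfs_group}")
    return {"up": not problems, "phase1": p1, "phase2": p2, "problems": problems}


# Constructed peers following the XTM26 / Vigor 2830 guide: AES-256, SHA1,
# DH Group 5, 8-hour SAs, PFS Group 5 (the Phase 2 lifetime is assumed).
AES256_P1 = Proposal("AES-256", "SHA1", 28800, dh_group=5)
AES256_P2 = Proposal("AES-256", "SHA1", 28800)
FIREBOX_XTM26 = Peer("Firebox", "main", [AES256_P1], [AES256_P2], pfs_group=5)
VIGOR_2830 = Peer("Vigor 2830", "main", [AES256_P1], [AES256_P2], pfs_group=5)

# A Vigor 2800 whose firmware tops out at AES-128 (see the X550e article):
# same hash, group and lifetime, but no proposal in common with the Firebox.
AES128_P1 = Proposal("AES-128", "SHA1", 28800, dh_group=5)
AES128_P2 = Proposal("AES-128", "SHA1", 28800)
VIGOR_2800 = Peer("Vigor 2800", "main", [AES128_P1], [AES128_P2], pfs_group=5)
```

Running negotiate(FIREBOX_XTM26, VIGOR_2830) reports the tunnel up on the AES-256 proposals, while negotiate(FIREBOX_XTM26, VIGOR_2800) lists the missing Phase 1 and Phase 2 matches, which is the symptom the X550e article warns about before you buy a router.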