sircles.net Computer Support The sircles.net blog | VPN


DrayTek Vigor 2860 to 3900 IPSec VPN

18. May 2017 10:47 by sirclesadmin in Internet, Internet Security, VPN

Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet Fibre Hub Office with DrayTek IPSec. Both offices have a static IP in this example.

Firstly we shall configure the hub Vigor 3900 endpoint. Login as normal to see the home screen:


Now go to VPN and Remote Access and choose VPN Server Wizard and select IPSec as your VPN type:


Select the option to create a new VPN profile, choose a name - I have called this one HubOffice - and click Next:


Now we are going to enter the VPN specific information to allow our satellite office to connect:

  • Tick the Enable box to enable the VPN
  • Choose the WAN port carrying the internet connection the VPN will use; its external IP address is the address the satellite office will dial
  • Enter the local subnet - this is not filled in automatically, so enter the local subnet the satellite office is being given access to, which will usually be the subnet the 3900's LAN is using
  • Leave the next hop as 0.0.0.0
  • The remote host is the external WAN IP of the satellite office Vigor 2860
  • The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860
  • If there are other subnets hung off the back of the satellite office - if it is a hub in itself - you can add the extra subnets here, but this is often a hindrance in getting the VPN to come up, so we shall leave it blank for now
  • Auth type is PSK, the pre-shared key (shared secret) we will enter momentarily
  • Pre-shared key - enter a long random string and make a note of it, as the identical key has to be entered in the 2860 later
  • Security protocol - leave at ESP
  • We are leaving the DPD delay and timeout boxes at their defaults

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page and that is what we shall do:


Now we shall proceed to configure the 2860 which has a pretty much identical interface:


This particular 2860 doesn't have the latest firmware, so we cannot use the VPN Client Wizard and will configure the VPN manually: click VPN and Remote Access > LAN to LAN:


then select a number corresponding to the profile you wish to configure:


  • First tick the Enable box to enable the profile
  • Give the profile a name
  • Choose the WAN1 interface for the VDSL interface, if that is the interface whose external WAN IP address the VPN will use
  • Tick the Pass NetBIOS box if you want Windows name-resolution (NetBIOS) broadcasts to cross the tunnel between the offices; ordinary IP traffic such as ping does not need it
  • Leave Multicast blocked
  • To the right of that leave the call direction as Both
  • Below, on the left, select IPSec as the VPN type
  • Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
  • To the right, click on the IKE Pre-Shared Key button and enter the key exactly as you entered it into the Vigor 3900
  • Now below that set the IPsec method to High(ESP) AES with Authentication, then click the Advanced button
  • Click the option to enable PFS - perfect forward secrecy


  • Leave the other timeouts as they are and click OK
  • Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
  • Leave the GRE settings as blank and proceed to the bottom section 5.


  • Enter the 2860 WAN IP in the first box
  • Enter the 3900 WAN IP in the second box
  • Enter the 3900 LAN IP network address in the third box
  • Enter the 3900 LAN subnet in the fourth box
  • Enter the 2860 LAN network address in the fifth box
  • Enter the 2860 LAN subnet in the final box
  • Leave the RIP settings as they are.

Now you should be able to go to the connection status on either router, see that the connection is live, and ping the other office from each end.
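A small cross-check for the two profiles above, as an added example and not DrayTek code: it takes the values typed into the hub and satellite LAN-to-LAN pages (the dict keys are this example's own names, not the router's menu labels, and the addresses are constructed documentation addresses) and reports the mismatches that most often leave the tunnel down or unroutable: a remote host that is not the other end's WAN IP, keys that differ, local and remote subnets that are not mirror images, overlapping LANs, a host address typed where a network address belongs, and NAT where Route is required.

```python
"""Cross-check the two ends of a DrayTek LAN-to-LAN IPsec profile.

Added example, not DrayTek code. Each end is a dict holding the values
typed into the LAN-to-LAN pages (key names are this example's own). The
checker reports the mismatches that most often stop a tunnel coming up
or stop traffic routing once it is up.
"""
import ipaddress

# Constructed sample data: RFC 5737 documentation WAN addresses and
# RFC 1918 LANs, not the addresses of any real site.
HUB = {
    "name": "HubOffice",          # Vigor 3900 end
    "wan_ip": "203.0.113.10",
    "remote_host": "198.51.100.20",
    "local_subnets": ["192.168.10.0/24"],
    "remote_subnets": ["192.168.20.0/24"],
    "psk": "Xq7!pL2$vN9@kR4&wT6#",
    "mode": "route",
}
SATELLITE = {
    "name": "SatelliteOffice",    # Vigor 2860 end
    "wan_ip": "198.51.100.20",
    "remote_host": "203.0.113.10",
    "local_subnets": ["192.168.20.0/24"],
    "remote_subnets": ["192.168.10.0/24"],
    "psk": "Xq7!pL2$vN9@kR4&wT6#",
    "mode": "route",
}


def _nets(cidrs):
    """Parse CIDR strings strictly: '192.168.20.1/24' is a host, not a network."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_pair(a, b):
    """Return a list of problems found between ends a and b (empty = consistent)."""
    problems = []

    # 0. Every subnet box must hold a network address, not a host address.
    for end in (a, b):
        for key in ("local_subnets", "remote_subnets"):
            for cidr in end[key]:
                try:
                    ipaddress.ip_network(cidr, strict=True)
                except ValueError:
                    problems.append(f"{end['name']}: {key} entry {cidr!r} is not a network address")
    if problems:
        return problems  # the checks below assume parseable networks

    # 1. Each end's remote host must be the other end's WAN address.
    for x, y in ((a, b), (b, a)):
        if x["remote_host"] != y["wan_ip"]:
            problems.append(
                f"{x['name']}: remote host {x['remote_host']} is not {y['name']}'s WAN IP {y['wan_ip']}")

    # 2. The pre-shared key must be byte-identical (a trailing space is enough to fail IKE).
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")

    # 3. One end's local subnets must be exactly the other end's remote subnets.
    for x, y in ((a, b), (b, a)):
        if _nets(x["local_subnets"]) != _nets(y["remote_subnets"]):
            problems.append(
                f"{x['name']} local {x['local_subnets']} != {y['name']} remote {y['remote_subnets']}")

    # 4. The two LANs must not overlap, or neither router can tell which side a packet belongs to.
    for la in _nets(a["local_subnets"]):
        for lb in _nets(b["local_subnets"]):
            if la.overlaps(lb):
                problems.append(f"LAN {la} overlaps LAN {lb}: renumber one site")

    # 5. Tunnel traffic must be routed: NAT rewrites the source to the WAN IP,
    #    which no longer matches the subnets the tunnel was told to carry.
    for end in (a, b):
        if end["mode"] != "route":
            problems.append(f"{end['name']}: traffic for the tunnel must be routed, not NATed")

    return problems


if __name__ == "__main__":
    for line in check_pair(HUB, SATELLITE) or ["OK: both ends agree"]:
        print(line)
```

Run it with your own two profiles pasted into the dicts before touching the routers; an empty list means the addressing is at least self-consistent, which removes the most common reasons for a tunnel that negotiates but carries no traffic.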


DrayTek 2830/2830v2 VPN from Satellite Office with Dynamic IP

4. April 2017 06:54 by sirclesadmin in VPN

DrayTek Vigor 2830v2 - 2830 VPN with Dynamic IP v4 Address

In this example we are looking at setting up a router to connect a group of computers to a head office that may be behind another router or in a shared environment, often with a dynamic IP. Here there is a Linksys router in front of the DrayTek at the satellite office, over which we have no control. As a result we are setting the satellite office DrayTek Vigor 2860 to be a dial-out only router and the head office DrayTek 2860 to accept dial-in only.

Firstly we log into the head office router to set up the incoming VPN settings...

This router is on an ethernet circuit at head office - the WAN2 connection of this DrayTek handles a symmetric 50 Mb/s service quite happily. Let's continue to the VPN section.

So we configure the profile as dial-in and the VPN type as IPSec.

We are not calling any device, only awaiting one to call us, so we leave the dial-out section unaltered, with no hostname or IP address in the server box.

Now for the dial-in section. In here we must specify the details for accepting the VPN details from the satellite DrayTek:

Once again we select IPSec as the VPN type. We do not add a username or password for IPSec. We will also leave the Peer ID blank.

We also leave section 4 - the GRE section - as default.


Here are the important settings for the LAN-to-LAN dynamic VPN: we must add our WAN IP, which for the office is the router's IP on the ethernet circuit. You can see this on the original status page (example at the top of this post) as your router's WAN IP address.

The remote gateway IP stays as 0.0.0.0 because in this case the satellite's address changes. That means any peer presenting the correct pre-shared key will be accepted, so the key has to be long and random.

The remote network IP is the satellite's internal LAN subnet address - in this case a 192.168.x.0/24 address, so the mask is 255.255.255.0 (a class C subnet).

The local network IP is the LAN subnet at head office, again a 192.168.x.0/24 address - you must have configured the LAN on each router as a different range for routing to work. The local network mask is 255.255.255.0 again.

Note the RIP settings are set to Tx/Rx and that we must Route to access the other side - this is important and must be set to Route not NAT

Finally we must set the Pre-Shared secret, which for a dynamic VPN we set under the IPSec general settings here:

In this example we are using AES encryption and so we have ticked only that box.

Setting the Satellite VPN DrayTek Vigor

Once again we log into the DrayTek Vigor:

We head to the VPN section and the first available LAN-LAN profile:

This time the router is set only to dial-out and we once again set the VPN type as IPSec. This time we also enter a PING keep-alive address on the remote LAN - in this case the remote router's LAN address. This keeps the connection live so we can remotely administer machines on that remote network. We have also ticked the 'Always On' box to help ensure this.

In our case the head office router has a hostname we can point this router at, but you may be using an IP address. Either way the external address of the head office router you are connecting to goes there. You must also click the Pre-Shared Key button and enter the same shared secret you entered in the IPSec General section on the head office router. There is no need to use that section on this router.

We are once again choosing AES with authentication as our VPN encryption to match the remote router. I have left the Phase 1 & 2 settings at their defaults in this example, as the shared secret is what authenticates the peers here, and so I have elected not to change time-outs etc.

Now we complete the IP settings, but for the opposite end of the VPN. Our WAN IP is unknown and so it is left at the default, but the remote gateway is the same address we entered earlier, i.e. the IP address of the receiving router's WAN. The remote network IP is the LAN subnet of the other router and the local network IP is the local subnet, with the corresponding masks as before.

We keep the same settings for RIP direction and Routing for access.

Now we have completed all of the settings required for a dynamic to static DrayTek VPN and so we can look at the VPN connection management tab just below where we are now:
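Since the head office accepts the dynamic peer from any address, the pre-shared key is doing all of the authentication. The following is an added example, not DrayTek code, of generating such a key from the operating system's random source and grading a key before it is typed into both routers; the character set and the 128-bit threshold are this example's own assumptions, so check which characters your router's form accepts.

```python
"""Generate and grade a pre-shared key for a dynamic-peer IPsec profile.

Added example, not DrayTek code. With the remote gateway left at 0.0.0.0
the head office router cannot tie the peer to an address, so the PSK is
the only thing between the LAN and anyone who can reach the WAN port.
"""
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation unlikely to be mangled
# when pasted into a web form. Verify against your router's accepted set.
PUNCT = "!#$%&*+-.:=?@^_~"
ALPHABET = string.ascii_letters + string.digits + PUNCT


def generate_psk(length=32):
    """Return a key drawn with the OS CSPRNG (never random.choice for this)."""
    if length < 16:
        raise ValueError("a LAN-to-LAN PSK should be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psk_entropy_bits(psk):
    """Upper bound on the key's entropy: length * log2(pool size), where the
    pool is the union of character classes the key uses. A dictionary phrase
    scores far higher than it deserves, so this is a sanity check, not proof."""
    pool = 0
    if any(c in string.ascii_lowercase for c in psk):
        pool += 26
    if any(c in string.ascii_uppercase for c in psk):
        pool += 26
    if any(c in string.digits for c in psk):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in psk):
        pool += 33  # printable ASCII punctuation plus space
    return len(psk) * math.log2(pool) if pool else 0.0


def psk_is_acceptable(psk, min_bits=128):
    """True when the key is random enough for IKE PSK authentication and has
    no leading or trailing whitespace, which a form may silently strip on one
    router but not the other."""
    return psk == psk.strip() and psk_entropy_bits(psk) >= min_bits


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"{psk_entropy_bits(key):.0f} bits", psk_is_acceptable(key))
```

Generate the key once, paste the same string into the head office IPSec General Setup and the satellite profile, and keep it somewhere you can compare byte for byte when the tunnel refuses to come up.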

DrayTek 2830 / 2830v2 to Watchguard Firebox XTM 26 11.7 IPSec VPN

10. March 2016 08:02 by sirclesadmin in Internet Security, VPN

Watchguard XTM26 to DrayTek Vigor 2830 / 2830v2 IPSec VPN

Firstly let's set-up the Watchguard XTM Firebox:

In this example I am going to use the software management system rather than the browser, but either will suffice if you stick to the correct encryption and key properties.

Start your policy manager by logging into your Firewall and selecting Policy Manager. Then click on the Branch Office Gateways option from the menu so that you are presented with the following:

Watchguard Gateways Dialogue Box

Click the 'add' button to open the Gateways properties box to enter the details:

Watchguard Firebox new Gateway Dialog

In the above example we are using a shared key. Once entered (this must be identical to the shared key we are to enter in the DrayTek) click the 'add' button bottom right to enter the gateway endpoint:

Watchguard Firebox New Gateway Endpoints Dialog

In this example the external IP of the Watchguard is 65.65.65.65 and the DrayTek is 75.75.75.75 so we enter the relevant IPs and choose the external interface that we are using on the Firebox (the interface with the external IP we are entering in this box for the Firebox)

Say OK to close this dialog box

When back to the last box, click on the Phase 1 tab at the top to see the below where we configure the Phase 1 settings for our encryption:

Watchguard Firebox New Gateway Dialog 3DES Group 2

We shall tick the boxes for IKE keep alive and dead peer detection and then click 'Edit' at the bottom to edit the encryption choices:

Watchguard Firebox Phase One Transform Dialog

I am using the Advanced Encryption Standard (AES) with an 8 hour SA lifetime, but feel free to choose anything you like as long as you make sure it is the same on the DrayTek.

Click OK to close the box and OK again to return us back to the Policy Manager screen

Once back to the Policy Admin screen click on the VPN menu and choose Branch Office Tunnels:

Watchguard Firebox Branch Office IPSec Tunnels Dialog

Click the 'add' button to create the IPSec tunnel:

Watchguard Firebox New Tunnel Address Dialog

Click the 'add' button to configure the tunnel:

Watchguard Tunnel Route Settings Dialog

Here we are adding the internal IPs for the local and remote domains. In this example we are using 192.168.x.x subnets and so we enter the local Firebox subnet and the remote DrayTek subnet with the /24 255.255.255.0 Class C subnet. Click OK to close.

Now choose the Phase 2 tab at the top of the last screen:

Watchguard New Tunnel Phase Two Settings Dialog

Tick the PFS (Perfect Forward Secrecy) box and choose Group 5, as this is what we configure on the DrayTek.

In the above I have not altered the ESP-AES-SHA1 IPSec proposal as it is the one I wish to use but you may add a custom one if you choose.

Click OK to return to the other screen

Click close on the tunnel screen to return to policy manager and save the settings to the Firebox.

Now we will configure the DrayTek 2860 / 2830:

Log in to the web interface to begin:

DrayTek 2830 System Status Screen

Under the VPN section on the left, click on the LAN to LAN settings option:

DrayTek 2830 LAN to LAN VPN Screen

Click on the 1 hyperlink to open the LAN-to-LAN dialog:

DrayTek Vigor 2830 New LAN to LAN VPN

In the above I have ticked the enable box, ticked the always on box and chosen to accept NetBIOS traffic as it will be a Windows network. You will also need to click on the IKE Pre-shared key and enter the same key you entered into the Firebox. Now choose AES with authentication under IPSec and click on the 'advanced' button:

DrayTek Vigor IKE Advanced Settings

Choose the above options noting that we are matching the settings on the Firebox with an 8 hour timeout (28800 seconds) with AES 256 bit encryption VPN

DrayTek Vigor 2830 LAN VPN Advanced Settings

Choose IPSec as your tunnel type as you did on the top half of the screen and tick the 'specify remote VPN gateway' as in this case our Watchguard has a static address. We add the static address of the Watchguard WAN.

Also click the IKE pre-shared key button and enter the key again. Now enter the local and remote WAN and LAN addresses in the bottom section of the profile.

Once all the values have been entered you can say OK and the always on VPN should pickup immediately:

DrayTek Vigor LAN to LAN Status Up

The VPN comes up as an AES 256-bit tunnel and we can see if we ping from the Watchguard side of the VPN:

Successful VPN Ping from Watchguard

And on the system manager:

Watchguard Firebox VPN Status Up and Connected
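The post above matches Phase 1 and Phase 2 by hand; the script below is an added example (not Watchguard or DrayTek code) that does the comparison mechanically and flags algorithms a practitioner should not accept on a new tunnel. The field names and the sample values are this example's shorthand for the settings discussed above, not either vendor's menu labels.

```python
"""Compare the IKE Phase 1 and IPsec Phase 2 proposals configured on two peers.

Added example, not Watchguard or DrayTek code. Field names are this
example's shorthand for the Firebox Phase 1/Phase 2 tabs and the DrayTek
IKE advanced settings.
"""

# Algorithms and groups not to accept on a new tunnel: DES and DH groups
# of 1024 bits or less are broken, 3DES and MD5 are deprecated.
WEAK = {
    "des": "56-bit DES is broken",
    "3des": "3DES is deprecated (64-bit block, Sweet32)",
    "md5": "MD5 is deprecated",
    "dh1": "768-bit DH group 1 is broken",
    "dh2": "1024-bit DH group 2 is too small",
}

# Constructed sample matching the settings used in the post above.
FIREBOX = {
    "name": "Firebox",
    "phase1": {"mode": "main", "encryption": "aes256", "hash": "sha1",
               "dh_group": "dh5", "lifetime_s": 28800, "dpd": True},
    "phase2": {"protocol": "esp", "encryption": "aes256", "hash": "sha1",
               "pfs_group": "dh5", "lifetime_s": 28800},
}
DRAYTEK = {
    "name": "DrayTek",
    "phase1": dict(FIREBOX["phase1"]),
    "phase2": dict(FIREBOX["phase2"]),
}


def compare_proposals(a, b):
    """Return every Phase 1/Phase 2 field that differs between the two peers.
    Both sides must offer a common proposal; a mismatch in any of these
    fields is the usual reason an IKE negotiation goes nowhere. Many stacks
    tolerate differing lifetimes, but matching them removes a variable."""
    diffs = []
    for phase in ("phase1", "phase2"):
        pa, pb = a[phase], b[phase]
        for field in sorted(set(pa) | set(pb)):
            if pa.get(field) != pb.get(field):
                diffs.append(
                    f"{phase}.{field}: {a['name']}={pa.get(field)!r} vs {b['name']}={pb.get(field)!r}")
    return diffs


def weak_settings(peer):
    """Return warnings for weak choices, in a fixed order so runs are comparable."""
    warnings = []
    for phase in ("phase1", "phase2"):
        for field, value in sorted(peer[phase].items()):
            reason = WEAK.get(str(value).lower())
            if reason:
                warnings.append(f"{peer['name']} {phase}.{field} = {value}: {reason}")
    # Without PFS, compromise of the Phase 1 key material exposes every
    # Phase 2 SA derived from it.
    if not peer["phase2"].get("pfs_group"):
        warnings.append(f"{peer['name']} phase2 has no PFS group: a leaked Phase 1 key exposes every child SA")
    return warnings


if __name__ == "__main__":
    for line in compare_proposals(FIREBOX, DRAYTEK) or ["OK: proposals match"]:
        print(line)
    for peer in (FIREBOX, DRAYTEK):
        for line in weak_settings(peer):
            print(line)
```

Fill in both dicts from the two screens, and fix every difference it prints before looking anywhere else; the warnings are independent of whether the tunnel comes up, since two peers will happily agree on DES if you let them.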


DrayTek 3300 to Firebox 10.2 Core X VPN

4. March 2016 07:42 by sirclesadmin in Internet Security, VPN

To configure the Firebox we are using the 10.2 manager but the 11 series are very similar so you should be able to find your way round from these instructions. These instructions are based on using the configuration software rather than the web page as this example is an X550e system that does not support the web interface.

Firstly log in to your Firebox and start the Policy Manager.

From the VPN menu at the top, select Branch Office Gateways as below:

You will be presented with the BOVPN gateways box:

Click add and fill in your details which are discussed below:

Firstly give your gateway a name at the top of the page - I usually find that the location of the gateway is the most sensible option but for this example I am sticking to generic terms for the sake of security.

If you are using a pre-shared key then you enter it as clear text in the pre-shared key box.

To add the gateway endpoints, click Add under the endpoints section at the bottom of the page:

In the above we can see that our local gateway is 10.10.10.10, which is the local IP address of the Firebox in this example. This simply refers to the internal address you are using to access your Firebox. The external interface can remain as 'external', selected from the drop-down list. If you are using a VPN trunk between different endpoints to offer redundancy in your VPN then you can set up various host identities here, but for now we are sticking to the simplest configuration.

Next we set the external IP of the DrayTek. The static IP address has been set as 75.75.75.75, as the DrayTek 3300 we are connecting to lives on ethernet fibre and has a static IP. The identity has been left the same, as the DrayTek will automatically use its external IP as its identity, so this keeps things simple.

Once you have entered these then press OK to return to the last page.

Once there, click on the Phase 1 Settings tab:

Above is the dialog for configuring the Phase 1 Settings. This is the first stage of key exchange between your firewalls, and we can see that the Firebox already has various defaults. In this example most of these settings can be left as they are; the important parts are the Mode and the Transform Settings at the bottom. The mode is set to Main, which is our preferred option in this example, so we will leave it be.

The Transform Settings need to be updated so select the phase1 transform and click edit.

You should see a box resembling the below:

In our example - as the DrayTek supports AES 256 with DH Group 5 - we are going to select SHA1 as our authentication and AES 256-bit as our encryption, with an 8 hour SA life, though feel free to choose another SA lifetime. These settings must mirror the DrayTek, so make a careful note of what you decide upon.

Once you have entered your chosen settings, close the tunnel dialog box, and then click OK on the remaining dialogs to return you the Policy Manager

Now select the Branch Office Tunnels item on the VPN menu:

You will see the New Tunnel Dialog:

Give your tunnel a name and associate with your gateway under the Gateway selector as above.

Click Add to choose the addresses associated with your new tunnel:

Choose your local network for the Firebox by either selecting it from the dropdown menu or by entering it manually. In this example the Firebox is on a 100.100.100.0/24 network:

Click OK to add your subnet and leave the other settings be as the defaults will suffice for this connection.

Click the Phase 2 Settings tab on the previous screen:

In our example our system is going to use perfect forward secrecy, so PFS can remain ticked. We are going to use Diffie-Hellman Group 5, so select that from the drop-down.

The ESP-AES-SHA1 option chosen is already correct but be sure to click edit and check that you have a record of the SA time-outs as they will need to match the DrayTek. Once you are satisfied you can click OK and create your tunnel:

Click close to complete creating the tunnel.

The firebox configuration is now complete so save the settings to your firebox when you are ready. Now we will consider the DrayTek 3300:

Log into your DrayTek 3300 as below:

Under the VPN menu select IPSec and then Policy Table:

Under the new IPSec VPN make sure your VPN is set to enable or always-on depending on how you wish your VPN to behave. In this example we will select enable which will come up as soon as you need it in most cases.

Give your VPN a name and replicate the pre-shared key from the Firebox.

ESP is your security protocol so no need to change this.

NAT Traversal should be enabled. If you are connecting two Windows networks then NetBIOS can be enabled for Windows management traffic and machine location - such as computer browser service and the like - to function fully.

The WAN interface I am using is WAN1, so this stays the same, and the DrayTek's local LAN settings go into the local gateway settings (the post shows 100.100.100.0/24 here as well as on the Firebox, but the two sites must actually use different ranges or nothing will route, so substitute your own distinct subnet). Leaving the other settings as default simply means that the DrayTek will use its LAN and WAN addresses as its ID for the VPN, which is fine in this example.

Under the remote gateway settings we add the external address of the Firebox and its LAN address. This tells the DrayTek which destinations to encrypt traffic for and what source addresses to expect when traffic arrives from the tunnel.

Once you have completed the above, click the advanced tab at the top of the page.

Now we configure the DrayTek phase 1 & 2 settings. On the Firebox we assigned an 8 hour AES 256-bit DH group 5 and so we complete the DrayTek in the same way as below:

Once again we choose 'main' as the mode and tick the Perfect Forward Secrecy box for PFS to be enabled.

Say OK and you will see that the VPN is now set.

You can monitor under  VPN IPsec Status and see the VPN comes up when you ping something on the other internal LAN:

The above shows the VPN has been picked up with the correct IP and LAN subnets ;)


DrayTek Vigor 2800 to Watchguard Firebox X550e Core VPN

4. March 2016 07:41 by sirclesadmin in Internet Security, VPN

Watchguard Firebox X550e v8.3 to Draytek VPN


A DrayTek - Watchguard IPSec VPN

I would like to begin by dispelling a few myths about the way these two firewalls - particularly the DrayTek Vigor - behave. It is written time and time again on the SEG and DrayTek websites that various unrelated pages of the configuration matter to both ends. This is misleading, and you can spend hours wondering whether the name of your profile on the DrayTek VPN configuration page is causing your problem, or perhaps the name you have assigned to a Gateway Endpoint in the Watchguard. These configuration names are never sent to the other endpoint - they are, after all, security devices and do not give out data without a good reason - so call them whatever is convenient.

Before you begin configuring a VPN using AES or 3DES between two sites, bear in mind that the Firebox and other enterprise devices like the PIX or Checkpoint require licences for each piece of functionality; if you do not have a licence for an AES VPN, do not try to connect one, as you will be wasting your time. If you are using a DrayTek 2800/2900 series then bear in mind that the AES these routers support on the latest firmware at the time of writing is 128-bit and not the 256-bit required by the Watchguard 550s and above, so if you want to go the AES route, buy a DrayTek 3300 or 2950.

First let us deal with the configuration of the Draytek as it is very simple and it will allow me to make clear what actually does  make a difference in the Draytek LAN-to-LAN configuration. Firstly do not worry about the 'IPSec General Setup' page (called the VPN IKE / IPSec General Setup on the 2600 ) as this is simply for dial in users who wish to use L2TP over IPSec or are dialling in with a dynamic IP. If you are specifying the IP at each end then stick to the LAN-to-LAN configuration page.

What you will need to know:

  • External IP address of the firewall at each end (the real public IP address, which you can get by visiting http://whatismyip.com from inside each network)

  • The internal network of each network inside of each firewall - typically 192.168.x.0/24 where the /24 indicates it is a class C 255.255.255.0 network but it may not be so make sure you find out.

  • The type of Encryption - will it be encrypted? Are you using ESP with 3DES or 256 bit AES? What are the SA timeouts?

  • The pre-shared key, if you intend to use one - the secret each firewall uses to authenticate the other end before the session keys are derived.

Now that we have the information we shall insert it into the necessary gaps. Go into you Vigor and go to the VPN setup page and then into a LAN-to-LAN profile that is free and give it a suitable name (I like the name of whatever is at the other end to keep things easy.)



Now in our example we will use an IPSec tunnel which can be initiated by either end, so for the call direction we select 'Both' at the top right. We do not yet tick the box saying 'Enable this profile': as soon as the profile is live the DrayTek encrypts all data bound for the remote endpoint, and until the other end is configured that would stop us reaching it. After selecting IPSec we fill in the 'Server IP/Hostname' in the Dial-Out settings section. As soon as you have filled in the other endpoint's IP (the external IP address of the Firebox) the 'IKE Pre-Shared Key' button becomes active; click it and enter your pre-shared key. Next go down the page a little to the 'IPSec Security Method' section and choose your encryption method from AES/3DES/DES, or unencrypted, with SHA1 or MD5. In this example we shall use 3DES with SHA1 as there is no licence for AES on my Firebox. We now click the 'Advanced' button below to make sure of our settings.



This page decides exactly how our firewall negotiates the connection, so we choose simple values to be sure we can match them on the Firebox. The Phase 1 and Phase 2 values must correspond exactly to those on the Firebox. In my example I am choosing 3DES with SHA1 and a 3600 second lifetime for each of the IKE phases, and am leaving Perfect Forward Secrecy disabled. After saying OK to this we are taken back to the LAN-to-LAN page.

Carry on down to the 'Dial-In' settings section, where we fill in the details for the Firebox calling us.


Select IPSec as your allowed dial-in type and then select your remote VPN Gateway IP. The pre-shared key button is again active and you should fill it in with your pre-shared key as before. Next choose whichever encryption your Firebox will support (3DES in my case) and then add the following at the bottom:

My WAN IP: The External IP of your firewall

Remote Gateway IP: The External IP of the Firebox

Remote Network IP: The LAN IP Address such as 192.168.6.0

Remote Network Mask: The Subnet mask of the Firebox LAN - 255.255.255.0 in this case

You  can leave the RIP Direction set to both as the Firebox will not mind.

Now it is time to configure the Firebox. We will start in the Policy Manager, assuming you can get this far.


Go to the Branch Office VPN section, click on the VPN menu and select VPN Gateways.


 Add a new gateway with the external IP address of the Draytek:


In the above example I am using DES for Phase 1 (at the time of writing the current firmware brings the tunnel up quicker with DES) because the settings we added to the DrayTek allow either, but feel free to use 3DES and SHA1 here if you like. Bear in mind that single DES has a 56-bit key and can be brute-forced, so on any tunnel you care about use 3DES or, where licensed, AES. Say OK to all these settings to get back to the Policy Manager.


Now go to the VPN menu again, select 'Branch Office Tunnels' and add a new tunnel.


 Configure the new tunnel as follows:


Select the Gateway you added and then the encryption type. If you click on the button with the pencil next to the phase2_proposal.1 you can stipulate the encryption type specifically as we did on the Draytek, below are the specific settings I am using:


Click OK to get back to the previous screen and click the 'advanced' button for Phase2 advanced settings, then configure the following:



Now select OK to this and the previous screen and you are ready to add your policy rule by clicking the plus button on the Branch Office VPN page of Policy Manager. You must fill in the local LAN of the Firebox and the remote LAN of the DrayTek, for example 192.168.x.0/24 for a class C network or 172.16.x.0/16 for a class B.



Now you can say OK to all of the above and save your setup to the Firebox. You should then go back to the Draytek and add a tick to the LAN-to-LAN profile to enable it. Now try pinging any host on the internal LAN of the other network and you should see that you get a reply.