<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Why are you using L2TP and not just plain IPsec? Also, why are you
    using transport mode? Which Draytek are you using? I am not sure if
    they support transport mode. I don't think my 2820 and 2710 do.<br>
    <br>
    Shouldn't right be the public IP of the Draytek or %any if the
    Draytek has a dynamic IP? rightsubnet then (possibly) becomes <font
      face="Segoe UI" size="2">10.111.1.0/24.<br>
      <br>
      Do you have the ipsec logs from libreswan?<br>
      <br>
      Nick<br>
    </font><br>
    <br>
    <div class="moz-cite-prefix">On 03/12/2014 16:16, Darren Share
      wrote:<br>
    </div>
    <blockquote
      cite="mid:STJDOEwyTyUwNDEqM0x7Mjc2OTQ2MDc@DARREN_TOSHIBA"
      type="cite">
      <p><font face="Segoe UI" size="2">Hi there.<br>
          <br>
          FYI, I have also posted this on Server Fault. I am trying to
          establish an IPsec VPN from a Draytek router on the edge of
          our corporate network to a VPS on Digital Ocean. I've set up
          the VPN on the VPS using this script - <a
            moz-do-not-send="true"
            href="https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn"><font
              color="#0000ff">https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn</font></a>
          - on an Ubuntu 14.04 machine. I believe the script downloads
          and installs libreswan and prompts for a few basic
          configuration questions etc. I've made a few changes to the
          ipsec.conf the script creates. My problem is, I can ping from
          the router to the VPS and I can see the packets arriving on
          the VPS showing as coming from the private IP address of the
          router, but nothing I've tried has allowed me to route packets
          back down the tunnel to the router. Therefore, from the
          router's point of view it appears the pings are timing out.<br>
          <br>
          The router is connected directly to the internet on one of its
          interfaces and it is configured with a local IP address of
          10.111.1.1. The VPS has a single interface connected directly
          to the internet.<br>
          <br>
          When the VPN is established this is the routing table on the
          VPS:<br>
          <br>
        </font></p>
      <pre>Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
default         178.62.64.1     0.0.0.0         UG      0 0          0 eth0
10.111.1.1      *               255.255.255.255 UH      0 0          0 eth0
178.62.64.0     *               255.255.192.0   U       0 0          0 eth0
</pre>
      <p><font face="Segoe UI" size="2">
          <br>
          Note the second entry is created when the VPN is established.<br>
          <br>
          If I try to ping 10.111.1.1 I get:<br>
          <br>
        </font></p>
      <pre>PING 10.111.1.1 (10.111.1.1) 56(84) bytes of data.
From &lt;public IP address - eth0&gt; icmp_seq=1 Destination Host Unreachable
</pre>
      <p><font face="Segoe UI" size="2">
          <br>
          Here is the output from ipsec verify:<br>
          <br>
        </font></p>
      <pre>Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.10 (netkey) on 3.13.0-37-generic
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                     [OK]
         ICMP default/accept_redirects                   [OK]
         XFRM larval drop                                [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]
</pre>
      <p><font face="Segoe UI" size="2">
          <br>
          and here is the content of /etc/ipsec.conf (the commented-out
          lines are results of previous experimentation with the same
          results) - essentially, nothing I change seems to make any
          difference:<br>
          <br>
        </font></p>
      <pre>version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
    oe=off
    protostack=netkey
    nhelpers=0
    interfaces=%defaultroute

conn vpnpsk
    connaddrfamily=ipv4
    auto=add
    left=178.62.73.215
    #  leftid=178.62.73.215
    #  leftsubnet=178.62.73.215/32
    leftsubnet=10.10.10.0/24
    #  leftnexthop=%defaultroute
    leftnexthop=%direct
    leftprotoport=17/1701
    rightprotoport=17/%any
    #  right=%any
    right=10.111.1.0/24
    rightsourceip=10.111.1.1
    leftsourceip=10.10.10.1
    #  rightsubnetwithin=0.0.0.0/0
    forceencaps=yes
    authby=secret
    pfs=no
    type=transport
    auth=esp
    ike=3des-sha1,aes-sha1
    phase2alg=3des-sha1,aes-sha1
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
</pre>
      <p><font face="Segoe UI" size="2">
          <br>
          This is the relevant part of the routing table from the
          router:<br>
          <br>
        </font></p>
      <pre>Key: C - connected, S - static, R - RIP, * - default, ~ - private
*        0.0.0.0/ 0.0.0.0                       via &lt;public IP address&gt;   WAN2
S~       10.10.10.0/ 255.255.255.0              via 178.62.73.215             VPN-10
C~       10.111.1.0/ 255.255.255.0              directly connected            LAN
C        &lt;public IP address&gt;/ 255.255.255.224  directly connected            WAN2
</pre>
      <p><font face="Segoe UI" size="2">
          <br>
          Would appreciate someone pointing out what I'm doing wrong.<br>
          <br>
          Many thanks.<br>
        </font></p>
      <br clear="all">
      <br>
      <pre wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
    </blockquote>
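    <p>The plain-IPsec, tunnel-mode LAN-to-LAN configuration that Nick's
    reply points toward (right set to the Draytek's public address or
    %any, rightsubnet set to the router's LAN, no L2TP port restriction,
    no transport mode), written out as an added example. It is not the
    configuration from either message and not a vendor recipe: the VPS
    address 178.62.73.215 and the two networks 10.10.10.0/24 and
    10.111.1.0/24 are taken from the thread; the connection name, the
    assumption that the Draytek has a dynamic address (hence %any), the
    IKEv1 setting, the proposal strings and the PSK are placeholders to
    adapt.</p>
    <pre>```ini
# /etc/ipsec.conf on the VPS, libreswan 3.x syntax. Added example, not the
# thread's config: 178.62.73.215, 10.10.10.0/24 and 10.111.1.0/24 come from
# the messages above; every other value is an assumption to adjust.
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes          # harmless with public IPs on both ends; needed if the router is ever NATed
    oe=off
    interfaces=%defaultroute

conn draytek-lan
    type=tunnel                # subnet <-> subnet needs tunnel mode; transport mode only protects host <-> host
    keyexchange=ike
    ikev2=no                   # assumption: the Draytek LAN-to-LAN profile is IKEv1 main mode
    authby=secret
    auto=add                   # with right=%any the VPS can only respond; the router initiates
    left=178.62.73.215         # VPS public address
    leftsubnet=10.10.10.0/24   # the network the router already routes "via 178.62.73.215"
    leftsourceip=10.10.10.1    # source address for traffic the VPS itself sends into the tunnel;
                               # verify with "ip addr" that it is present on an interface after the SA is up
    right=%any                 # the Draytek's public IP if it is static; %any if it is dynamic
    rightsubnet=10.111.1.0/24  # the router's LAN; this is a subnet, so it belongs here, not in right=
    # no leftprotoport/rightprotoport: 17/1701 pins the SA to L2TP, which is
    # for road-warrior L2TP/IPsec, not for a LAN-to-LAN tunnel
    ike=aes256-sha1;modp2048   # IKEv1 phase 1; DH group 14 (fall back to modp1024/group 2 only if the router cannot)
    phase2alg=aes256-sha1      # ESP proposal; keep 3des out unless the router insists on it
    pfs=no                     # must match the router's phase 2 PFS setting, whichever way it is set
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# /etc/ipsec.secrets: because right=%any, the PSK is keyed on the VPS address and any peer
# 178.62.73.215 %any : PSK "replace-with-a-long-random-secret"
```</pre>
    <p>Load it with <code>ipsec auto --add draytek-lan</code> and bring
    the tunnel up from the router side. <code>ipsec auto --status</code>
    should then report an established IPsec SA, and <code>ip xfrm
    policy</code> should list policies between 10.10.10.0/24 and
    10.111.1.0/24 (not between the two public addresses only); a ping from
    10.10.10.1 to 10.111.1.1 then confirms the return path. The Draytek
    profile has to mirror this: local network 10.111.1.0/24, remote
    network 10.10.10.0/24, the same PSK, the same phase 1/phase 2
    proposals and the same PFS choice, which is consistent with the
    <code>S~ 10.10.10.0/24 via 178.62.73.215 VPN-10</code> route the router
    already shows. Since <code>right=%any</code> lets any host that knows
    the PSK negotiate this connection, use a long random secret and the
    router's fixed public address instead of %any wherever it has one.</p>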
    <br>
  </body>
</html>