<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    ...... left/rightprotoport are generally for l2tp (but can have
    other specialised uses)! L2tp is normally for roadwarrior
    connections and not net-net. I know Drayteks support it so I was
    wondering if you were getting mixed up. You would not be using l2tp
    in Linux unless you specifically installed it (or your script did).<br>
    <br>
    As for quick and dirty settings, I'd use AES over 3DES. In fact I
    use ike=aes256-sha1;modp2048 and phase2alg=aes256-sha1 as both ends
    support it. I also use pfs.<br>
    <br>
    Nick<br>
    <br>
    <div class="moz-cite-prefix">On 04/12/2014 18:49, Darren Share
      wrote:<br>
    </div>
    <blockquote
      cite="mid:66841B1D-E7E3-4166-9DDD-190686BB7577@chronos.co.uk"
      type="cite">
      <meta http-equiv="content-type" content="text/html; charset=utf-8">
      <div>Hi Nick</div>
      <div><br>
      </div>
      <div>Thanks for the reply. I was originally using right=%any but
        changed it in an attempt to get it to work. I've changed it to
        tunnel mode and have now got it working. The biggest blocker was
        the leftprotoport= and rightprotoport= settings. Removing them
        actually achieved what I'm trying to do. I do have another
        problem now though but before I get into that, I'm curious about
        your question about l2tp. What makes you think I am using l2tp?
        I didn't think I was but I don't know libreswan (or any of the
        various *swans) very well and used the aforementioned script
        because I needed a quick and dirty VPN setting up. </div>
      <div><br>
      </div>
      <div>Thanks. </div>
      <div><br>
      </div>
      <div>Darren.<br>
      </div>
      <div><br>
        On 4 Dec 2014, at 18:25, Nick Howitt &lt;<a
          moz-do-not-send="true" href="mailto:nick@howitts.co.uk">nick@howitts.co.uk</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          Why are you using l2tp and not just plain IPsec? Also why are
          you using transport mode? Which Draytek are you using? I am
          not sure if they support transport mode. I don't think my 2820
          and 2710 do.<br>
          <br>
          Shouldn't right be the public IP of the Draytek or %any if the
          Draytek has a dynamic IP? rightsubnet then (possibly) becomes
          <font face="Segoe UI" size="2">10.111.1.0/24.<br>
            <br>
            Do you have the ipsec logs from libreswan?<br>
            <br>
            Nick<br>
          </font><br>
          <br>
          <div class="moz-cite-prefix">On 03/12/2014 16:16, Darren Share
            wrote:<br>
          </div>
          <blockquote
            cite="mid:STJDOEwyTyUwNDEqM0x7Mjc2OTQ2MDc@DARREN_TOSHIBA"
            type="cite">
            <meta name="GENERATOR" content="MSHTML 11.00.9600.17420">
            <p><font face="Segoe UI" size="2">Hi there.<br>
                <br>
                FYI, I have also posted this on Server Fault. I am
                trying to establish an ipsec VPN from a Draytek router
                on the edge of our corporate network to a VPS on Digital
                Ocean. I've set up the VPN on the VPS using this script
                - <a moz-do-not-send="true"
                  href="https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn"><font
                    color="#0000ff">https://github.com/philplckthun/setup-simple-ipsec-l2tp-vpn</font></a>
                - on an Ubuntu 14.04 machine. I believe the script
                downloads and installs libreswan and prompts for a few
                basic configuration questions etc. I've made a few
                changes to the ipsec.conf the script creates. My problem
                is, I can ping from the router to the VPS and I can see
                the packets arriving on the VPS showing as coming from
                the private IP address of the router, but nothing I've
                tried has allowed me to route packets back down the
                tunnel to the router. Therefore, from the router's pov
                it appears the pings are timing out.<br>
                <br>
                The router is connected directly to the internet on one
                of its interfaces and it is configured with a local IP
                address of 10.111.1.1. The VPS has a single interface
                connected directly to the internet.<br>
                <br>
                When the VPN is established this is the routing table on
                the VPS:<br>
                <br>
                Kernel IP routing table<br>
                Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface<br>
                default         178.62.64.1     0.0.0.0         UG        0 0          0 eth0<br>
                10.111.1.1      *               255.255.255.255 UH        0 0          0 eth0<br>
                178.62.64.0     *               255.255.192.0   U         0 0          0 eth0<br>
                <br>
                Note the second entry is created when the VPN is
                established.<br>
                <br>
                If I try to ping 10.111.1.1 I get:<br>
                <br>
                PING 10.111.1.1 (10.111.1.1) 56(84) bytes of data.<br>
                From &lt;public IP address - eth0&gt; icmp_seq=1
                Destination Host Unreachable<br>
                <br>
                Here is the output from ipsec verify:<br>
                <br>
                Verifying installed system and configuration files<br>
                <br>
                Version check and ipsec on-path [OK]<br>
                Libreswan 3.10 (netkey) on 3.13.0-37-generic<br>
                Checking for IPsec support in kernel [OK]<br>
                NETKEY: Testing XFRM related proc values<br>
                        ICMP default/send_redirects [OK]<br>
                        ICMP default/accept_redirects [OK]<br>
                        XFRM larval drop [OK]<br>
                Pluto ipsec.conf syntax [OK]<br>
                Hardware random device [N/A]<br>
                Two or more interfaces found, checking IP forwarding [OK]<br>
                Checking rp_filter [OK]<br>
                Checking that pluto is running [OK]<br>
                Pluto listening for IKE on udp 500 [OK]<br>
                Pluto listening for IKE/NAT-T on udp 4500 [OK]<br>
                Pluto ipsec.secret syntax [OK]<br>
                Checking 'ip' command [OK]<br>
                Checking 'iptables' command [OK]<br>
                Checking 'prelink' command does not interfere with FIPS<br>
                Checking for obsolete ipsec.conf options [OK]<br>
                Opportunistic Encryption [DISABLED]<br>
                <br>
                and here is the content of /etc/ipsec.conf (the
                commented out lines are results of previous
                experimentation with the same results) - essentially,
                nothing I change seems to make any difference:<br>
                <br>
                version 2.0<br>
                <br>
                config setup<br>
                 dumpdir=/var/run/pluto/<br>
                 nat_traversal=yes<br>
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24<br>
                 oe=off<br>
                 protostack=netkey<br>
                 nhelpers=0<br>
                 interfaces=%defaultroute<br>
                <br>
                conn vpnpsk<br>
                 connaddrfamily=ipv4<br>
                 auto=add<br>
                 left=178.62.73.215<br>
                #  leftid=178.62.73.215<br>
                #  leftsubnet=178.62.73.215/32<br>
                 leftsubnet=10.10.10.0/24<br>
                #  leftnexthop=%defaultroute<br>
                 leftnexthop=%direct<br>
                 leftprotoport=17/1701<br>
                 rightprotoport=17/%any<br>
                #  right=%any<br>
                 right=10.111.1.0/24<br>
                 rightsourceip=10.111.1.1<br>
                 leftsourceip=10.10.10.1<br>
                #  rightsubnetwithin=0.0.0.0/0<br>
                 forceencaps=yes<br>
                 authby=secret<br>
                 pfs=no<br>
                 type=transport<br>
                 auth=esp<br>
                 ike=3des-sha1,aes-sha1<br>
                 phase2alg=3des-sha1,aes-sha1<br>
                 rekey=no<br>
                 keyingtries=5<br>
                 dpddelay=30<br>
                 dpdtimeout=120<br>
                 dpdaction=clear<br>
                <br>
                This is the relevant part of the routing table from the
                router:<br>
                <br>
                Key: C - connected, S - static, R - RIP, * - default, ~ - private<br>
                *            0.0.0.0/ 0.0.0.0          via &lt;public IP address&gt;   WAN2<br>
                S~        10.10.10.0/ 255.255.255.0    via 178.62.73.215   VPN-10<br>
                C~        10.111.1.0/ 255.255.255.0    directly connected    LAN<br>
                C    &lt;public IP address&gt;/ 255.255.255.224   directly connected    WAN2<br>
                <br>
                Would appreciate someone pointing out what I'm doing
                wrong.<br>
                <br>
                Many thanks.<br>
              </font></p>
            <br clear="all">
______________________________________________________________________<br>
            This email has been scanned by the Symantec Email
            Security.cloud service.<br>
            For more information please visit <a moz-do-not-send="true"
              class="moz-txt-link-freetext"
              href="http://www.symanteccloud.com">http://www.symanteccloud.com</a><br>
______________________________________________________________________<br>
            <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <br>
            <pre wrap="">_______________________________________________
Swan mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
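    <p>Added example, not part of the list thread and not libreswan's own code: a small Python linter that parses an ipsec.conf and, for a connection meant to be net-to-net, flags the settings the thread identified as the problem or that Nick recommends changing: type=transport, the leftprotoport/rightprotoport selectors (L2TP, not net-to-net), right= holding a subnet instead of the peer's public IP or %any, a missing rightsubnet, 3DES offered in ike/phase2alg, and pfs=no. The two embedded conn blocks are constructed: POSTED_CONN is Darren's conn with the commented-out lines dropped, HARDENED_CONN is a hypothetical rewrite applying the thread's advice (tunnel mode, rightsubnet=10.111.1.0/24, ike=aes256-sha1;modp2048, phase2alg=aes256-sha1, pfs=yes). The rules are this example's assumptions about a sane site-to-site config, not libreswan's validation; the defaults assumed for absent keys (type=tunnel, pfs=yes) are libreswan's documented defaults.</p>

```python
"""Lint libreswan ipsec.conf 'conn' sections for the net-to-net pitfalls
discussed in the thread. Added example; the rules encode the thread's
advice and are assumptions, not libreswan's own validation."""
import re

# Constructed copy of the conn Darren posted, commented-out lines dropped.
POSTED_CONN = """\
conn vpnpsk
 connaddrfamily=ipv4
 auto=add
 left=178.62.73.215
 leftsubnet=10.10.10.0/24
 leftnexthop=%direct
 leftprotoport=17/1701
 rightprotoport=17/%any
 right=10.111.1.0/24
 rightsourceip=10.111.1.1
 leftsourceip=10.10.10.1
 forceencaps=yes
 authby=secret
 pfs=no
 type=transport
 auth=esp
 ike=3des-sha1,aes-sha1
 phase2alg=3des-sha1,aes-sha1
 rekey=no
 keyingtries=5
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
"""

# Constructed (hypothetical) net-to-net version applying the thread's advice.
HARDENED_CONN = """\
conn vpnpsk
 auto=add
 left=178.62.73.215
 leftsubnet=10.10.10.0/24
 right=%any
 rightsubnet=10.111.1.0/24
 authby=secret
 type=tunnel
 ike=aes256-sha1;modp2048
 phase2alg=aes256-sha1
 pfs=yes
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
"""

CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' block in text.
    '#' lines are comments; keys inside 'config setup' are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def lint_conn(opts):
    """Return findings for a conn that is meant to carry net-to-net traffic."""
    findings = []
    if opts.get("type", "tunnel").lower() == "transport":   # libreswan default: tunnel
        findings.append("type=transport: site-to-site traffic needs type=tunnel")
    for key in ("leftprotoport", "rightprotoport"):
        if key in opts:
            findings.append(f"{key} set: protoport selectors are for L2TP, drop them for net-to-net")
    if CIDR.match(opts.get("right", "")):
        findings.append("right= is a subnet: use the peer's public IP or %any; the LAN goes in rightsubnet")
    if "rightsubnet" not in opts:
        findings.append("rightsubnet missing: declare the remote LAN (e.g. 10.111.1.0/24)")
    for key in ("ike", "phase2alg"):
        if "3des" in opts.get(key, "").lower():
            findings.append(f"{key} offers 3DES: prefer AES, e.g. aes256-sha1")
    if opts.get("pfs", "yes").lower() == "no":               # libreswan default: yes
        findings.append("pfs=no: enable perfect forward secrecy")
    return findings


def lint(text):
    """Lint every conn in an ipsec.conf body; returns {conn_name: [findings]}."""
    return {name: lint_conn(opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONN), ("hardened", HARDENED_CONN)):
        for name, findings in lint(conf).items():
            print(f"[{label}] conn {name}: {len(findings)} finding(s)")
            for f in findings:
                print("  -", f)
```

    <p>Run against the posted conn the linter reports eight findings (transport mode, both protoport lines, right= as a subnet, no rightsubnet, 3DES in ike and in phase2alg, pfs=no); the hardened conn passes clean. Point it at a real /etc/ipsec.conf by passing the file's contents to lint().</p>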
    <br>
  </body>
</html>