
LAN TO LAN VPN between pfsense and draytek


#1

Hi all.

I'm new here and not too experienced when it comes to pfSense. What I currently want is a site-to-site/LAN-to-LAN VPN between a router with pfSense and a Draytek I have. So far I have only been able to make a connection by dialling out of the pfSense router to the Draytek, which connects, but I can't send any traffic through, ping other IPs etc. After about 20 seconds it disconnects (maybe because of some keep-alive thing, but it shows that a few bytes of traffic are passing through the VPN via the pfSense IPsec status). Just wondering if anyone can point me in the right direction or can send a link to a guide to follow.

Many thanks from a bit of a networking noob :grinning:


#2

@Gurney, from what little information you give, it isn't very clear what your ultimate goal is. What I think you are trying to do is create a secure tunnel between two different networks. For example, I want to create a secure tunnel from house A to house B; house A is using pfSense as its router, house B is using a Draytek router. For some reason, the secured tunnel is collapsing on you after about 20 seconds. Without knowing what equipment you are running on your network it is very hard to help you. So I have a few questions to help me and others figure out what is causing the secure tunnel to collapse, or not be created properly.

Question 1: How are you running pfSense, meaning is it running on an old computer or did you install it on a virtual machine?

Question 2: What is the model number of the Draytek router, so I can look up the manual for it?

Also, just for the future, you might want to include a diagram of the two different networks you are trying to connect; it will give a better understanding of what you are trying to accomplish.


#3

In addition, there is no explanation of the tunnel you have created, and no log data from it. I am not familiar with Draytek, but checking a manual, as stated above, is a good first chapter to begin with.

Additionally, a site-to-site tunnel can normally require a routing entry, but, as you have not stated the current setup, nor given enough information to help us help you…


#4

Hi,
Sorry, I guess I should have provided more information.

Here is the log of my connection from my Draytek router:

|2019-01-11 10:01:17| IKE_RELEASE VPN : L2L Dial-in, Profile index = 1, Name = ???, ifno = 10|
|---|---|
| 2019-01-11 10:01:17| [L2L][DOWN][IPsec][@1:???]|
| 2019-01-11 10:01:02| IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x42f8f7d5|
| 2019-01-11 10:01:02| IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x18dfd4ce|
| 2019-01-11 10:00:47| IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xaa12ecb7|
| 2019-01-11 10:00:47| IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xbfd57fc4|
| 2019-01-11 10:00:32| IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xe21afb74|
| 2019-01-11 10:00:32| IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x67909682|
| 2019-01-11 10:00:17| [L2L][UP][IPsec][@1:???]|

Here is the log of the pfSense, which looks useful:

|Jan 11 10:11:24 |charon ||08[CFG] vici client 3450 connected|
|---|---|---|---|
|Jan 11 10:11:22 |charon ||06[CHD] <con1000|14> CHILD_SA con1000{15} state change: INSTALLED => DESTROYING|
|Jan 11 10:11:22 |charon ||06[CHD] CHILD_SA con1000{15} state change: INSTALLED => DESTROYING|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> IKE_SA con1000[14] state change: DELETING => DESTROYING|
|Jan 11 10:11:22 |charon ||06[IKE] IKE_SA con1000[14] state change: DELETING => DESTROYING|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> IKE_SA con1000[14] state change: DELETING => DELETING|
|Jan 11 10:11:22 |charon ||06[IKE] IKE_SA con1000[14] state change: DELETING => DELETING|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> IKE_SA con1000[14] state change: ESTABLISHED => DELETING|
|Jan 11 10:11:22 |charon ||06[IKE] IKE_SA con1000[14] state change: ESTABLISHED => DELETING|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> deleting IKE_SA con1000[14] between 193.117.157.28[193.117.157.28]…51.52.216.189[51.52.216.189]|
|Jan 11 10:11:22 |charon ||06[IKE] deleting IKE_SA con1000[14] between 193.117.157.28[193.117.157.28]…51.52.216.189[51.52.216.189]|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> received DELETE for IKE_SA con1000[14]|
|Jan 11 10:11:22 |charon ||06[IKE] received DELETE for IKE_SA con1000[14]|
|Jan 11 10:11:22 |charon ||06[ENC] <con1000|14> parsed INFORMATIONAL_V1 request 4130551585 [ HASH D ]|
|Jan 11 10:11:22 |charon ||06[ENC] parsed INFORMATIONAL_V1 request 4130551585 [ HASH D ]|
|Jan 11 10:11:22 |charon ||06[NET] <con1000|14> received packet: from 51.52.216.189[500] to 193.117.157.28[500] (92 bytes)|
|Jan 11 10:11:22 |charon ||06[NET] received packet: from 51.52.216.189[500] to 193.117.157.28[500] (92 bytes)|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> nothing to initiate|
|Jan 11 10:11:22 |charon ||06[IKE] nothing to initiate|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> activating new tasks|
|Jan 11 10:11:22 |charon ||06[IKE] activating new tasks|
|Jan 11 10:11:22 |charon ||06[NET] <con1000|14> sending packet: from 193.117.157.28[500] to 51.52.216.189[500] (92 bytes)|
|Jan 11 10:11:22 |charon ||06[NET] sending packet: from 193.117.157.28[500] to 51.52.216.189[500] (92 bytes)|
|Jan 11 10:11:22 |charon ||06[ENC] <con1000|14> generating INFORMATIONAL_V1 request 2306112802 [ HASH N(DPD_ACK) ]|
|Jan 11 10:11:22 |charon ||06[ENC] generating INFORMATIONAL_V1 request 2306112802 [ HASH N(DPD_ACK) ]|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> activating ISAKMP_DPD task|
|Jan 11 10:11:22 |charon ||06[IKE] activating ISAKMP_DPD task|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> activating new tasks|
|Jan 11 10:11:22 |charon ||06[IKE] activating new tasks|
|Jan 11 10:11:22 |charon ||06[IKE] <con1000|14> queueing ISAKMP_DPD task|
|Jan 11 10:11:22 |charon ||06[IKE] queueing ISAKMP_DPD task|
|Jan 11 10:11:22 |charon ||06[ENC] <con1000|14> parsed INFORMATIONAL_V1 request 1079314020 [ HASH N(DPD) ]|
|Jan 11 10:11:22 |charon ||06[ENC] parsed INFORMATIONAL_V1 request 1079314020 [ HASH N(DPD) ]|
|Jan 11 10:11:22 |charon ||06[NET] <con1000|14> received packet: from 51.52.216.189[500] to 193.117.157.28[500] (92 bytes)|
|Jan 11 10:11:22 |charon ||06[NET] received packet: from 51.52.216.189[500] to 193.117.157.28[500] (92 bytes)|

The Draytek is a Vigor 2862.
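The pfSense log above is strongSwan's charon daemon, and the useful fact in it is who tore the tunnel down: the Draytek answers a DPD probe, is acknowledged, and then sends an IKE DELETE, after which pfSense moves the IKE_SA and CHILD_SA to DELETING/DESTROYING. As an added example (not part of the thread), here is a small parser that reads charon lines of that shape, de-duplicates the `<con1000|14>`-prefixed and unprefixed copies pfSense logs for each event, and reports whether the delete came from the peer or was initiated locally. The sample lines are constructed in the same syslog shape; connection name, SA ids and addresses are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of a pfSense/strongSwan charon log; the
# connection name, SA ids and RFC 5737 addresses are placeholders.
SAMPLE_LOG = """\
Jan 11 10:11:22 charon 06[NET] received packet: from 203.0.113.2[500] to 198.51.100.1[500] (92 bytes)
Jan 11 10:11:22 charon 06[ENC] parsed INFORMATIONAL_V1 request 1079314020 [ HASH N(DPD) ]
Jan 11 10:11:22 charon 06[IKE] queueing ISAKMP_DPD task
Jan 11 10:11:22 charon 06[ENC] generating INFORMATIONAL_V1 request 2306112802 [ HASH N(DPD_ACK) ]
Jan 11 10:11:22 charon 06[NET] sending packet: from 198.51.100.1[500] to 203.0.113.2[500] (92 bytes)
Jan 11 10:11:22 charon 06[ENC] parsed INFORMATIONAL_V1 request 4130551585 [ HASH D ]
Jan 11 10:11:22 charon 06[IKE] <con1000|14> received DELETE for IKE_SA con1000[14]
Jan 11 10:11:22 charon 06[IKE] received DELETE for IKE_SA con1000[14]
Jan 11 10:11:22 charon 06[IKE] deleting IKE_SA con1000[14] between 198.51.100.1[198.51.100.1]...203.0.113.2[203.0.113.2]
Jan 11 10:11:22 charon 06[IKE] IKE_SA con1000[14] state change: ESTABLISHED => DELETING
Jan 11 10:11:22 charon 06[CHD] CHILD_SA con1000{15} state change: INSTALLED => DESTROYING
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
SA_PREFIX_RE = re.compile(r"^<[^>]+> ")          # the "<con1000|14> " duplicate-line prefix
IKE_SA_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\])")
CHILD_SA_RE = re.compile(r"CHILD_SA (?P<sa>\S+\{\d+\})")


@dataclass
class TunnelEvents:
    dpd_received: int = 0          # DPD probes the peer sent us
    dpd_acked: int = 0             # DPD_ACKs we generated in reply
    deletes_received: int = 0      # IKE DELETE notifications from the peer
    deleted_by: Optional[str] = None   # "peer", "local" or None
    ike_sa_states: Dict[str, str] = field(default_factory=dict)
    child_sas_destroyed: List[str] = field(default_factory=list)


def parse_charon_log(text: str) -> TunnelEvents:
    """Summarise DPD and teardown events from charon log lines (oldest or newest first)."""
    events = TunnelEvents()
    seen = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = SA_PREFIX_RE.sub("", m["msg"])
        key = (m["ts"], msg)
        if key in seen:               # pfSense logs each event twice (with and without prefix)
            continue
        seen.add(key)
        if msg.startswith("parsed") and "N(DPD) ]" in msg:
            events.dpd_received += 1
        elif msg.startswith("generating") and "N(DPD_ACK) ]" in msg:
            events.dpd_acked += 1
        elif msg.startswith("received DELETE for IKE_SA"):
            events.deletes_received += 1
            events.deleted_by = "peer"     # peer-initiated wins regardless of line order
        elif msg.startswith("deleting IKE_SA") and events.deleted_by is None:
            events.deleted_by = "local"
        sa = IKE_SA_RE.search(msg)
        if sa and "state change:" in msg:
            events.ike_sa_states[sa["sa"]] = msg.split("=> ")[-1]
        child = CHILD_SA_RE.search(msg)
        if child and "=> DESTROYING" in msg:
            events.child_sas_destroyed.append(child["sa"])
    return events


def explain(events: TunnelEvents) -> str:
    """Turn the summary into the troubleshooting hint a defender would want."""
    parts = []
    if events.dpd_received and events.dpd_acked >= events.dpd_received:
        parts.append("DPD probes from the peer were answered, so this is not a local DPD timeout.")
    if events.deleted_by == "peer":
        parts.append("The peer sent the IKE DELETE: the tunnel was torn down from the remote end; "
                     "check that side's Phase 2 / profile settings and its log.")
    elif events.deleted_by == "local":
        parts.append("This side initiated the delete: check local lifetimes, DPD and Phase 2 mismatches.")
    else:
        parts.append("No teardown seen in this excerpt.")
    return " ".join(parts)


if __name__ == "__main__":
    ev = parse_charon_log(SAMPLE_LOG)
    print(ev)
    print(explain(ev))
```

Feed it the unpiped text of a pfSense IPsec log (newest-first order is fine); the `deleted_by` field tells you which end to look at first.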


#5

@Shadowbane my pfSense is running on a virtual machine in a cloud server. I have an OpenVPN connection to it running fine. The Draytek is a Vigor 2862. The connection I want is just an IPsec tunnel between the two routers; sorry, not quite sure if I need anything else for it to work, it's just a router-to-router connection if that makes sense.


#6

IPsec has two parts to it: a Phase 1 and a Phase 2.

Your Phase 1 defines the connection: the remote IP, the authentication, the encryption and a few other tunables.

The Phase 2 defines the networks: what mode you're running in, what local network you wish to connect with what remote network, and the key exchanges.

By the sounds of it you have your Phase 1 set up and working (as it is establishing a connection); have you defined your Phase 2s?

If you have, I don't know how the Draytek handles it, but on the pfSense side you need to define a firewall rule under the IPsec header (source: the remote network; destination: the local network). (Also, if you do not have a LAN-to-any rule, a rule specifying that the LAN can reach the remote network.)


#7

Wow, I think it was a firewall issue. I had tried having a firewall rule to allow all IPs to all sources (just for testing), but it seems to be holding now. Thanks for the help, and I'll reply later to say if it's still working.


#8

OK, so it still only stays established for around 45 seconds but re-establishes almost instantly. I guess this is something to do with the keep-alive or something to the same effect?


#9

I had a hunch you were running pfSense in the cloud. Unfortunately, I have never gotten pfSense to run very well in a virtualized environment, but there are some other members that have gotten pfSense to run very well in a virtualized environment; they should be able to help you or at least point you in the right direction.


#10

I'll keep that in mind for future troubleshooting. If I may pick everyone's brain again, I've kind of confused myself with how to communicate with the LAN from changing all the settings (and am frankly terrified of changing anything now it's working).

If anyone is still here, these are the network settings for the Draytek:

[image]

Here is the P2 on pfSense: https://screenshots.firefox.com/ismmL1JeCya5cV8G/192.168.251.1

Not sure which IPs need to be the same or how the LAN needs to be configured.


#11

@Gurney I think the reason the connection for the tunnel is collapsing is that the Draytek router isn't configured properly. I don't have time today to read the manual, but I do tomorrow. If you need this fixed right away, I would contact your ISP and see if they can figure out why it won't work. I suspect you have the wrong IP address in the wrong fields, but without looking at the manual I am just guessing.


#12

I am going to presume that in your screenshots of the Draytek you have redacted your WAN IP and gateway IP.

Your IP ranges on each device need to be the opposite of each other. So, say, the Draytek local network needs to be defined as the remote network on the pfSense box, whilst the pfSense local network is the remote network on the Draytek end.

As for the Remote Network IP (in the Draytek config), that looks fine, as with the CIDR mask below it (Remote Network Mask) you've specified a network address.
However, for the Local Network IP you've specified a host address. This will not work with IPsec. With the specified Local Network Mask your Local Network IP should be 192.168.2.0.

As for the pfSense side, it can be a little slow to initiate connections when specifying auto for the encryption algorithms. I would definitely check that the Perfect Forward Secrecy (PFS) setting matches the Draytek end, as this would easily block off Phase 2 initiation.

Bear in mind that each Profile Index added on the Draytek requires that you add another Phase 2 on the pfSense side.

If this can wait, I have one of these Draytek routers sat in a box somewhere that I can test with tomorrow.
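The two configuration checks made in posts #6 and #12 (the pfSense IPsec-tab rule must pass remote-network to local-network traffic; each side's local network must be the other side's remote network, and the Draytek "Local Network IP" must be a network address such as 192.168.2.0, not a host) can be expressed as a small audit. This is an added example, not code from the thread or from pfSense/Draytek; the sample values are constructed, and the pfSense LAN 192.168.251.0/24 is assumed from the screenshot URL rather than stated on the page.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def network_from_fields(ip: str, mask: str) -> Tuple[Net, List[str]]:
    """Build a network from Draytek-style 'Network IP' + 'Network Mask' fields.

    Reports when the IP field holds a host address rather than the network
    address (the post-#12 mistake: 192.168.2.7/255.255.255.0 should be 192.168.2.0).
    """
    findings: List[str] = []
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts dotted masks or prefix lengths
    net = iface.network
    if iface.ip != net.network_address:
        findings.append(f"{ip}/{mask} is a host address; the network address is {net.network_address}")
    return net, findings


def check_site_to_site(a_name: str, a_local: Net, a_remote: Net,
                       b_name: str, b_local: Net, b_remote: Net) -> List[str]:
    """Phase 2 selectors must mirror each other and must not overlap."""
    findings: List[str] = []
    if a_local != b_remote:
        findings.append(f"{a_name} local {a_local} != {b_name} remote {b_remote}")
    if a_remote != b_local:
        findings.append(f"{a_name} remote {a_remote} != {b_name} local {b_local}")
    if a_local.overlaps(a_remote):
        findings.append(f"{a_name} local {a_local} overlaps remote {a_remote}")
    return findings


def _covers(spec: str, net: Net) -> bool:
    return spec == "any" or net.subnet_of(ipaddress.IPv4Network(spec))


def ipsec_rule_allows(rules: List[Dict[str, str]], remote: Net, local: Net) -> bool:
    """Post #6: is there a pass rule on the IPsec interface for remote -> local?"""
    return any(
        r["interface"] == "ipsec" and r["action"] == "pass"
        and _covers(r["source"], remote) and _covers(r["destination"], local)
        for r in rules
    )


def audit() -> List[str]:
    """Run the checks over a constructed pair of configs; returns all findings."""
    findings: List[str] = []
    # Constructed Draytek profile: host address in the local field (the bug from the thread).
    dt_local, f = network_from_fields("192.168.2.7", "255.255.255.0")
    findings += f
    dt_remote, f = network_from_fields("192.168.251.0", "255.255.255.0")
    findings += f
    # Assumed pfSense Phase 2 (LAN 192.168.251.0/24 is an assumption, not from the page).
    pf_local = ipaddress.IPv4Network("192.168.251.0/24")
    pf_remote = ipaddress.IPv4Network("192.168.2.0/24")
    findings += check_site_to_site("pfSense", pf_local, pf_remote, "Draytek", dt_local, dt_remote)
    # Constructed pfSense rule set: only a LAN-tab rule, nothing on the IPsec tab.
    rules = [{"interface": "lan", "action": "pass", "source": "192.168.251.0/24", "destination": "any"}]
    if not ipsec_rule_allows(rules, pf_remote, pf_local):
        findings.append(f"no IPsec-tab pass rule for {pf_remote} -> {pf_local}")
    return findings


if __name__ == "__main__":
    for line in audit():
        print("FINDING:", line)
```

The mirror check passes for the constructed configs because `IPv4Interface` normalises the host address to its network, so the only findings are the host-address warning and the missing IPsec-tab rule.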


#13

I see, laminator, we are thinking along the same lines, except I assumed Gurney hadn't redacted his WAN IP and gateway IP and had maybe put the wrong IP address in the wrong fields, or hadn't set up the firewall for the Draytek correctly.