Monday, February 18, 2013

IPsec VPN to Draytek 2820 routers

I had a terrible fight getting my Linux box to connect and talk to my Draytek routers using an IPsec VPN.

There was little information about it, and nothing concrete.

So I am recording here how I did it.

I wanted to use IPsec VPN tunnels on my routers, as IPsec is built in, and I already had a number of VPN tunnels between routers running this way.

I was running CentOS 5 with my favourite distro, contribs.org (SME Server), on a VPS and wanted to create an IPsec VPN tunnel to the Draytek.

I tried various different implementations of IPsec but at the end of the day I used Openswan.

My ipsec.conf looked like this:

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # Left on here while getting the tunnel up; turn it back down once it
    # works, as "all" is very noisy (klipsdebug is ignored under netkey anyway).
    klipsdebug=all
    plutodebug="control parsing"
    interfaces=%defaultroute
    oe=no
    # Use the in-kernel (netkey) IPsec stack rather than KLIPS
    protostack=netkey
    syslog=syslog.debug
    # These are the two local nets I am tunnelling
    virtual_private=%v4:10.1.0.0/24,%v4:192.168.88.0/24

conn net-to-net
    type=tunnel
    # Pre-shared key, looked up in ipsec.secrets
    authby=secret
    auto=start
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    # This is the VPS server: its LAN-side address and the LAN behind it
    leftsourceip=192.168.88.1
    leftsubnet=192.168.88.0/24
    # Perfect forward secrecy, which the Draytek end is also set to use
    pfs=yes
    # Renegotiate if the peer goes quiet (dpddelay/dpdtimeout control how
    # quickly a dead peer is noticed)
    dpdaction=restart
    # This is the Draytek's forward-facing IP address and the LAN behind it
    right=123.128.243.69
    rightsubnet=10.1.0.0/24
    # No ike=/esp= lines here, so the proposals come from Openswan's defaults;
    # pin them (e.g. ike=aes256-sha1;modp2048 and esp=aes256-sha1) if you want
    # to match the Draytek settings below exactly and rule out weaker fallbacks.

Put your PSK in ipsec.secrets (the file must be owned by root and mode 600, as it holds the key in clear):

# /etc/ipsec.secrets - IPsec secrets file (header left over from the strongSwan template)
# The first IP is the forward-facing IP of the VPS. "%any" lets any peer use
# this PSK; replacing it with the Draytek's address (123.128.243.69) limits the
# key to that one peer.
5.99.23.43 %any : PSK "SomeStrongPassword#"

I was advised to set the advanced IPsec configuration of the Draytek as follows:

"use aes256,sha1,group14 and you also enable pfs in the advanced setting"

Lastly, you need to set up your iptables correctly. My server is set up in what is known as 'Server and Gateway' mode. It is meant to have two network cards, one for the outside world and the other for the internal/local network, and it routes between them as required. Masquerading is enabled.

I *believe* you need the following. I am no iptables guru. I think you need port 500 for IPsec.

# IKE (ISAKMP) between the two peers: UDP port 500 at both ends
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# Mark inbound ESP (IP protocol 50) in the mangle table so the filter
# rules below can accept it
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# Nothing above sets mark 2; these two only do anything if some other
# script on the box marks packets with 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT

# Not sure if this should go here but it works.
# NAT exemption for tunnelled traffic. -I puts it ahead of the MASQUERADE
# rule, so LAN packets bound for the far subnet keep their 192.168.88.x
# source address and still match the IPsec policy, instead of being
# rewritten to the outer IP first and going out unencrypted.
/sbin/iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

The last was the final bit of the jigsaw - without it I could ping from the Draytek end to the server, but not the server to the Draytek.



Fire up the last line and it all worked.
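The firewall part of the procedure above, reworked as an added example; this is not code from the original post, from Openswan or from SME Server. It keeps the NAT exemption that made the tunnel work but accepts the decrypted traffic on the kernel's own IPsec policy match (`-m policy --dir in --pol ipsec`) instead of a mangle-table mark, restricts IKE and ESP to the one known peer, applies the sysctl settings Openswan's `ipsec verify` warns about under netkey, and includes a check that both SPD entries for the tunnel exist. `eth0` standing in for `$OUTERIF`, the two subnets and the Draytek address are assumptions taken from the configuration above; the `ip xfrm policy` output in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post, Openswan or SME Server.
# Firewall rules for an Openswan/netkey site-to-site tunnel on a masquerading
# gateway, wrapped in functions so they can be dry-run (IPT=echo) and reviewed.
# eth0, the subnets and the peer address are assumptions matching the post.

OUTERIF="${OUTERIF:-eth0}"                # the post's $OUTERIF
LOCALNET="${LOCALNET:-192.168.88.0/24}"   # LAN behind the VPS (leftsubnet)
REMOTENET="${REMOTENET:-10.1.0.0/24}"     # LAN behind the Draytek (rightsubnet)
PEER="${PEER:-123.128.243.69}"            # Draytek's public address (right=)
IPT="${IPT:-/sbin/iptables}"              # set IPT=echo to print instead of apply
SYSCTL="${SYSCTL:-/sbin/sysctl}"          # set SYSCTL=echo likewise

vpn_firewall_rules() {
    # IKE (UDP/500) and NAT-T (UDP/4500; only used if a NAT sits between the
    # peers, harmless otherwise), accepted from the one known peer only.
    $IPT -A INPUT -i "$OUTERIF" -s "$PEER" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$OUTERIF" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    # The encrypted payload itself: IP protocol 50 (ESP).
    $IPT -A INPUT -i "$OUTERIF" -s "$PEER" -p esp -j ACCEPT

    # Under netkey the decrypted packet re-traverses the filter chains carrying
    # its IPsec policy. Matching on that policy, rather than on a mangle mark,
    # means a cleartext packet forged with the tunnel's addresses is not let in.
    $IPT -A FORWARD -i "$OUTERIF" -m policy --dir in --pol ipsec --proto esp \
         -s "$REMOTENET" -d "$LOCALNET" -j ACCEPT
    $IPT -A FORWARD -o "$OUTERIF" -m policy --dir out --pol ipsec --proto esp \
         -s "$LOCALNET" -d "$REMOTENET" -j ACCEPT

    # NAT exemption. -I puts it ahead of the MASQUERADE rule: if the LAN packet
    # were rewritten to the outer address first it would no longer match the
    # LOCALNET -> REMOTENET policy and would leave unencrypted or not at all,
    # which is the one-way ping the post describes.
    $IPT -t nat -I POSTROUTING -o "$OUTERIF" -m policy --dir out --pol ipsec \
         -s "$LOCALNET" -d "$REMOTENET" -j ACCEPT
}

# Kernel settings that Openswan's `ipsec verify` warns about on netkey:
# ICMP redirects and strict reverse-path filtering both break tunnelled routing.
vpn_sysctl() {
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.rp_filter=0; do
        $SYSCTL -w "$kv"
    done
}

# Confirm the kernel really installed both SPD entries for the tunnel.
# Reads `ip xfrm policy` output on stdin; exits 0 only if an "out" policy
# LOCALNET -> REMOTENET and an "in" policy REMOTENET -> LOCALNET both exist.
vpn_policy_check() {
    awk -v l="$LOCALNET" -v r="$REMOTENET" '
        /^src /        { s = $2; d = $4 }
        /^[ \t]*dir /  { if (s == l && d == r && $2 == "out") o = 1
                         if (s == r && d == l && $2 == "in")  i = 1 }
        END            { exit (o && i) ? 0 : 1 }'
}

# Apply for real only when asked, so sourcing this file has no side effects.
if [ "${VPN_APPLY:-0}" = 1 ]; then
    vpn_sysctl
    vpn_firewall_rules
    ip xfrm policy | vpn_policy_check && echo "tunnel policies installed" \
                                      || echo "tunnel policies missing"
fi
```

Run it as root with `VPN_APPLY=1` to apply, or with `IPT=echo SYSCTL=echo` to just print what it would do. The mark-based rules only prove that a packet arrived as ESP on the outer interface; `-m policy` checks the kernel's own record that the packet was decapsulated under the tunnel's policy, which is what actually ties the accepted traffic to the authenticated peer.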

Thanks to the people on the Openswan list for help and guidance, and I hope this helps someone.
