Draytek Vigor2200 <-> FreeS/WAN HOWTO
- v1.00 2002/01/24 - first
- v1.01 2002/03/06 - latest firmware supports PFS and fixes accidental pass-through of IKE packets when DMZ is used
- v1.02 2002/08/16 - make sure to use the scheduler in lan-lan profile
- We have a large network 10.2.0.0/16 with a FreeS/WAN Linux box on internal IP 10.2.0.1 and external (public internet) IP 220.127.116.11
- We also have a small network 192.168.1.0/24 with a Vigor2200 on internal IP 192.168.1.1 and external (public internet) IP 18.104.22.168
- Our setup will automatically bring up the link between the two networks as soon as any machine on the smaller network (behind the Vigor) tries to reach the larger network (behind the Linux box).
- You have successfully installed FreeS/WAN (for installing FreeS/WAN see http://www.freeswan.org/)
- Your Vigor2200 is up and running
- vm will be the IPSec box
- vigor will be the Vigor2200
First, create a PSK (pre-shared key) using the ipsec ranbits command:
vm:~# ipsec ranbits --continuous 128
0x6672dd8b3f15227556b606f9f624c3da
vm:~#
Access the Vigor2200 through its web interface. Go through the screens described below and configure them accordingly. You must of course replace the secret key with the one you generated above.
This screen is pretty straightforward. We configure the pre-shared key and tell the Vigor to both authenticate and encrypt using 3DES.
Vigor IKE/IPSec Setup
Dial-in Set up
  IKE Authentication method
    Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
    Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
  IPSec Security Method
    Select High(ESP) and 3DES
Dial-out
  IKE Authentication method
    Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
    Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
This screen has a lot of settings, but most of those on the right (except for dial direction and idle-timeout) can be ignored because they apply only to ISDN usage.
LAN-to-LAN Dialer Profile Setup
Common Setup
  Profile Name: ipsecvm
  Select Enable this profile
  Call Direction: select Both
  Idle Timeout: 900
Dial-Out Settings
  Username: leave empty, or leave ???
  Password: leave empty
  Server IP: 22.214.171.124
  Type of Server I am Calling: select IPSec Tunnel
  Select High(ESP) and 3DES with Authentication
  Scheduler(1-15): 1 (or whatever number you give your schedule profile)
Dial-In Settings
  Username: leave empty, or leave ???
  Password: leave empty
  Select Enable CLID
  Peer VPN Server IP: 126.96.36.199
  Allowed Dial-In Type: Select IPSec Tunnel
TCP/IP Network Settings
  My WAN IP: 0.0.0.0
  Remote Gateway: 188.8.131.52
  Remote Network: 10.2.0.0
  Remote Netmask: 255.255.0.0
  For NAT operation, treat remote sub-net as: Private IP
This screen enables the auto-dial function. It is not strictly necessary (you can start the connection manually from either side), but it is very convenient ;-)
Call Schedule Setup
Select Enable Schedule Setup
  Start Date: 2000-1-1
  Start Time: 0:0
  Duration: 23:59
  Action: select enable dial-on-demand
  Idle Timeout: 0
  How Often: select weekdays and sun, mon, etc
Now we set up the FreeS/WAN config files.
leftnexthop is usually the default gateway of the Linux box; rightnexthop is usually the default gateway of the Vigor.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=3
        keylife=3600s
        ikelifetime=480m
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes

conn peen
        esp=3des-md5-96
        left=184.108.40.206
        leftsubnet=10.2.0.0/16
        leftnexthop=220.127.116.11
        right=18.104.22.168
        rightsubnet=192.168.1.0/24
        rightnexthop=22.214.171.124
        auto=add
Below, of course, again replace the secret key with the one you generated earlier.

# /etc/ipsec.secrets
126.96.36.199 188.8.131.52 : PSK "0x6672dd8b3f15227556b606f9f624c3da"
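The two files above have to agree with each other and with the Vigor profile, and a hand-edited mismatch (a PSK indexed by the wrong gateway pair, a changed lifetime, a typo in a subnet) usually shows up only as a tunnel that silently fails to come up. The Python script below is an added example, not part of this HOWTO and not FreeS/WAN's own tooling: it parses an ipsec.conf and ipsec.secrets pair and checks that the PSK line is indexed by both gateway addresses of the conn, that the key is a 128-bit ipsec ranbits value, that the two subnets do not overlap, that keylife and ikelifetime are the 3600s/480m values the HOWTO says match the Vigor, and that ESP is 3DES with authentication with PFS on. The embedded file contents are constructed: the gateway addresses are RFC 5737 documentation addresses (192.0.2.1 and 198.51.100.1 with made-up nexthops) standing in for the public IPs above, and the conn name vigor is invented; the subnets, transforms and lifetimes are the ones from the HOWTO.

```python
"""Added consistency check for the FreeS/WAN side of the Vigor2200 tunnel
(example code, not part of the HOWTO or of FreeS/WAN)."""
import ipaddress
import re

# Constructed sample files: RFC 5737 documentation addresses stand in for
# the public gateway IPs; subnets, transforms and lifetimes follow the HOWTO.
IPSEC_CONF = """\
config setup
        interfaces="ipsec0=eth0"
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=3
        keylife=3600s
        ikelifetime=480m
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes

conn vigor
        esp=3des-md5-96
        left=192.0.2.1
        leftsubnet=10.2.0.0/16
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightsubnet=192.168.1.0/24
        rightnexthop=198.51.100.254
        auto=add
"""

IPSEC_SECRETS = """\
# index: the two gateway addresses that share the key
192.0.2.1 198.51.100.1 : PSK "0x6672dd8b3f15227556b606f9f624c3da"
"""


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' to {param: value}.
    FreeS/WAN syntax: a line at column 0 opens a section, indented lines
    are param=value pairs of the open section, '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections


def parse_ipsec_secrets(text):
    """Yield (index_selectors, kind, value) for each secret line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            selectors, _, rhs = line.partition(":")
            kind, _, value = rhs.strip().partition(" ")
            yield frozenset(selectors.split()), kind, value.strip().strip('"')


def check_tunnel(conf_text, secrets_text, name, keylife="3600s", ikelifetime="480m"):
    """Return a list of problems (empty = consistent). The lifetime defaults
    are the values the HOWTO says match the Vigor2200."""
    sections = parse_ipsec_conf(conf_text)
    conn = {**sections.get("conn %default", {}), **sections["conn " + name]}  # pluto merges %default
    problems = []
    if conn.get("authby") != "secret":
        problems.append("authby must be 'secret' for pre-shared-key IKE")
    # The PSK line must be indexed by both gateway addresses of this conn.
    gateways = {conn["left"], conn["right"]}
    keys = [v for sel, kind, v in parse_ipsec_secrets(secrets_text)
            if kind == "PSK" and gateways <= sel]
    if not keys:
        problems.append("no PSK in ipsec.secrets indexed by %s" % " ".join(sorted(gateways)))
    elif not re.fullmatch(r"0x[0-9a-f]{32}", keys[0]):
        problems.append("PSK is not a 128-bit 'ipsec ranbits' value")
    # Routing between the two LANs only works if they are disjoint.
    if ipaddress.ip_network(conn["leftsubnet"]).overlaps(ipaddress.ip_network(conn["rightsubnet"])):
        problems.append("leftsubnet and rightsubnet overlap")
    # Lifetimes must equal the Vigor's, or rekeying becomes unpredictable.
    if conn.get("keylife") != keylife or conn.get("ikelifetime") != ikelifetime:
        problems.append("keylife/ikelifetime differ from the Vigor's %s/%s" % (keylife, ikelifetime))
    # Vigor profile: High(ESP), 3DES with authentication, PFS on.
    if not conn.get("esp", "").startswith("3des-"):
        problems.append("esp must be 3DES with an authentication algorithm, e.g. 3des-md5-96")
    if conn.get("pfs") != "yes":
        problems.append("pfs=yes is needed to match the Vigor (firmware 2.x)")
    return problems


if __name__ == "__main__":
    print(check_tunnel(IPSEC_CONF, IPSEC_SECRETS, "vigor") or "OK: ipsec.conf and ipsec.secrets agree")
```

An empty list means the files agree; otherwise each string names one mismatch. To check real files, read /etc/ipsec.conf and /etc/ipsec.secrets into the two text arguments and pass your own conn name; the lifetime arguments default to the HOWTO's values but can be changed if the Vigor profile is changed.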
Some additional hints:
- The Vigor2200 supports IPSec only if the firmware is 2.00 or later.
- The keylife and ikelifetime above match those of the Vigor. If you use different values, results are unpredictable.