Draytek Vigor2200 <-> FreeS/WAN HOWTO


Niels - January 24, 2002

Situation

Assumptions

Instructions

First, create a PSK (pre-shared key) using the ipsec ranbits command:

vm:~# ipsec ranbits --continuous 128 
0x6672dd8b3f15227556b606f9f624c3da
vm:~#

Access the Vigor2200 through its web interface. Go through the screens mentioned below and configure accordingly. You must of course replace the secret key with your own one created above.


This screen is pretty straightforward. We configure the pre-shared key and tell the Vigor to both authenticate and encrypt using 3DES.

Vigor IKE/IPSec Setup

Dial-in Set up
IKE Authentication method
Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
IPSec Security Method
Select High(ESP) and 3DES

Dial-out
IKE Authentication method
Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da
Re-type Pre-Shared Key: 0x6672dd8b3f15227556b606f9f624c3da

This screen has a lot of settings, but most of the ones on the right (except for call direction and idle timeout) can be ignored because they apply only to ISDN usage.

LAN-to-LAN Dialer Profile Setup

Common Setup
Profile Name: ipsecvm
Select Enable this profile
Call Direction: select Both
Idle Timeout: 900

Dial-Out Settings
Username: leave empty, or leave ???
Password: leave empty
Server IP: 123.123.123.123
Type of Server I am Calling: select IPSec Tunnel
Select High(ESP) and 3DES with Authentication

Scheduler(1-15): 1 (or whatever number you give your schedule profile)

Dial-In Settings
Username: leave empty, or leave ???
Password: leave empty
Select Enable CLID
Peer VPN Server IP: 123.123.123.123
Allowed Dial-In Type: Select IPSec Tunnel

TCP/IP Network Settings
My WAN IP: 0.0.0.0
Remote Gateway: 123.123.123.123
Remote Network: 10.2.0.0
Remote Netmask: 255.255.0.0

For NAT operation, treat remote sub-net as: Private IP


This screen enables the auto-dial function. It's not necessary (you can start the connection on either side manually), but it is very convenient ;-)

Call Schedule Setup

Select Enable Schedule Setup
Start Date: 2000-1-1
Start Time: 0:0
Duration: 23:59
Action: select enable dial-on-demand
Idle Timeout: 0
How Often: select weekdays and sun, mon, etc

FreeS/WAN

Now we set up the FreeS/WAN config files.

leftnexthop is usually the default gateway of the Linux box; rightnexthop is usually the default gateway of the Vigor.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=3
        keylife=3600s
        ikelifetime=480m
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes

conn peen
        esp=3des-md5-96
        left=123.123.123.123
        leftsubnet=10.2.0.0/16
        leftnexthop=123.123.123.1
        right=222.222.222.222
        rightsubnet=192.168.1.0/24
        rightnexthop=222.222.222.1
        auto=add

Below of course again replace the secret key with the one you generated earlier.

# /etc/ipsec.secrets

123.123.123.123 222.222.222.222 : PSK "0x6672dd8b3f15227556b606f9f624c3da"
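The two files above and the Vigor screens have to agree on the same handful of values (gateway addresses, remote network, PSK, ESP/3DES), and a typo in any one of them gives an IKE negotiation that just fails. The following script is an added example, not part of this HOWTO or of FreeS/WAN: it generates a PSK in the same 0x form as ipsec ranbits, parses an ipsec.conf and ipsec.secrets in the format shown above, and cross-checks them against the values typed into the Vigor. The VIGOR dictionary and its field names are my assumption of how to record the screen labels; the addresses and key are the placeholders used on this page.

```python
# Added example (not from the HOWTO or FreeS/WAN): generate a PSK like
# `ipsec ranbits --continuous 128`, parse ipsec.conf / ipsec.secrets and
# cross-check them against what was entered on the Vigor2200 screens.
import ipaddress
import re
import secrets


def make_psk(bits=128):
    """Random PSK as a 0x-prefixed hex string, the form ipsec ranbits prints."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return "0x" + secrets.token_hex(bits // 8)


def parse_ipsec_conf(text):
    """Parse FreeS/WAN ipsec.conf: an unindented 'config setup' or 'conn NAME'
    line opens a section; indented key=value lines belong to it. Values of
    'conn %default' are folded into every other conn, as FreeS/WAN does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, name = line.split(None, 1)
            current = sections.setdefault((kind, name), {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.get(("conn", "%default"), {})
    conns = {name: {**defaults, **params}
             for (kind, name), params in sections.items()
             if kind == "conn" and name != "%default"}
    return {"config": sections.get(("config", "setup"), {}), "conns": conns}


def parse_ipsec_secrets(text):
    """Map the set of gateway IPs indexing each 'A B : PSK "..."' line to its PSK."""
    psks = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\d.\s]+?)\s*:\s*PSK\s+"([^"]+)"', line)
        if m:
            psks[frozenset(m.group(1).split())] = m.group(2)
    return psks


def check_against_vigor(conf, psks, conn_name, vigor):
    """List mismatches between one FreeS/WAN conn and the Vigor's settings;
    an empty list means both ends describe the same tunnel."""
    c = conf["conns"][conn_name]
    problems = []
    # Every field where the Vigor names the far end must be the FreeS/WAN box (left).
    for field in ("server_ip", "peer_vpn_server_ip", "remote_gateway"):
        if vigor[field] != c["left"]:
            problems.append(f"{field}={vigor[field]} but left={c['left']}")
    # Remote Network + Remote Netmask on the Vigor must equal leftsubnet.
    try:
        vnet = ipaddress.ip_network(f"{vigor['remote_network']}/{vigor['remote_netmask']}")
        if vnet != ipaddress.ip_network(c["leftsubnet"]):
            problems.append(f"remote network {vnet} but leftsubnet={c['leftsubnet']}")
    except ValueError as e:
        problems.append(f"bad remote network on Vigor: {e}")
    # The PSK must be indexed by both gateway IPs and equal the one typed into the Vigor.
    psk = psks.get(frozenset({c["left"], c["right"]}))
    if psk is None:
        problems.append("ipsec.secrets has no PSK line for the left/right pair")
    elif psk != vigor["psk"]:
        problems.append("PSK in ipsec.secrets differs from the Vigor's")
    # 'High(ESP) and 3DES with Authentication' needs auth=esp and a 3DES ESP transform.
    if c.get("auth") != "esp" or not c.get("esp", "").startswith("3des-"):
        problems.append("Vigor is set to ESP/3DES but the conn is not")
    return problems


# Constructed sample input: the page's own config, trimmed to the relevant lines.
IPSEC_CONF = """\
config setup
        interfaces="ipsec0=eth0"

conn %default
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes

conn peen
        esp=3des-md5-96
        left=123.123.123.123
        leftsubnet=10.2.0.0/16
        right=222.222.222.222
        rightsubnet=192.168.1.0/24
        auto=add
"""
IPSEC_SECRETS = '123.123.123.123 222.222.222.222 : PSK "0x6672dd8b3f15227556b606f9f624c3da"\n'
# Assumed field names, mirroring the Vigor screen labels from the HOWTO.
VIGOR = {
    "psk": "0x6672dd8b3f15227556b606f9f624c3da",
    "server_ip": "123.123.123.123",
    "peer_vpn_server_ip": "123.123.123.123",
    "remote_gateway": "123.123.123.123",
    "remote_network": "10.2.0.0",
    "remote_netmask": "255.255.0.0",
}


def run_check(vigor=VIGOR):
    return check_against_vigor(parse_ipsec_conf(IPSEC_CONF),
                               parse_ipsec_secrets(IPSEC_SECRETS), "peen", vigor)


if __name__ == "__main__":
    print("fresh PSK:", make_psk())
    print("mismatches:", run_check() or "none")
```

Run it once with the values you actually typed into the Vigor before bringing the tunnel up; changing the remote netmask or the PSK in VIGOR shows how each mistake is reported.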

Some additional hints: