23 May

Draytek to Cyberoam IPSec VPN How To

How To Establish a Dial Out IPSec VPN from a Draytek Vigor 2860VN+ {FW 3.8.2.2}
to Cyberoam CR50iNG {FW-10.6.2 MR-1}

The configuration was tested with these two devices but should apply to many models in both ranges.
Requirement: an On Demand, Dial Out, LAN to LAN IPSec VPN from the Draytek site, giving remote access to the LAN behind the Cyberoam.
Draytek/Cyberoam  Tech Note

Cyberoam Technote

Draytek Technote

Found this Technote and was hopeful it would work.
It doesn't: it is somewhat dated (about 8 years old) and the Cyberoam interface is now quite different from that in the article.
Did my best to recreate the same setup but struggled to get it to work.

The problem is PFS (Perfect Forward Secrecy). The note implies it should be disabled on the Cyberoam.
There is no setting to do this in current firmware; a PFS group is always selected under Phase 2, so PFS appears to be permanently ENABLED.
PFS MUST therefore be enabled on the Draytek as well, with the same DH group, otherwise Phase 2 (Quick Mode) negotiation fails and the VPN never comes up.

CYBEROAM CONFIG
VPN > Policy
General Settings
Name = Draytek
Allow Re-Keying = Enable
Key Negotiation Tries = 3
Authentication Mode = Main Mode
Main Mode works with one or both ends on fixed IPs. Tested with one fixed and one variable ADSL address,
with DynDNS set up on the variable ADSL end.
Compression = Enabled

Phase 1
Encryption = AES128    Auth = SHA1
Draytek FW 3.8.2.2 only offered SHA1 for the IKE proposal (May 2016).
Ideally SHA-256 or better should be used once both ends support it.
SHA-1 is deprecated: collision attacks against it are practical. IKE and ESP use it as HMAC-SHA1, which the collision attacks do not break, but it should still be phased out.
MD5 is thoroughly broken and not recommended.

DH Group = 2 (1024-bit MODP)
1024-bit DH is considered weak (Logjam, 2015); use group 14 (2048-bit) or higher if both ends offer it.
Key Life = 3600
Dead Peer Detection (DPD)
Not needed for a Dial In On Demand VPN.
Useful for a permanent Site to Site VPN, so a dead tunnel is torn down and re-established instead of black-holing traffic.

Phase 2
Encryption = AES128    Auth = SHA1

PFS (DH) group = same as Phase 1 (group 2)
The PFS group selector has no "off" option, which suggests PFS is always enabled.
Confirmed by test: PFS must be enabled on the Draytek Advanced Security tab.
The VPN fails at Phase 2 if PFS is NOT enabled on the Draytek.

Key Life = 3600

VPN > IPSec Connection

Connection Profile
Name = Dial_In_On_Demand
Connection = Site to Site
Policy = Draytek
Action on VPN Restart = Respond Only
i.e. wait for the incoming connection (dial in from the Draytek router)

Authentication = Preshared Key = a long random phrase (the same phrase is entered on the Draytek)

EndPoint Details – Local = Select WAN Port X (Public IP)
Remote = DynDNS name of the Draytek router
* will allow ANY IP to connect (useful for setup and testing).
Once the tunnel works, specify the remote gateway: with * any host on the Internet may start IKE negotiations against this policy and its pre-shared key.
Use an IP address or DNS name for a fixed public IP.
A DynDNS name works for a variable IP address.

Local Network Details
Local Subnet – Local Lan Network Address EG 192.168.1.0/24
Local ID – leave the dropdown at "Select Local ID" and the field blank

Remote Network Details
Allow NAT Traversal – not needed if both ends have public IPs (the log below shows "no NAT detected")
Remote LAN Network = Network Address of LAN behind Remote Draytek Router
EG 172.16.10.0/24
Remote ID – leave the dropdown at "Select Remote ID" and the field blank

User Authentication – Default
Quick Mode Selectors – Default
Advanced – Default

DRAYTEK CONFIG

VPN > Remote Access Control > Enable IPSec
Lan to Lan > Profile
1.Common Settings
Name = Cyberoam-DialOut
Enable
Dial Out through WAN1 First (or as per your WAN setup)
Call Direction = Dial Out
Idle Timeout = 300 sec (use Always On during setup and testing)

2. Dial Out Settings
IPSec Tunnel
VPN Server/Gateway/Host = IP or HostName of Cyberoam WAN Port
IKE Authentication
Pre-Shared Key = The SAME Good Secure Phrase
IPSec Security Method = High (ESP) (AES with Authentication)
Click Advanced
IKE Phase 1 = Main Mode (must match the Cyberoam; Aggressive Mode with a pre-shared key exposes a hash that can be cracked offline)
IKE Phase 1 Proposal = AES128_SHA1_G2
See the SHA1 / DH group 2 notes under Cyberoam Phase 1: this firmware only offered SHA1 (May 2016), so use it for now and move to SHA-256 and group 14 when both ends support them.

IKE Phase 2 Proposal = AES128 with Authentication (SHA1 / MD5). The Cyberoam policy only offers SHA1, so SHA1 is what gets negotiated.
IKE Phase 1 Key Lifetime = 3600
IKE Phase 2 Key Lifetime = 3600
Perfect Forward Secrecy = Enable
PFS is permanently enabled on the Cyberoam.
The VPN will fail at Phase 2 if PFS is not enabled on the Draytek.
Local ID – Leave Blank

If these don't work, try AUTO, which offers a whole set of proposals (see the note on the config page). Once the tunnel is up, set the proposal back to the one that was actually negotiated so weaker options are no longer offered.

3. Dial In Settings
N/A

4. TCP/IP Network Settings
My WAN IP = Default = 0.0.0.0  (only needed for ISDN, PPTP and L2TP)
Remote Gateway IP = Default = 0.0.0.0  (only needed for ISDN, PPTP and L2TP)
Remote Network IP = EG 192.168.1.0/24
Either the LAN port IP or the network address of the LAN behind the Cyberoam appears to be accepted here.

Local Network IP = EG 172.16.10.0/24        Private Network IP of Local Site

RIP = Optional – set as desired
Subnet = Route (most Site to Site VPNs are routed)
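The PFS lesson above (Cyberoam always has PFS on, the Draytek must match) is really a general rule: every attribute of the Phase 1 proposal, and the Phase 2 encryption, PFS setting and PFS group, must agree at both ends, while Phase 2 only needs one hash in common. The following added example (my own Python, not Cyberoam or Draytek code; the PeerConfig field names are mine and the two sample configurations are built from the values given in this how-to, with a placeholder pre-shared key) compares two peer configurations the way the negotiation will, reports the mismatches that stop the tunnel, and separately warns about the weak primitives noted in the text (SHA1, MD5, DH group 2, Aggressive Mode).

```python
"""Check that two IKEv1/IPsec peer configurations can agree, and flag weak choices.

Added example for this how-to; it is not Cyberoam or Draytek code. The
PeerConfig field names are my own and the sample configurations below are
constructed from the values in the text.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Weak-primitive notes: these are facts about the algorithms, not about either vendor.
WEAK_HASHES = {
    "MD5": "MD5 is broken; do not offer it",
    "SHA1": "SHA-1 is deprecated; move to SHA-256 once both ends support it",
}
WEAK_DH = {
    1: "DH group 1 (768-bit MODP) is trivially weak",
    2: "DH group 2 (1024-bit MODP) is weak (Logjam); prefer group 14 or higher",
}
WEAK_CIPHERS = {"DES": "DES is broken", "3DES": "3DES is legacy; prefer AES"}


@dataclass
class PeerConfig:
    name: str
    ike_mode: str             # "main" or "aggressive"
    p1_encryption: str
    p1_hash: str
    p1_dh_group: int
    p2_encryption: str
    p2_hashes: List[str]      # the Draytek offers SHA1 and MD5 in one proposal
    pfs_group: Optional[int]  # None means PFS disabled
    psk: str


def check_pair(a: PeerConfig, b: PeerConfig) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, errors, warnings). Errors stop the tunnel; warnings are hygiene."""
    errors: List[str] = []
    warnings: List[str] = []

    def must_match(label: str, x, y) -> None:
        if x != y:
            errors.append(f"{label} mismatch: {a.name}={x}, {b.name}={y}")

    # Phase 1 (ISAKMP SA): every attribute of the single proposal must agree.
    must_match("Phase 1 mode", a.ike_mode, b.ike_mode)
    must_match("Phase 1 encryption", a.p1_encryption, b.p1_encryption)
    must_match("Phase 1 hash", a.p1_hash, b.p1_hash)
    must_match("Phase 1 DH group", a.p1_dh_group, b.p1_dh_group)

    # Phase 2 (IPsec SA): encryption must match; one hash in common is enough.
    must_match("Phase 2 encryption", a.p2_encryption, b.p2_encryption)
    if not set(a.p2_hashes) & set(b.p2_hashes):
        errors.append(f"Phase 2 hash: no common choice ({a.p2_hashes} vs {b.p2_hashes})")

    # The lesson of this how-to: PFS on at one end and off at the other fails
    # Quick Mode; when on, both ends must use the same group.
    if (a.pfs_group is None) != (b.pfs_group is None):
        on, off = (a, b) if a.pfs_group is not None else (b, a)
        errors.append(f"PFS enabled on {on.name} but disabled on {off.name}: Phase 2 will fail")
    elif a.pfs_group != b.pfs_group:
        errors.append(f"PFS group mismatch: {a.name}={a.pfs_group}, {b.name}={b.pfs_group}")

    # Compare the PSK without ever putting its value in a message.
    if a.psk != b.psk:
        errors.append("Pre-shared keys differ")
    elif len(a.psk) < 20:
        warnings.append("Pre-shared key is short; use a long random phrase")

    for cfg in (a, b):
        notes: List[str] = []
        if cfg.ike_mode == "aggressive":
            notes.append("Aggressive Mode with PSK leaks a crackable hash; use Main Mode")
        notes += [WEAK_HASHES[h] for h in sorted({cfg.p1_hash, *cfg.p2_hashes}) if h in WEAK_HASHES]
        notes += [WEAK_CIPHERS[c] for c in sorted({cfg.p1_encryption, cfg.p2_encryption}) if c in WEAK_CIPHERS]
        notes += [WEAK_DH[g] for g in sorted({cfg.p1_dh_group, cfg.pfs_group} - {None}) if g in WEAK_DH]
        warnings += [f"{cfg.name}: {n}" for n in notes]

    return not errors, errors, warnings


# Constructed from the values in this how-to; the PSK is a placeholder, not a real key.
PSK = "example-long-random-passphrase-change-me-2016"
CYBEROAM = PeerConfig("Cyberoam", "main", "AES128", "SHA1", 2, "AES128", ["SHA1"], 2, PSK)
DRAYTEK_PFS_OFF = PeerConfig("Draytek", "main", "AES128", "SHA1", 2, "AES128", ["SHA1", "MD5"], None, PSK)
DRAYTEK_PFS_ON = PeerConfig("Draytek", "main", "AES128", "SHA1", 2, "AES128", ["SHA1", "MD5"], 2, PSK)

if __name__ == "__main__":
    for peer in (DRAYTEK_PFS_OFF, DRAYTEK_PFS_ON):
        ok, errs, warns = check_pair(CYBEROAM, peer)
        print(f"Cyberoam <-> {peer.name} (PFS {'on' if peer.pfs_group else 'off'}): {'OK' if ok else 'FAIL'}")
        for e in errs:
            print("  ERROR:", e)
        for w in warns:
            print("  warn :", w)
```

Run stand-alone it prints FAIL with the single PFS error for the first pairing and OK with only hygiene warnings for the second, which is exactly the behaviour observed on the real routers: the Draytek with PFS off completes Phase 1 and then stalls in Phase 2.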

CONNECTION ATTEMPTS & LOGS
On the Draytek, initiate the VPN connection and monitor Diagnostics > SysLog > VPN.

Good log, read top down. Public addresses are masked as RRR.RRR.RRR.RRR and LLL.LLL.LLL.LLL.
Exchange Type 0x2 is Main Mode (ISAKMP Identity Protection), 0x20 is Quick Mode and 0x5 is an Informational exchange (notifications such as keepalives after the tunnel is up).

Dialing Node28 (Cyberoam-DialOut) : RRR.RRR.RRR.RRR
Initiating IKE Main Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with v. In/Out Index: 0/-28

Phase 1 SA Established

Start IKE Quick Mode to RRR.RRR.RRR.RRR
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Client L2L remote network setting is 192.168.0.0/24
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with RRR.RRR.RRR.RRR. In/Out Index: 0/-28

Phase 2 SA Established

[L2L][UP][IPSec][@28:Cyberoam-DialOut]

Link UP  

IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xdf90e916
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x490a3747
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x819ee015
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc08264d5
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xa61eef62
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x102cbb83
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8739c98c
NAT GRE session 47501 time out, las time = 341208950 …
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x4ccc0d2e
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x42c9e8d1
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x977463db
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x1563065c
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9b684603
Receive client L2L remote network setting is LLL.LLL.LLL.LLL
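Reading the log above by hand works once; when the tunnel keeps failing it helps to have a script say how far the negotiation got. The following added example (my own Python, not Draytek code) walks a SysLog > VPN capture, decodes the ISAKMP exchange types, records the peer, NAT-T result and advertised remote networks, and gives a verdict that points at the right settings: a log that shows "ISAKMP SA established" but never "IPsec SA established" means Phase 2 failed, which in this how-to was the PFS mismatch. The sample log embedded in it is constructed after the lines shown above, with 203.0.113.10 standing in for the masked Cyberoam WAN address.

```python
"""Report how far a Draytek IKEv1 dial-out got from a 'Diagnostics > SysLog > VPN' capture.

Added example, not Draytek code. The sample log below is constructed after the
lines shown in this post, with 203.0.113.10 in place of the Cyberoam WAN address.
"""
import re
from typing import Iterable

# ISAKMP exchange types (RFC 2408 section 3.1; Quick Mode is IPsec DOI value 32).
EXCHANGE_TYPES = {0x2: "Main Mode", 0x4: "Aggressive Mode",
                  0x5: "Informational", 0x20: "Quick Mode"}

IKE_RE = re.compile(
    r"IKE (?P<dir>==>|<==), Next Payload=(?P<payload>\w+), "
    r"Exchange Type = (?P<xt>0x[0-9a-fA-F]+), Message ID = (?P<mid>0x[0-9a-fA-F]+)")
PEER_RE = re.compile(r"Initiating IKE (?:Main|Aggressive) Mode to (\S+)")
NET_RE = re.compile(r"remote network setting is (\S+)")


def analyse(lines: Iterable[str]) -> dict:
    """Return exchange counts, negotiated facts and a verdict for one dial-out attempt."""
    s = {"peer": None, "nat": None, "phase1": False, "phase2": False,
         "link_up": False, "exchanges": {}, "remote_networks": []}
    for line in lines:
        m = IKE_RE.search(line)
        if m:
            name = EXCHANGE_TYPES.get(int(m["xt"], 16), m["xt"])
            s["exchanges"][name] = s["exchanges"].get(name, 0) + 1
        m = PEER_RE.search(line)
        if m:
            s["peer"] = m.group(1)
        if "NAT-Traversal:" in line:
            s["nat"] = line.split("NAT-Traversal:", 1)[1].strip()
        if "ISAKMP SA established" in line:      # Phase 1 done
            s["phase1"] = True
        if "IPsec SA established" in line:       # Phase 2 done
            s["phase2"] = True
        if "[L2L][UP]" in line:                  # LAN-to-LAN profile is up
            s["link_up"] = True
        m = NET_RE.search(line)
        if m and m.group(1) not in s["remote_networks"]:
            s["remote_networks"].append(m.group(1))

    if s["link_up"]:
        s["verdict"] = "Tunnel up"
    elif s["phase2"]:
        s["verdict"] = "IPsec SA up but no L2L UP event: check the TCP/IP network settings"
    elif s["phase1"]:
        s["verdict"] = ("Phase 1 OK, Phase 2 failed: check the Phase 2 proposal, "
                        "PFS (must be on and the same group at both ends) and the subnets")
    else:
        s["verdict"] = ("Phase 1 failed: check Phase 1 mode and proposal, "
                        "the pre-shared key and the remote gateway filter")
    return s


# Constructed sample, modelled on the good log in this post.
GOOD_LOG = """\
Dialing Node28 (Cyberoam-DialOut) : 203.0.113.10
Initiating IKE Main Mode to 203.0.113.10
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
NAT-Traversal: Using RFC 3947, no NAT detected
IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
ISAKMP SA #5736 will be replaced after 2475 seconds
ISAKMP SA established with 203.0.113.10. In/Out Index: 0/-28
Start IKE Quick Mode to 203.0.113.10
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
Client L2L remote network setting is 192.168.1.0/24
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xfdf26d2b
IPsec SA #5737 will be replaced after 2996 seconds
sent QI2, IPsec SA established with 203.0.113.10. In/Out Index: 0/-28
[L2L][UP][IPSec][@28:Cyberoam-DialOut]
IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xdf90e916
IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x490a3747
""".splitlines()

# Same capture cut off after the first Quick Mode message: what a PFS mismatch looks like.
PHASE2_FAIL_LOG = GOOD_LOG[:13]

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("phase 2 stalls", PHASE2_FAIL_LOG)):
        r = analyse(log)
        print(f"{label}: peer={r['peer']} nat={r['nat']!r} exchanges={r['exchanges']}")
        print(f"  remote networks={r['remote_networks']} -> {r['verdict']}")
```

Feed it the real capture with `analyse(open("vpn.log").read().splitlines())`; the exchange counts are the quick sanity check (six Main Mode messages, three Quick Mode messages, then only Informational traffic once the link is up).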