
Site to Site VPN with Draytek Router

Hi Guys,

Can anyone tell me how to configure an IPsec VPN between a DrayTek router and Sophos XG? I have already created the IPsec policy and the connection, but the VPN is not established. I double-checked the Phase 1 and Phase 2 parameters with the guy who configured the DrayTek router, and the Phase 1 and 2 parameters are fine.

In the DrayTek router, he configured a dial-out VPN, not a site-to-site one.
  • OK, so you're dialling from the DrayTek to the Sophos. The settings I use are listed below.

    On the DrayTek:

    • Call direction; Dial Out
    • Always On: enabled
    • Type of server: IPsec, IKEv2
    • Authentication method: Pre-Shared Key
    • IPsec Security method: High, AES with Authentication [Phase 1: AES256_SHA256_G14; Phase 2: AES256_SHA256; Phase 1 lifetime: 28800; Phase 2 lifetime: 3600; PFS enabled]
    • From the first subnet to the remote network, you have to set: Route

    On the XG, VPN profile:

    • Connection type: Site to site
    • Gateway type: respond only

    On the XG, IPsec policy:

    • Key exchange: IKEv2
    • Re-key connection: disabled
    • Phase 1: DH Group: 14; Encryption: AES256; Authentication: SHA2 256
    • Phase 2: PFS Group 14; Encryption: AES256; Authentication: SHA2 256
    • Dead peer detection: disabled

    The settings I've given are slightly different in that the encryption is stronger, and I would suggest updating it as best practice and future-proofing. G14 is much stronger than G5 and performance is good, so if it's an option, it's strongly advised. However, it's probably not the solution to the issue here (although obviously I can vouch that I have made the above configuration work!)

    Your screenshot from the XG doesn't have the Key life, Re-key margin and Randomise re-keying options greyed out. They should be (on SFOS 18 certainly), as they only apply on dial-out. I suspect at least part of the problem is that the XG has re-keying of the connection enabled, and that would explain why sometimes you see a tunnel and then it goes down. Essentially, re-keying a dial-in connection will cause the XG to kill the connection when it hits the randomised re-key time.

    If you check/update those settings, does it help at all?

  • Thanks for these settings, Noel. The issue is now resolved, but only by switching to a different broadband line at head office. It's difficult to know what the issue is on the original line, but I will update if I get anything useful back from our internet provider. Thanks again.

  • OK, have you checked your firewall settings on the XG to make sure you don't have anything redirecting ports 500 or 4500 elsewhere, e.g. a VPN server? Sounds like capturing the traffic using tcpdump on the XG is the best thing to do, so you can verify if traffic is hitting it. I wouldn't bother with the GUI log viewer - tcpdump will give you far more useful information.
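The capture suggested in the last reply, as an added example that is not part of the original thread or of Sophos/DrayTek documentation: a BPF filter covering IKE (UDP 500), NAT-T (UDP 4500) and raw ESP, plus a small awk triage of the tcpdump summary that tells you whether IKE packets from the peer never arrive, arrive but are never answered (the port-forward case), or flow both ways (a proposal or identity mismatch, which you then take to the IPsec log). Everything concrete here is assumed: the peer and XG addresses are constructed documentation-range IPs, the WAN interface name is hypothetical, and the sample captures are constructed, not real output from the poster's XG. Running tcpdump on the XG is taken to mean the advanced shell, as the reply implies.

```shell
#!/bin/sh
# Added example, not from the thread. Peer 203.0.113.10 (the DrayTek) and
# 198.51.100.1 (the XG WAN address) are constructed addresses.

# BPF filter covering IKE (UDP 500), NAT-T / UDP-encapsulated ESP (UDP 4500)
# and raw ESP (IP protocol 50).
ike_filter() {
    printf '%s' 'udp port 500 or udp port 4500 or ip proto 50'
}

# Triage a "tcpdump -n" summary read on stdin for a given remote peer.
# Summary lines look like:
#   HH:MM:SS.ffffff IP <src>.<port> > <dst>.<port>: isakmp: ...
# so field 3 is the source and field 5 the destination (trailing colon).
# Prints exactly one verdict line.
classify_ike() {
    peer="$1"
    awk -v peer="$peer" '
        /isakmp/ && $3 ~ ("^" peer "\\.") { req++ }
        /isakmp/ && $5 ~ ("^" peer "\\.") { resp++ }
        END {
            if (req == 0)
                print "no IKE from peer: traffic is not reaching this box (upstream block or NAT)";
            else if (resp == 0)
                print "IKE requests arrive but nothing is sent back: check DNAT/port-forward rules for UDP 500/4500 and that the policy listens on this interface";
            else
                print "IKE exchange in both directions: look for a phase 1/2 proposal or identity mismatch in the IPsec log";
        }'
}

# Constructed capture: the DrayTek retries IKE_SA_INIT and the XG never
# answers, the symptom of UDP 500 being forwarded elsewhere or dropped.
sample_one_way() {
    cat <<'EOF'
10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
10:00:05.000200 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
EOF
}

# Constructed capture: both directions present, including the switch to
# UDP 4500 (NAT-T) for IKE_AUTH.
sample_two_way() {
    cat <<'EOF'
10:00:01.000100 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
10:00:01.000300 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
10:00:01.000500 IP 203.0.113.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:00:01.000700 IP 198.51.100.1.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
EOF
}

# Live use on the XG (assumption: advanced shell, WAN interface named Port2):
#   tcpdump -ni Port2 "$(ike_filter) and host 203.0.113.10" | classify_ike 203.0.113.10
# Offline demonstration on the constructed captures:
sample_one_way | classify_ike 203.0.113.10
sample_two_way | classify_ike 203.0.113.10
```

The verdicts are deliberately coarse: tcpdump only proves whether packets reach the XG and whether it replies. If both directions are present and the tunnel still flaps, the next stop is the IPsec log (or the strongSwan charon log on the advanced shell) for the proposal and re-key details discussed above.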