I've two LANs connected over the internet. One has a Draytek Vigor 2200e (http://www.2-com.de/de/draytel-vigor2200e-dsl-broadband-vpn-router.html) router and the other had a Win2k3 Server as a router. The Vigor started an L2TP connection that worked fine.
So, now the Win2k3Server has been exchanged with an Astaro Virtual Appliance. Everything else seems to work more or less, but the VPN connection can't be established anymore.
I've tried a lot of different configurations now, all with a preshared key:
1) Vigor's configuration untouched and Astaro as L2TP over IPsec endpoint. The log files give me the following:
2008:01:21-00:01:08 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: responding to Main Mode from unknown peer DraytekIPaddress
2008:01:21-00:01:08 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: Oakley Transform [OAKLEY_DES_CBC (64), OAKLEY_MD5, OAKLEY_GROUP_MODP768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2008:01:21-00:01:08 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: Oakley Transform [OAKLEY_DES_CBC (64), OAKLEY_SHA, OAKLEY_GROUP_MODP768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: Peer ID is ID_IPV4_ADDR: 'DraytekIPaddress'
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: sent MR3, ISAKMP SA established
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5159: responding to Quick Mode
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5159: IPsec SA established {ESP=>0x3e1fdea8 - '
2008:01:21-00:01:21 (none) l2tpd[27567]: init: Unable to load config file
2) Vigor set to IPsec and Astaro as IPsec endpoint
2008:01:21-08:37:54 (none) pluto[8510]: "D_REF_ouxmeLHxIM_0"[1] DraytekIP #649: Peer ID is ID_IPV4_ADDR: 'DraytekIP'
2008:01:21-08:37:54 (none) pluto[8510]: "D_REF_ouxmeLHxIM_0"[1] DraytekIP #649: sent MR3, ISAKMP SA established
2008:01:21-08:37:54 (none) pluto[8510]: "D_REF_ouxmeLHxIM_0"[1] DraytekIP #650: responding to Quick Mode
2008:01:21-08:37:54 (none) pluto[8510]: "D_REF_ouxmeLHxIM_0"[1] DraytekIP #650: IPsec SA established {ESP=>0x3e1fe189 0x3e1fe18a - '
2008:01:21-08:38:21 (none) l2tpd[16648]: init: Unable to load config file
3) So, as this didn't work, I thought I might NAT all L2TP Connections to a (new) Win2k3Server in the LAN behind Astaro.
The Win2k3Server (using the default routing and remote access daemon) doesn't seem to get anything. So I checked the Astaro packet filter log, one of the entries here is the following:
09:23:29 Default DROP UDP DraytekIP : 500 → AstaroIP : 500 len=204 ttl=246 tos=0x00
Why is it dropping a UDP packet on port 500? It shouldn't be, according to the NAT rules (see screen 1). After discovering this I explicitly forwarded IKE as another rule (even though it should be processed through the "VPN protocols" group --> see screen 3, because of the "auto create packet filter rule").
So I thought maybe it might help to explicitly allow VPN, from both inside and outside peers (see screen 2). But it is still dropping IKE packets.
All other port forwardings (e.g. to the web/SMTP server) are working fine.
The 2k3 Server seems to be configured correctly, as I can connect to it from the LAN with a laptop using the same configuration as the Vigor (credentials, etc.).
4) PPTP as a debug connection with Astaro as endpoint
One last try was the following: I tried to initiate a connection from the Draytek to Astaro. As that didn't work I tried to connect from a laptop to Astaro with the Windows built-in PPTP client. As that didn't work either, I discovered that I had to use MS-CHAP v2 and the Draytek only supports v1.
Many approaches, none of which has been successful. Does anyone have any suggestions or experiences that might help me?
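Added example, not part of the original post: a small Python triage script that reads the kind of pluto, l2tpd and packet-filter lines quoted above and separates the three distinct symptoms they show (weak IKE proposals being refused, the IPsec SA coming up while l2tpd fails to load its config, and IKE on UDP/500 being dropped by the packet filter). The sample lines are copied from the post with its placeholder names (DraytekIPaddress, DraytekIP, AstaroIP) kept as-is; the final AES line is constructed so the parser has a non-weak case, and the "weak algorithm" thresholds (DES, any key shorter than 128 bits, MD5, MODP768/1024) are this example's own choice, not Astaro's.

```python
import re
from collections import Counter

# Lines 1-6 are copied from the forum post (placeholders kept); line 7 is a
# constructed AES proposal and is NOT real pluto output.
SAMPLE_LOG = """\
2008:01:21-00:01:08 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: Oakley Transform [OAKLEY_DES_CBC (64), OAKLEY_MD5, OAKLEY_GROUP_MODP768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2008:01:21-00:01:08 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: Oakley Transform [OAKLEY_DES_CBC (64), OAKLEY_SHA, OAKLEY_GROUP_MODP768] refused due to insecure key_len and enc. alg. not listed in "ike" string
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5158: sent MR3, ISAKMP SA established
2008:01:21-00:01:11 (none) pluto[17206]: "D_REF_ouxmeLHxIM_0"[1] DraytekIPaddress #5159: IPsec SA established {ESP=>0x3e1fdea8 - '
2008:01:21-00:01:21 (none) l2tpd[27567]: init: Unable to load config file
09:23:29 Default DROP UDP DraytekIP : 500 → AstaroIP : 500 len=204 ttl=246 tos=0x00
2008:01:21-00:02:00 (none) pluto[17206]: "constructed"[1] 192.0.2.10 #1: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA, OAKLEY_GROUP_MODP1536] accepted (constructed line)
"""

# Thresholds chosen for this example: what a present-day IKE responder should refuse.
WEAK_ENC = {"OAKLEY_DES_CBC"}
WEAK_HASH = {"OAKLEY_MD5"}
WEAK_GROUPS = {"OAKLEY_GROUP_MODP768", "OAKLEY_GROUP_MODP1024"}
IKE_PORTS = {500, 4500}          # 4500 only matters when NAT-T is in play

TRANSFORM_RE = re.compile(r"Oakley Transform \[([^\]]*)\]")
ITEM_RE = re.compile(r"(\w+)(?: \((\d+)\))?")          # NAME or NAME (keylen)
DROP_RE = re.compile(r"\bDROP (UDP|TCP) (\S+) : (\d+) \S+ (\S+) : (\d+)")


def parse_transform(text):
    """Split 'A (64), B, C' into [(name, keylen_or_None), ...]."""
    items = []
    for part in text.split(","):
        m = ITEM_RE.match(part.strip())
        if m:
            items.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return items


def weak_components(items):
    """Names of transform components a modern IKE responder should not accept."""
    weak = []
    for name, keylen in items:
        if name in WEAK_ENC or (keylen is not None and keylen < 128):
            weak.append(name)
        elif name in WEAK_HASH or name in WEAK_GROUPS:
            weak.append(name)
    return weak


def classify_line(line):
    """Turn one log line into an event dict, or None for lines we do not care about."""
    m = TRANSFORM_RE.search(line)
    if m:
        items = parse_transform(m.group(1))
        return {"kind": "ike_proposal", "refused": "refused" in line,
                "transform": [n for n, _ in items], "weak": weak_components(items)}
    if "ISAKMP SA established" in line:
        return {"kind": "isakmp_sa_established"}
    if "IPsec SA established" in line:
        return {"kind": "ipsec_sa_established"}
    if "l2tpd" in line and "Unable to load config file" in line:
        return {"kind": "l2tpd_config_error"}
    m = DROP_RE.search(line)
    if m:
        proto, src, sport, dst, dport = m.groups()
        return {"kind": "filter_drop", "proto": proto, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport),
                "is_ike": proto == "UDP" and int(dport) in IKE_PORTS}
    return None


def summarize(log_text):
    """Count event kinds and derive the three findings the post's symptoms point at."""
    counts = Counter()
    weak_refused = set()
    drops = []
    for line in log_text.splitlines():
        ev = classify_line(line)
        if ev is None:
            continue
        counts[ev["kind"]] += 1
        if ev["kind"] == "ike_proposal" and ev["refused"] and ev["weak"]:
            weak_refused.update(ev["weak"])
        if ev["kind"] == "filter_drop" and ev["is_ike"]:
            drops.append(f'{ev["src"]} -> {ev["dst"]}:{ev["dport"]}/{ev["proto"]}')
    findings = []
    if weak_refused:
        findings.append("peer offered weak IKE transforms that were refused: "
                        + ", ".join(sorted(weak_refused))
                        + " (raise the peer's proposal, e.g. AES/SHA/MODP1536 or better, "
                          "rather than adding weak algorithms to the responder's 'ike' string)")
    if counts["ipsec_sa_established"] and counts["l2tpd_config_error"]:
        findings.append("IPsec SA came up but l2tpd could not load its config: the failure is "
                        "in the L2TP layer, not in IKE/IPsec")
    if drops:
        findings.append("IKE packets dropped by the packet filter: " + "; ".join(drops)
                        + " (a DNAT entry alone is not enough; a filter rule must allow UDP/500, "
                          "and UDP/4500 when NAT-T is used, to the forwarding target)")
    return {"counts": dict(counts), "findings": findings}


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG)["findings"]:
        print("-", f)
```

Feed it the real log (`summarize(open(path).read())`) and the findings list tells you which of the three layers (IKE proposal, L2TP daemon, packet filter) to look at first, instead of reading the whole pluto stream by hand.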