Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 0 replies
  • Subscribers 1 subscriber
  • Views 2126 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG220 to Draytek Vigor 2820 issue

dtnws
Hi,

I am trying to connect an ASG220 appliance to a Draytek Vigor2820 ADSL router with a PSTN backup.

Because I want to use the PSTN backup in the event of an ADSL outage, the VPN *must* be built using an X.509 certificate because the external IP adresses will change. I cannot manually change the endpoint to the PSTN IP as the Draytek to PSTN network is unroutable so the IP address the Draytek presents when using the PSTN link is not what the ASG220 expects and the ASG220 refuses to build the VPN.

I am having trouble building an X.509 based VPN between the two devices. Here is what I've done:
[LIST=1]
  • Created a CA on a windows 2003 server
  • Imported the CA certificate as a verification CA on the ASG220 and the Draytek
  • Created a CSR on the Draytek and exported it
  • Signed the CSR on the Windows 2003 server
  • Imported the resulting certificate to the ASG220 and Draytek
  • Set up a LAN to LAN vpn between the two devices using the certificate
[/LIST]

The ASG220 appears to accept the certificate but refuses to build the VPN. Any ideas why this would happen?

Here are the edited logs from the ASG220:
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection] 
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] 
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
2008:11:19-14:07:28 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: responding to Main Mode from unknown peer x.x.x.x 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: NAT-Traversal: Result using RFC 3947: no NAT detected 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: ignoring informational payload, type IPSEC_INITIAL_CONTACT 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: Peer ID is ID_DER_ASN1_DN: 'C=GB, CN=Data Tote' 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: we have a cert and are sending it 
2008:11:19-14:07:28 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: sent MR3, ISAKMP SA established 
2008:11:19-14:07:31 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: retransmitting in response to duplicate packet; already STATE_MAIN_R3 
2008:11:19-14:07:37 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33514: retransmitting in response to duplicate packet; already STATE_MAIN_R3 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection] 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] 
2008:11:19-14:07:44 (none) pluto[13543]: packet from x.x.x.x:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00] 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: responding to Main Mode from unknown peer x.x.x.x 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: NAT-Traversal: Result using RFC 3947: no NAT detected 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: ignoring informational payload, type IPSEC_INITIAL_CONTACT 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: Peer ID is ID_DER_ASN1_DN: 'C=GB, CN=' 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: we have a cert and are sending it 
2008:11:19-14:07:44 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: sent MR3, ISAKMP SA established 
2008:11:19-14:07:47 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: retransmitting in response to duplicate packet; already STATE_MAIN_R3 
2008:11:19-14:07:53 (none) pluto[13543]: "S_hawkfield-bt_0"[1] x.x.x.x #33515: retransmitting in response to duplicate packet; already STATE_MAIN_R3 

Any help appreciated!

Cheers,

Geoff


This thread was automatically locked due to age.
Cookie Information Banner