Virtual private networks / IPsec migrating to Connections [new] for Draytek 286x routers
« on: August 29, 2023, 01:37:43 pm »
Before I consider upgrading to 23.7 I need to migrate 24 VPNs currently configured via Tunnel Settings to Connections [new].
While I have already moved some of the OPNsense to OPNsense tunnels I have still to get a Draytek tunnel running.
They are all currently configured using the same template, so if I get one running I'll be able to get the rest done.
Draytek configuration:
- Dial-out, Always on
- IKEv2
- PSK
- AES with authentication
- IKE Phase 1 aes256/sha256/dh14 [aes256-sha256-modp2048]
I have also tried aes256/sha256/dh21 [aes256-sha256-ecp521]
- IKE Phase 2 aes256/sha256
- IKE phase 1 key lifetime 86400
- IKE phase 2 key lifetime 86400
- pfs enabled
I have also created and tested a Draytek profile that will handle dial-in and Dial-out to see if this would work.
The reason for the Dial-out setting is that a few of the Draytek sites have more than one subnet. If the OPNsense firewall originates the connection then only the primary subnet SA establishes. If the Draytek router originates the connection then all SAs establish.
As already noted in the forum, and when I migrated an OPNsense to OPNsense tunnel, the ESP rules were not automatically created. From watching the traffic I have created rules to cover ESP, ISAKMP and IPsec NAT-T.
One thing I am not sure about is whether, having created a Pre-Shared Key entry for the connection using an email address as the Local Identifier, this email address is what is used in the Local Authentication Id field when Authentication is Pre-Shared Key (which is what I have used).
If anyone has managed to get a Connections [new] tunnel working for a Draytek router I would appreciate any tips.
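As an added illustration (not from the original post and not OPNsense's generated configuration): the Draytek parameters listed in the post expressed in the strongSwan swanctl.conf format that OPNsense's Connections [new] drives. The addresses, identities, subnets and the secret placeholder are assumed values; the proposal strings and lifetimes are the ones from the post.

```conf
# Constructed example, not OPNsense's generated configuration.
# Maps the Draytek profile from the post onto strongSwan swanctl.conf terms.
# Assumed values: 203.0.113.10 (OPNsense WAN), 198.51.100.20 (Draytek WAN),
# the identities, the subnets and the secret placeholder.
connections {
    draytek-site1 {
        version = 2                      # IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        # IKE (phase 1): aes256/sha256/dh14 in Draytek terms
        proposals = aes256-sha256-modp2048
        rekey_time = 86400s              # IKE phase 1 key lifetime
        local {
            auth = psk
            # Must match id-1 under secrets below; this is the value the
            # post's "Local Authentication Id" question is about.
            id = opnsense@example.com
        }
        remote {
            auth = psk
            id = 198.51.100.20           # Draytek identity, assumed to be its WAN address
        }
        children {
            site1-net1 {
                local_ts  = 10.0.1.0/24
                remote_ts = 192.168.1.0/24
                # ESP (phase 2): aes256/sha256; PFS means a DH group in the ESP proposal
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 86400s      # IKE phase 2 key lifetime
                start_action = none      # Draytek dials out; OPNsense only responds
            }
            # One child per extra Draytek subnet, so every SA is negotiated
            # when the Draytek initiates.
            site1-net2 {
                local_ts  = 10.0.1.0/24
                remote_ts = 192.168.2.0/24
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 86400s
                start_action = none
            }
        }
    }
}

secrets {
    ike-draytek-site1 {
        # The identities this secret applies to; id-1 must equal local.id above,
        # otherwise strongSwan cannot select the PSK for this peer.
        id-1 = opnsense@example.com
        id-2 = 198.51.100.20
        secret = "REPLACE-WITH-PRESHARED-KEY"
    }
}
```

Because the Draytek side initiates, the OPNsense WAN interface has to accept the three flows the post mentions: IKE on UDP 500, NAT-T on UDP 4500 and ESP, which is IP protocol 50 rather than a TCP/UDP port. The negotiated IKE and ESP proposals for each established tunnel can be read back with `swanctl --list-sas`, which is the quickest way to confirm that the Draytek's dh14 really landed as modp2048 and that a DH group (PFS) is present on the child SA.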