Thread Info
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site VPN with Draytek Router

Tharindu Premarathne

Hi Guys,

Can anyone tell me how to configure IPsec VPN between Draytek and Sophos xg. I already create the IPSec policy and the connection but VPN is not established. I double-checked the Phase 1 and 2 parameters with the guy who configured the Draytek router, the phase 1 and 2 parameters are fine.

In the Draytek router, he configured the Dial-out VPN not a site to site 



This thread was automatically locked due to age.
  • 0

    Hi I am not able to get exact configuration steps of Draytek with Sophos XG however I found below URL which is for Dytrek and Cyberoam and may help you to match up some of the settings on router end.

    https://www.draytek.com/support/knowledge-base/5201

    If settings are fine at both the end then you may check the TCPDUMP on remote end gateway IP over XG and you may check the strongswan service logs to confirm more.

    Sophos XG Firewall: Where to find log files?

    support.sophos.com/.../KB-000038142

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • 0

    Can you post some pictures of your config?

  • 0

    I have a number of DrayTek routers set up this way. I find it works much better if the DrayTek dials the connection and the XG is set to respond only. Might seem a daft question, but I've seen colleagues tripped up by this before they realised... is the connection set as active (green light) in the XG in the VPN section?

  • 0

    Hi, I have exactly the same issue ie. IPsec VPN with Draytek and XG not working. Did you manage to get this working?

    Thanks

    • 0 in reply to charles kavazy

      Are you able to post your Sophos and DrayTek settings? I'm happy to look at them if you post them. That's probably the first thing to check, and if that doesn't reveal an issue, using tcpdump on the XG would be a good step too.

      • 0 in reply to Noel Slevin

        Thanks Noel. I will do that right away. appreciate your offer of help Slight smile

        • 0 in reply to Noel Slevin

          Sorry for the delay, changes to settings were being tested.

          Here are some of the Draytek settings

          and here are the equivalent XG

          I can do more screenshots if you need them.

          Charles

          • 0 in reply to charles kavazy

            Forgot to mention that we have two remote sites, both with the same IPsec policy. One of them will connect for a while, sometimes for an hour so but will eventually go down. The other one won't connect at all. Very odd.

            • 0 in reply to charles kavazy

              OK, so you're dialling from the DrayTek to the Sophos. The settings I use are listed below.

              On the DrayTek:

              • Call direction; Dial Out
              • Always On: enabled
              • Type of server: IPsec, IKEv2
              • Authentication method:  Pre-SharedKey
              • IPsec Security method: High, AES with Authentication [Phase 1: AES256_SHA256_G14; Phase 2: AES256_SHA256; Phase 1 lifetime: 28800; Phase 2 lifetime: 3600; PFS enabled]
              • From the first subnet to remote network, you have to do: Route

              On the XG, VPN profile:

              • Connection type: Site to site
              • Gateway type: respond only

              On the XG, IPsec policy:

              • Key exchange: IKEv2
              • Re-key connection: disabled
              • Phase 1: DH Group: 14; Encryption: AES256; Authentication: SHA2 256
              • Phase 2: PFS Group 14; Encryption: AES256; Authentication: SHA2 256
              • Dead peer detection: disabled

              The settings I've given are slightly different in that the encryption is stronger, and I would suggest updating it as best practice and future-proofing. G14 is much stronger than G5, performance good, so if it's an option, it's strongly advised. However, it's probably not the solution to the issue here (although obviously I can vouch I have made the above configuration work!)

              Your screenshot from the XG doesn't have the Key life, Re-key margin and randomise re-keying options greyed out. They should be (on SFOS 18 certainly) as they only apply on dial out. I suspect at least part of the problem is that the XG has re-keying of the connection enabled, and that would explain why sometimes you see a tunnel and it goes down. Essentially, re-keying a dial in connection will cause the XG to kill the connection when it hits the randomised re-key time.

              If you check/update those settings, does it help at all?

              • 0 in reply to Noel Slevin

                Thanks for these settings Noel. The issue is now resolved, but only by switching to a different broadband line at head office. Difficult to know what is the issue on the original line but I will update if I get anything useful back from our internet provider. Thanks again.

                • 0 in reply to charles kavazy

                  OK, have you checked your firewall settings on the XG to make sure you don't have anything redirecting ports 500 or 4500 elsewhere, e.g. a VPN server? Sounds like capturing the traffic using tcpdump on the XG is the best thing to do, so you can verify if traffic is hitting it. I wouldn't bother with the GUI log viewer - tcpdump will give you far more useful information.

                Unfiltered HTML