A Broadband and ADSL forum. BroadbanterBanter

TP-Link to Vigor VPN

#1  Graham J, January 30th 14, 06:12 PM, posted to uk.telecom.broadband

I have VPNs set up between different models of Vigor router. All are
LAN-to-LAN connections, so I provide the IP addresses, LAN addresses,
and specify IKE pre-shared key with High (ESP) AES with authentication.

Now trying to set up a similar connection between a Vigor and a TP-Link
TD-W8960N and struggling to get it working. TP-Link has latest
firmware, version TD-W8960N_V4_120912

First test is from the Vigor router to the TP-link.

The TP-link log shows an incoming request, with the correct IP
addresses, then lines like this:

racoon: INFO:received Vendor ID: DPD
racoon: INFO:received Vendor ID: RFC 3947
racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-00

After a while it reports "error phase 1 negotiation failed due to time up"

I see the same error despite trying different settings on the TP-link
for Encryption algorithm, integrity algorithm, and Diffie-Hellman group;
for both phase 1 and phase 2.

Has anybody got a similar set-up working and can suggest the correct
settings, please?

TIA

--
Graham J
#2  alexd, January 30th 14, 09:42 PM, posted to uk.telecom.broadband

Graham J (for it is he) wrote:

> I have VPNs set up between different models of Vigor router. All are
> LAN-to-LAN connections, so I provide the IP addresses, LAN addresses,
> and specify IKE pre-shared key with High (ESP) AES with authentication.


What authentication? IME, it's not 'normal' to use xauth on a site to site
tunnel, or at least, I don't, and I don't recall seeing a field in the TP-
Link VPN policy page to do so.

> racoon: INFO:received Vendor ID: DPD
> racoon: INFO:received Vendor ID: RFC 3947
> racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-00


You might be able to get more out of the logs by changing the log level and
the display level on the TP-Link. ISTR default is to log at 'debug' level
but only display 'error' level.

> After a while it reports "error phase 1 negotiation failed due to time up"


Either phase 1 doesn't match, or traffic isn't reaching either end as
expected [firewall rules].

> I see the same error despite trying different settings on the TP-link
> for Encryption algorithm, integrity algorithm, and Diffie-Hellman group;
> for both phase 1 and phase 2.


It's no good guessing. They need to match what's in the Vigor. A reboot or
five never hurts the TP-Link, either.

> Has anybody got a similar set-up working and can suggest the correct
> settings, please?


I've got them [same model] working with IPsec to Sonicwall and Cisco (IOS)
routers. As I recall, it was "obvious"; the VPN policy page contains a
number of parameters and so long as they match at both sides it brings the
tunnel up. If the parameters don't match, one end or the other will log it.

--
http://ale.cx/ (AIM:troffasky) )
21:21:59 up 29 days, 0 min, 7 users, load average: 0.72, 0.48, 0.46
"If being trapped in a tropical swamp with Anthony Worral-Thompson and
Christine Hamilton is reality then I say, pass the mind-altering drugs"
-- Humphrey Lyttleton

#3  The Natural Philosopher, January 30th 14, 11:58 PM, posted to uk.telecom.broadband

On 30/01/14 18:12, Graham J wrote:
> Has anybody got a similar set-up working and can suggest the correct
> settings, please?


Not me. My TPlink came with all sorts of port redirect and firewall
stuff. None of it actually worked.

But it looks good on the box and the spec sheet doesn't it?

If you want a cheap domestic basic router that's a doddle to set up, buy
a TP-Link.

If you want a router with advanced features that actually work, don't.



--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

#4  Graham J, February 1st 14, 08:50 AM, posted to uk.telecom.broadband

alexd wrote:
> It's no good guessing. They need to match what's in the Vigor. A reboot or
> five never hurts the TP-Link, either.


> I've got them [same model] working with IPsec to Sonicwall and Cisco (IOS)
> routers. As I recall, it was "obvious"; the VPN policy page contains a
> number of parameters and so long as they match at both sides it brings the
> tunnel up. If the parameters don't match, one end or the other will log it.

I now have it working.

I gave up and set up the "virtual server" as a stopgap to access a PC
at the remote site.

Took to site in order to evaluate performance on a noisy line.

This of course involved a reboot!

Your line " A reboot or five never hurts the TP-Link, either." - that's
the winner!

So I now have the more-or-less random settings in the TP-Link which I
left it with after the last failed test in my workshop - and these work.
The logs suggest it tried various authentication methods and
eventually worked.

It's a very irritating router to work with, so I will write a reasoned
critique when I've calmed down!

--
Graham J
#5  The Natural Philosopher, February 1st 14, 10:23 AM, posted to uk.telecom.broadband

On 01/02/14 08:50, Graham J wrote:
> It's a very irritating router to work with, so I will write a reasoned
> critique when I've calmed down!

Don't bother.

My reasoned critique is 'fast basic cheap single user router: For
everything else, buy something else'



--
Ineptocracy

(in-ep-toc'-ra-cy) - a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

#6  alexd, February 1st 14, 10:41 AM, posted to uk.telecom.broadband

Graham J (for it is he) wrote:

> So I now have the more-or-less random settings in the TP-Link which I
> left it with after the last failed test in my workshop - and these work.
> The logs suggest it tried various authentication methods and
> eventually worked.


Thinking about it, does the Draytek try to 'guess' the far end's IPsec
settings [ie cycle through different options]? If so, that would explain why
the logs on the TP-Link show multiple IPsec modes being received, and I
reckon this confuses or overwhelms the poor little underpowered thing. If
you just set the Draytek to manual, that should solve the problem.

Having said all of the above, let's not forget that we're talking about a
£30 router here - if you can live with its quirky [that's polite for "buggy
as ****"] behaviour then it's a bargain.

> It's a very irritating router to work with, so I will write a reasoned
> critique when I've calmed down!


Hey, it's usenet - no need to be reasoned :-S

--
http://ale.cx/ (AIM:troffasky) )
10:36:02 up 30 days, 13:14, 7 users, load average: 0.44, 0.34, 0.33
"If being trapped in a tropical swamp with Anthony Worral-Thompson and
Christine Hamilton is reality then I say, pass the mind-altering drugs"
-- Humphrey Lyttleton
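
As an added example (not code from this thread, from Draytek or from TP-Link), the two diagnostic points made above in Python: alexd's in #2, that a phase 1 timeout means either the proposals don't match or IKE traffic isn't arriving, and in #6, that an initiator cycling through several proposals against a single fixed policy may or may not find a match. The first part triages racoon log lines like the ones Graham posted; the second models RFC 2409 main mode proposal selection. The sample log's ERROR line, the proposal lists and the "ISAKMP-SA established" success check are constructed or assumed for the example, not either router's real configuration or output.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# --- Part 1: triage of racoon (the TP-Link's IKE daemon) log lines ---
VENDOR_RE = re.compile(r"racoon: INFO:\s*received Vendor ID:\s*(.+?)\s*$")
TIMEOUT_RE = re.compile(r"phase ?1 negotiation failed due to time up", re.I)
NAT_T_IDS = ("RFC 3947", "draft-ietf-ipsec-nat-t-ike")  # NAT traversal vendor IDs

def triage_racoon_log(lines: Sequence[str]) -> dict:
    """Summarise a responder-side racoon log: which vendor IDs the peer sent
    (NAT-T drafts, DPD) and whether phase 1 ever completed."""
    vendor_ids = [m.group(1) for m in map(VENDOR_RE.search, lines) if m]
    timed_out = any(TIMEOUT_RE.search(line) for line in lines)
    # racoon reports a completed phase 1 with "ISAKMP-SA established ..." (assumed format)
    established = any("ISAKMP-SA established" in line for line in lines)
    hint = None
    if timed_out and not established:
        # the two causes named in the thread: proposal mismatch, or IKE traffic blocked
        hint = ("phase 1 never completed: check that encryption, hash, DH group and "
                "authentication match on both ends, and that UDP 500/4500 reaches this router")
    return {
        "vendor_ids": vendor_ids,
        "peer_supports_nat_t": any(v.startswith(NAT_T_IDS) for v in vendor_ids),
        "phase1_timed_out": timed_out,
        "phase1_established": established,
        "hint": hint,
    }

# --- Part 2: IKEv1 main mode proposal selection (RFC 2409) ---
@dataclass(frozen=True)
class Proposal:
    enc: str        # e.g. "aes128", "3des"
    hash_alg: str   # "sha1" or "md5"
    dh_group: int   # Diffie-Hellman group number

def select_phase1(initiator: Sequence[Proposal],
                  responder: Sequence[Proposal]) -> Optional[Proposal]:
    """The responder accepts the first proposal, in the initiator's order, that it
    is also configured for. None means no match: the exchange never completes and
    both ends eventually report a phase 1 timeout."""
    accepted = set(responder)
    return next((p for p in initiator if p in accepted), None)

# Constructed sample data (assumed for this example, not either router's real lists).
SAMPLE_LOG = [
    "racoon: INFO:received Vendor ID: DPD",
    "racoon: INFO:received Vendor ID: RFC 3947",
    "racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-03",
    "racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-02",
    "racoon: INFO:received Vendor ID: draft-ietf-ipsec-nat-t-ike-00",
    "racoon: ERROR: phase 1 negotiation failed due to time up",
]
# An initiator that offers several proposals in turn, as the thread suspects the Vigor does.
AUTO_INITIATOR = [Proposal("aes256", "sha1", 5), Proposal("aes128", "sha1", 2),
                  Proposal("3des", "sha1", 2), Proposal("3des", "md5", 1)]
SINGLE_RESPONDER = [Proposal("aes128", "sha1", 2)]  # one fixed policy, TP-Link style

if __name__ == "__main__":
    print(triage_racoon_log(SAMPLE_LOG))
    print(select_phase1(AUTO_INITIATOR, SINGLE_RESPONDER))
```

Swapping SINGLE_RESPONDER for a policy the initiator never offers (say AES-256 with DH group 14) makes select_phase1 return None, which is the situation behind the "time up" error.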

#7  Graham J, February 1st 14, 12:11 PM, posted to uk.telecom.broadband

alexd wrote:
> Graham J (for it is he) wrote:
>
>> So I now have the more-or-less random settings in the TP-Link which I
>> left it with after the last failed test in my workshop - and these work.
>> The logs suggest it tried various authentication methods and
>> eventually worked.


> Thinking about it, does the Draytek try to 'guess' the far end's IPsec
> settings [ie cycle through different options]? If so, that would explain why
> the logs on the TP-Link show multiple IPsec modes being received, and I
> reckon this confuses or overwhelms the poor little underpowered thing. If
> you just set the Draytek to manual, that should solve the problem.


I think you're right about that. Certainly the Draytek "Advanced"
button shows "Main mode" and IKE phase 1 with 7 options and Phase 2 with
two options - so I guess it tries them all, but no idea which order

I will get another TP-link and do some more serious workshop testing,
with a reboot every time I change a setting.

> Having said all of the above, let's not forget that we're talking about a
> £30 router here - if you can live with its quirky [that's polite for "buggy
> as ****"] behaviour then it's a bargain.
>
>> It's a very irritating router to work with, so I will write a reasoned
>> critique when I've calmed down!


> Hey, it's usenet - no need to be reasoned :-S


OK here goes - just the problems I've found:

Set up, and save configuration file.

Note there is a firmware upgrade available, so install it. This resets
router to factory default!

Try to restore from saved configuration file - fails, incompatibility
error! I've not tried restoring a config file from the new firmware, so
I don't know whether it is a restore problem or an incompatibility
between different versions of firmware.

Access control - can enable web, telnet, ping; but no restriction as to
the IP address access is allowed from. So reliant only on password for
protection. Not investigated whether firewall will provide suitable
control.

IPSec: IKE pre-shared key length is limited to 15 characters. RFC2409
says between 8 and 256 characters, Cisco generally specify between 8 and
64 characters.

Configuration of RouterStats 6.8k - can capture speed and error counts,
but not the SNR margins. This of course might be a problem with
RouterStats - but I can configure it OK for the Draytek.

--
Graham J
#8  alexd, February 2nd 14, 09:12 PM, posted to uk.telecom.broadband

Graham J (for it is he) wrote:

> OK here goes - just the problems I've found:

> Set up, and save configuration file.


Works for me - I've used this method to disable NAT on these routers; the
config is plain text [well, XML anyway].

I think the v4 is different to the v3.

> Note there is a firmware upgrade available, so install it. This resets
> router to factory default!


Nope, not seen that.

> Access control - can enable web, telnet, ping; but no restriction as to
> the IP address access is allowed from. So reliant only on password for
> protection. Not investigated whether firewall will provide suitable
> control.


I can confirm this one :-( Would be eminently possible to fix with IPtables
that ships with the unit, if you could get root.

> IPSec: IKE pre-shared key length is limited to 15 characters. RFC2409
> says between 8 and 256 characters, Cisco generally specify between 8 and
> 64 characters.


Wasn't aware of this.

> Configuration of RouterStats 6.8k - can capture speed and error counts,
> but not the SNR margins. This of course might be a problem with
> RouterStats - but I can configure it OK for the Draytek.


Does it use SNMP? I noticed there is some stuff from the VDSL stats MIB on
there - on a unit that has an ADSL not VDSL modem [although who knows,
perhaps the chipset does both].

--
http://ale.cx/ (AIM:troffasky) )
21:06:27 up 31 days, 23:45, 7 users, load average: 0.28, 0.26, 0.30
"If being trapped in a tropical swamp with Anthony Worral-Thompson and
Christine Hamilton is reality then I say, pass the mind-altering drugs"
-- Humphrey Lyttleton

 



