IPSec VPN behind 3G private network (Draytek to Mikrotik)

I am trying to create a VPN from a Draytek router (2830) to a Mikrotik router (RB2011), but cannot. I have previously done this between two Drayteks (one connecting using 3G), so I know it is possible. I also know my VPN settings should work because I have created an identical VPN between another Draytek (connected via ADSL) and the Mikrotik.

The set up is: LAN >> Draytek 2830 >> via 3G Mobile Network >> Internet >> Mikrotik (RB2011)

The addresses are:
192.168.0.1 (Draytek LAN)
/
10.xxx.xxx.209 (WAN seen by the Draytek)
/
80.xxx.xxx.213 (Draytek actual WAN eventually seen by Mikrotik - given by exit point from 3G provider)
/
86.xxx.xxx.121 (WAN)
/
192.168.1.1 (Mikrotik LAN)

I am using a script to update the Draytek src address on the Mikrotik to 10.215.54.209 (via DDNS).

I suspect this does not work because of the private IP given by the mobile provider. This was not a problem when going draytek to draytek because they did not care where the VPN came from.

Has anyone created an IPSec VPN from behind a 3G private address???

Help much appreciated!!

Charles

Many devices cannot deal with IPSec. And many devices can only deal with one IPSec connection.
I think your device cannot work with IPSec protocol.

I have managed to get a request from the Draytek to the Mikrotik by finding the IP address the Draytek is using (by seeing the UDP traffic on Port 500 on the Mikrotik firewall).

The problem is that the connection is not made, even though I have an identical set up between another Draytek and the Mikrotik which does connect.

The logs are very difficult for me to interpret and I would be prepared to load them up here but am worried about security. If I load them here without changing the details, will someone be able to use them to hack my system? What do I obfuscate before I load them?

Charles

After a VERY long time trying to make this work, I have found the solution.

In the end, to connect from a Draytek (2830) to a Mikrotik (RB2011) when the Draytek is NATed behind an IP address provided by a 3G mobile operator, I had to do the following:

  1. On the Draytek, in the IPSec settings, make sure that “From first subnet to remote network, you have to do” is set to “Route”.
  2. Use Aggressive mode.
  3. On the Mikrotik, use the IP address that the Mikrotik sees (not the external IP address the Draytek has), because the Draytek’s address will be NATed again by the 3G network operator. The way I know which IP address to use is by logging all attempts to reach Port 500 on the Mikrotik firewall.

The rest is just standard IPSec settings on both routers.

The next challenge I have is how to automatically pick up the address (of the Draytek) that the Mikrotik needs.

HTH

Charles
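The step of reading the real source address off the Mikrotik's port-500 firewall log, and the follow-up problem of picking it up automatically, can be scripted. The block below is an added example and is not code from the thread: it parses a constructed sample of RouterOS-style firewall log lines (format, addresses and the `ike-probe` log prefix are all assumptions), keeps only UDP hits on the IKE ports 500 and 4500, counts hits per source so a stray scanner stands out next to the real peer, restricts the candidate to the 3G operator's exit range so an unrelated probe cannot repoint the peer entry, and builds the RouterOS command that would update a named IPsec peer (the command syntax is also an assumption for RouterOS versions where peers carry a `name` and an `address`).

```python
import ipaddress
import re

# Constructed sample log lines (not from the original post), loosely modelled on
# RouterOS "firewall,info" output from a rule with log=yes log-prefix=ike-probe.
# All addresses are placeholders; 86.0.0.121 stands in for the Mikrotik WAN address.
SAMPLE_LOG = """\
jan/02 10:11:12 firewall,info ike-probe input: in:ether1 out:(unknown 0), proto UDP, 80.0.0.213:500->86.0.0.121:500, len 300
jan/02 10:11:15 firewall,info ike-probe input: in:ether1 out:(unknown 0), proto UDP, 203.0.113.9:500->86.0.0.121:500, len 280
jan/02 10:11:20 firewall,info ike-probe input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.7:40000->86.0.0.121:22, len 60
jan/02 10:11:31 firewall,info ike-probe input: in:ether1 out:(unknown 0), proto UDP, 80.0.0.213:4500->86.0.0.121:4500, len 120
"""

# Matches the "proto UDP, src:sport->dst:dport" part of a RouterOS firewall log line.
UDP_RE = re.compile(
    r"proto UDP, (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r"->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

IKE_PORTS = (500, 4500)  # IKE and NAT-T; a Draytek behind carrier NAT shows up on both


def ike_hits(log_text, ports=IKE_PORTS):
    """Return (src_ip, dst_port) for every UDP packet to an IKE port, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = UDP_RE.search(line)
        if m and int(m.group("dport")) in ports:
            hits.append((m.group("src"), int(m.group("dport"))))
    return hits


def source_counts(log_text):
    """Count hits per source address so a scanner is visible next to the real peer."""
    counts = {}
    for src, _ in ike_hits(log_text):
        counts[src] = counts.get(src, 0) + 1
    return counts


def latest_peer_address(log_text, allowed_net=None):
    """Most recent IKE source address, optionally restricted to the 3G operator's
    exit range (a CIDR string) so a random port-500 probe cannot hijack the peer."""
    net = ipaddress.ip_network(allowed_net) if allowed_net else None
    chosen = None
    for src, _ in ike_hits(log_text):
        if net is None or ipaddress.ip_address(src) in net:
            chosen = src  # later lines win, so this ends as the newest match
    return chosen


def peer_update_command(peer_name, address):
    """RouterOS command to repoint a named IPsec peer. The syntax is an assumption
    for a RouterOS version where /ip ipsec peer entries have a name and an address."""
    return f'/ip ipsec peer set [find name="{peer_name}"] address={address}/32'


if __name__ == "__main__":
    print(source_counts(SAMPLE_LOG))
    addr = latest_peer_address(SAMPLE_LOG, allowed_net="80.0.0.0/24")
    print(peer_update_command("draytek-3g", addr))
```

Restricting the candidate to the operator's exit range matters because anything on the internet can send a packet to UDP/500; without that check a scanner would become the peer address the next time the script ran. Separately, Aggressive mode with a pre-shared key sends the identity hash unprotected in the first exchange, so the PSK used on this tunnel should be long and random.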