Chapter 9

DrayTek Vigor

The DrayTek Vigors are fairly popular in Europe. They are cheap routers in a number of variants; some have an inbuilt ADSL modem, some also have wireless. The ADSL routers come in two versions. For ADSL with an analog line, the Annex A version should be used. For ADSL with an ISDN line, the Annex B version needs to be used.

Though the Vigors are cheap, they do have their own little issues, and it takes a little bit of time to get to know those issues. DrayTek sometimes fixes bugs in their firmware, so always check its website for firmware upgrades, but be very careful to flash the Vigors with the proper Annex version. DrayTek also responds well to email sent to its support staff, although we have had mixed results when reporting IPsec bugs in its implementation.

The Vigor Web Interface

The Vigors can be configured using a web interface. Though the username you give does not matter, with some browsers you have to fill in something or else they will not properly log in. In the default configuration, you can only configure the machine from the LAN, but the Vigor has a management menu where you can allow selective IP addresses or subnets on the Internet side to configure the Vigor remotely. Be aware though that when setting up an IPsec tunnel from the Vigor to your own subnet, you will break access to the management interface from the public IP. You will have to use the internal IP of the Vigor through the IPsec tunnel to reconfigure the Vigor. This can be slightly annoying when you are trying to configure the VPN, as depending on whether the VPN is up or not, you have to connect differently to the Vigor to manage it.

Another problem with the web interface is its pop-up boxes. Some pop-up boxes cause a looping JavaScript error in some browsers (such as Mozilla). Currently, we have only seen this behavior with the Call Schedule Setup, which is not all that important. We have also noticed that values do not always seem to be correctly filled in on a page where you have selected an Advanced option that causes a pop-up box to appear. Our advice is to always save the settings on each page, and update the pop-up boxes separately. Avoid changing both the page options and a pop-up in one go.

Below you can see the general setup screen accessible by going to Advanced Setup | VPN and Remote Access Setup | VPN IKE/IPsec General Setup. Here you can configure the PSK and deselect the Medium (AH) and DES options.

219

Chapter 9

In the Common Settings section, you configure the name of the connection. Do not forget to select

Enable this profile here.

The Call Direction section contains what is probably the weirdest Vigor issue, especially because Openswan has no such concept: the Vigor allows you to set a call direction. Dial-out means initiating, and Dial-in means responding to an IPsec IKE request. The problem starts when you want to have a 24/7 VPN tunnel. You can select Always on, but this really is a misleading name. It will just change the settings to Dial-out and dial immediately. In other words, if you set two Vigors to Always on, the IPsec connection will fail because neither end will allow Dial-in (responding). If you configure one end to Dial-in or Both it will work, but the Dial-in side will not be able to trigger the IPsec tunnel after a time out. And if you select the Enable PING to keep alive option, it again will change your call direction to Dial-out. So make sure you only select this ping option on the side that is set to Dial-out.

However, when a connection is Dial-out on the Vigor, you can still use ipsec auto –up to establish an IPsec SA, but it will not carry any traffic since the Vigor will attempt to delete it immediately. You will see confusing Delete Notify messages because the Vigor seems to set up its IPsec SA without confirming this to Openswan and it will then send a Delete Notify that Openswan cannot match.

221