DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VPN not connecting
10 Feb 2021 11:42 #98417
by thegoody
Vigor2920 and just enough knowledge to be dangerous
VPN not connecting was created by thegoody
I am trying to set up my Vigor2920 with ExpressVPN and not having much luck. I have set it up as per the guide on the DrayTek website and have had a couple of connections that seemed to work, I once managed to get as far as doing a "Where does my IP address show that I am" check on some website, but then tried a speed test and it fell over and now won't re-connect. I have looked at the syslog and get this:
"2021-02-10 11:34:41", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = ExpressVPN, ifno = 10"
"2021-02-10 11:34:37", "sent QI2, IPsec SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:37", "IPsec SA #316 will be replaced after 2963 seconds"
"2021-02-10 11:34:37", "Client L2L remote network setting is 0.0.0.0/0"
"2021-02-10 11:34:37", "Start IKE Quick Mode to 85.203.46.46"
"2021-02-10 11:34:37", "ISAKMP SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:37", "ISAKMP SA #315 will be replaced after 18000 seconds"
"2021-02-10 11:34:37", "NAT-Traversal: Using RFC 3947, no NAT detected"
"2021-02-10 11:34:37", "Initiating IKE Main Mode to 85.203.46.46"
"2021-02-10 11:34:33", "[L2L][DOWN][L2TP/IPSec][@1:ExpressVPN]"
"2021-02-10 11:34:33", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = ExpressVPN, ifno = 10"
"2021-02-10 11:34:29", "sent QI2, IPsec SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:29", "IPsec SA #314 will be replaced after 2850 seconds"
"2021-02-10 11:34:29", "Client L2L remote network setting is 0.0.0.0/0"
"2021-02-10 11:34:29", "Start IKE Quick Mode to 85.203.46.46"
"2021-02-10 11:34:29", "ISAKMP SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:29", "ISAKMP SA #313 will be replaced after 20700 seconds"
"2021-02-10 11:34:29", "NAT-Traversal: Using RFC 3947, no NAT detected"
"2021-02-10 11:34:29", "Initiating IKE Main Mode to 85.203.46.46"
"2021-02-10 11:34:25", "[L2L][DOWN][L2TP/IPSec][@1:ExpressVPN]"
"2021-02-10 11:34:25", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = ExpressVPN, ifno = 10"
I'm still very new to all this, so not a lot makes much sense to me of all of that. It just repeats round and round like it's trying to re-connect over and over again, but I can't make out what the actual failure is. Any suggestions would be greatly appreciated.
10 Feb 2021 23:55 #98418
by hornbyp
Replied by hornbyp on topic Re: VPN not connecting
TheGoody wrote:
Any suggestions would be greatly appreciated.
I can't claim to be a VPN expert, don't have a 2920 and have never used ExpressVPN - but so far, I'm the best response you've had :lol:
Your VPN connection didn't get far at all - that Syslog represents the entirety of two failed attempts...
Have you found the ExpressVPN setup instructions for Draytek Routers, here:
https://www.expressvpn.com/support/vpn-setup/draytek-drayos-l2tp/
:?:
(I found these by doing a Google site search - I couldn't spot them in the menu anywhere) They do say contact ExpressVPN support for 'immediate assistance'. (It appears to be a 'live chat').
Do you know the "Pre-shared key" ? ... that doesn't seem to be documented - (but may be per-user).
The main thing of interest in the Syslog, is the line: "Initiating IKE Main Mode to 85.203.46.46". For this to work, you either need a fixed IP address, or to use a "LOCAL ID". The "LOCAL ID" is yet another 'shared secret', that you would need to know...
It's entered on the [Advanced] option screen (there's a 'button', in the 'IPsec Security Method' section of the LAN to LAN Profile setup.)
Something more likely to work, is also found in that 'IKE advanced settings' section, namely "Aggressive mode" (this is where it will currently say "Main mode"). I would try that first
Another possibility, is that the 2920 is just too 'long-in-the-tooth'. It may not support the minimum key lengths and encryption protocols that ExpressVPN require.
11 Feb 2021 15:12 #98424
by thegoody
Vigor2920 and just enough knowledge to be dangerous
Replied by thegoody on topic Re: VPN not connecting
Thanks for the suggestions, sadly though none of this worked. I did speak to ExpressVPN and while they were fairly helpful there were a number of suggestions made that made me suspect that the tech support might not be quite as technical as I'd hoped. I never got so much as an acknowledgement to asking about the "Local ID" even though I asked two or three times. It's very strange, as I have had it connect a couple of times and been able to do a very limited amount of testing before it dropped out again. Seems odd that it is able to connect but can't sustain it.
I think you might be right in the 2920 being too old now, I'll have to put my hand in my pocket and get something newer! Has anyone had success with any specific combination of hardware and VPN service? I really like the 2920, it's definitely overkill for what I'm doing with it, I love the level of control and detail I can go to with it but I haven't seen many VPN services listing DrayTek devices as being compatible. Maybe it's not the right product for me?
12 Feb 2021 00:51 #98431
by hornbyp
Replied by hornbyp on topic Re: VPN not connecting
TheGoody wrote:
It's very strange, as I have had it connect a couple of times and been able to do a very limited amount of testing before it dropped out again.
It's something of a Black Art
Many documentation sources are adamant that you cannot use "Main Mode" without a fixed IP address. This one says you can, if you use certificates. I can't find a reference for the "Local Id" approach, but it's out there somewhere :wink:
And yet...
The Android VPN client always uses "Main Mode". I have two entries stored in my Huawei (Android 10) phone. One attempts to connect to my Vigor 2830 and fails miserably - with very little information from either end of the link. The other connects successfully to my Vigor 2860 - which acknowledges the use of "Main Mode". How can that be :?:
This Draytek article (which admittedly, is talking about Lan-to-Lan VPN), says :-
Draytek wrote:
Main Mode: This uses the Pre-shared key and the IP Addresses of each side to authenticate the VPN connection, this requires a fixed IP on both sides of the VPN connection unless a global PSK is used. Using a global PSK for VPN is not covered in this article.
What information have ExpressVPN given you, in order to connect. Obviously an IP address/DNS name and presumably a Username/Password combination.
Anything else at all :?:
I think the 2920 must be quite 'terse' in its VPN logging, compared with later units - reading through it again, it does say "IPsec SA established with 85.203.46.46" - but it stops there - no mention of "PPP", "L2TP", "CHAP" etc that you would think would follow. No error message either
13 Feb 2021 16:38 #98452
by dazeck
Replied by dazeck on topic Re: VPN not connecting
I've had the same issues, and I actually went out and bought the 2865, ExpressVPN does still not work.
I've tried all the guides on how to configure.
It connects fine for me, shows as green, but no traffic goes out or comes back (not sure which). I'm no expert either, but I also bought NordVPN to try, and to be honest it worked first time. I ended up trying a few VPN services as they all offered a refund within xx number of days if I wasn't happy. Although trying to cancel without them begging you to stay is nigh on impossible and it takes up to 7 days to get your money back (always amazes me how it's like 5 seconds to take my money and 7 days to give it back)
Anyway, with all the time I've wasted trying to get ExpressVPN to work, I would seriously give in.
14 Feb 2021 03:29 #98457
by hornbyp
Replied by hornbyp on topic Re: VPN not connecting
I wrote:
Do you know the "Pre-shared key" ? ... that doesn't seem to be documented - (but may be per-user).
If I'd read that guide properly, I would know that it's "12345678" :wink: - I think you must have already known and used that, for the connection to get as far as it did.
I also wrote:
The main thing of interest in the Syslog, is the line: "Initiating IKE Main Mode to 85.203.46.46". For this to work, you either need a fixed IP address, or to use a "LOCAL ID". The "LOCAL ID" is yet another 'shared secret', that you would need to know...
Doing a bit of reading, I deduce that Draytek VPN (Servers) implement "Main Mode" with a dynamic IP, by making everyone share the same "KEY". ExpressVPN appear to do the same (12345678). The Local ID (also known as Peer ID), seems to be just another 'shared secret' and seems intended to beef up 'Aggressive Mode', rather than 'Main Mode'.
I found a troubleshooting article by Microsoft which is quite enlightening.
Microsoft wrote:
When you start the connection, an initial L2TP packet is sent to the server, requesting a connection. This packet causes the IPSec layer on your computer to negotiate with the VPN server to set up an IPSec protected session (a security association)
Looking at the Router logs, I've always been under the impression they happened the other way round: IKE -> IPSEC -> L2TP ... when it's actually the 'higher' levels making the 'lower' levels spring into action. You live and learn!
Going back to the log, it says "ISAKMP SA established with 85.203.46.46", so that's the Pre-shared Global Key ("12345678") stuff out of the way. This SA (Security Association) is then used to establish the IPsec connection: "IPsec SA established with 85.203.46.46" successfully. Then nothing...
It's as though the server at the far end is simply not responding. Have you tried any other ExpressVPN connection points :?:
@Dazeck - did the 2865 give any more information in its VPN log :?:
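The reading of the syslog given in the post above (ISAKMP SA up, IPsec SA up, then nothing before the drop) can be checked mechanically. The Python below is an added example, not part of the thread or of any DrayTek tool; its sample is abridged from the syslog in the first post, and the idea that a tunnel which got further would log a line naming L2TP, PPP or CHAP is an assumption taken from the thread.

```python
import csv, io
from datetime import datetime

# Abridged from the syslog in the first post (newest line first, as the router shows it).
SAMPLE = '''\
"2021-02-10 11:34:41", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = ExpressVPN, ifno = 10"
"2021-02-10 11:34:37", "sent QI2, IPsec SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:37", "Start IKE Quick Mode to 85.203.46.46"
"2021-02-10 11:34:37", "ISAKMP SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:37", "Initiating IKE Main Mode to 85.203.46.46"
"2021-02-10 11:34:33", "[L2L][DOWN][L2TP/IPSec][@1:ExpressVPN]"
"2021-02-10 11:34:33", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = ExpressVPN, ifno = 10"
"2021-02-10 11:34:29", "sent QI2, IPsec SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:29", "Start IKE Quick Mode to 85.203.46.46"
"2021-02-10 11:34:29", "ISAKMP SA established with 85.203.46.46. In/Out Index: 0/-1"
"2021-02-10 11:34:29", "Initiating IKE Main Mode to 85.203.46.46"
'''

# Milestones in protocol order; the last one reached shows where an attempt stalled.
STAGES = ["Initiating IKE", "ISAKMP SA established", "IPsec SA established"]
# Assumption: a tunnel that got further would log a line naming one of these.
UPPER = ("L2TP", "PPP", "CHAP")

def parse(text):
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    events = [(datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S"), r[1]) for r in rows if len(r) == 2]
    return events[::-1]  # reverse into chronological order

def attempts(events):
    done, cur = [], None
    for ts, msg in events:
        if msg.startswith(STAGES[0]):          # a new dial-out begins
            cur = {"start": ts, "reached": STAGES[0], "upper_layer": False}
        elif cur is None:
            continue                           # teardown lines between attempts
        elif msg.startswith("PPP Drop"):       # the router abandons this attempt
            cur["seconds"] = int((ts - cur["start"]).total_seconds())
            done.append(cur)
            cur = None
        elif any(s in msg for s in STAGES[1:]):
            cur["reached"] = next(s for s in STAGES[1:] if s in msg)
        elif any(u in msg for u in UPPER):
            cur["upper_layer"] = True
    return done

if __name__ == "__main__":
    for a in attempts(parse(SAMPLE)):
        print(a["start"], "reached:", a["reached"], "| L2TP/PPP seen:", a["upper_layer"], "| dropped after", a["seconds"], "s")
```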