DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

DrayTek 2860 VPN Server Behind a Second Router

  • evoelise
  • Topic Author
  • Offline
  • New Member
  • New Member
More
15 Sep 2021 13:11 #99838 by evoelise
I am attempting to get VPN (with L2TP over IPsec) working using my DrayTek 2860 router to provide remote desktop access to some PCs following the instructions here: https://www.draytek.com/support/knowledge-base/5390#drayos
However I have my DrayTek router behind another router with a firewall in a separate subnet. Like this:

Remote Access PCs <--> Internet <--> ISP Router <-- 192.168.2.x subnet --> DrayTek 2860 router <-- 192.168.1.x subnet --> PCs to provide VPN remote access to.

I believe I have set up the routes and the VPN client on the remote access PCs correctly as per the instructions.

However it is not working (error the network connection between your server and the VPN server could not be established) and I believe this is because I need to pass through the VPN connections throung the first router/firewall to the VPN server on teh DrayTek routes.

What ports and protocols do I need to passthough to the DrayTek router to get VPN working?

Please Log in or Create an account to join the conversation.

More
16 Sep 2021 01:39 #99841 by hornbyp

evoelise wrote:
What ports and protocols do I need to passthough to the DrayTek router to get VPN working?



These are the instructions for setting up the Internet-facing router - if that router were a Draytek: https://www.draytek.com/support/knowledge-base/5288
What you require are the equivalent instructions for your ISP-supplied Router! (See ISP :) )

Unless your internet connection is > ~220Mbps, why wouldn't you just ditch the ISP-supplied Router :?:

Please Log in or Create an account to join the conversation.

  • evoelise
  • Topic Author
  • Offline
  • New Member
  • New Member
More
16 Sep 2021 16:35 #99851 by evoelise
Thanks - looks like I have set up with those exact settings. TCP 1723, UDP 1701, UDP 500 and UDP 4500 all forwarded to the DrayTek router.
I can see the packets being passed through in the logs on the first router. But it is not working. It seems to give two different errors at different times, one about the remote server not responding and one about the initial security negotiations failing.

I have tried connecting directly to the DrayTek router with the Windows 10 VPN client (on the 192.168.2.x subnet) and that does not work either. This gives an error about the L2TP failing due to security issues during initial negotiations.

I have double checked the user credentials and passphrase, they are all correct.

Unless your internet connection is > ~220Mbps, why wouldn't you just ditch the ISP-supplied Router.



The "main" network is behind the DrayTek router that is not directly exposed to the internet. It sits on a different subnet handled by the ISPs router that is exposed to the internet. On this "exposed" subnet I place devices that I don't want on my "main" network such as IOT devices and "guest" wifi for mobile phones and PCs.

Please Log in or Create an account to join the conversation.

More
18 Sep 2021 02:10 #99866 by hornbyp
The separation of IOT, Guest Wifi etc is possible using the VLAN functionality of the 2860, without needing an additional Router. Mine is configured to do that.

Having it directly connected to the Internet gets rid of the double-natting and makes VPN connectivity somewhat easier (I have an always on L2TP/IPsec VPN to a 2830n on another site). I appreciate that reconfiguring it this way, would be quite time-consuming...

I did a few experiments to see what the current state of play is, vis-a-vis VPN clients. ( For the LAN-to-LAN role, I had to ensure that the 2860 didn't use configurations that the 2830 doesn't support, - and I'm sure this applies to some extent, to all VPN clients that are more recent than the Vigor. Unfortunately, the Vigor provides much less configurability for Dial-in clients, than it does for Lan-to-Lan)

My Android 10 phone will not connect to my 2830. Syslog reveals the ISAKMP SA is established, but IPSec doesn't happen and therefore neither does the L2TP tunnel. The phone will connect to the 2860 successfully. (It will only do this using its cellular connection - attempts to 'hairpin' via the 2860's Wifi fail. This is not the case for an SSL VPN, but these are very slow.)

I tried tethering the phone to a laptop running Windows 10 (21H1) and created two VPN profiles (one for the 2830 and one for the 2860). Both worked without any dramas. (So at least you know, that what you are trying to do is still possible :) )

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami