DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Remote Dial-In VPN

19 Jul 2022 18:39 #101439 by senecav
Remote Dial-In VPN was created by senecav
I have a Vigor 2927ac Router which I have configured via a WAN connection (WAN1) behind a "BT Smart Hub 2" on Ultra-Fast Fibre broadband which it is using as a pass through modem and the setup is working perfectly giving me a minimum 750MB throughput.

I have also got a number of "LAN-To-LAN" VPN connections to various other Draytek Routers (Vigor 2820s-2860s) and all connect correctly and quickly using AES encryption; however, I have a need to set up a few "Remote Dial-In VPN" connections, preferably using AES encryption, from 4 individual user PCs running Windows 10 on which I have installed the Draytek Smart Client.

I have set up the Smart Hub 2 with ALL features disabled and set a static address in the 192.168.254.X/27 on both the "Smart Hub 2" ethernet and set it to forward ALL IP traffic to the Vigor 2927ac WAN1 port (again with a static IP address in the 192.168.254.X/27 range).

With it set up this way, as I stated, the "LAN-To-LAN" VPN connectivity works perfectly; however, "Remote Dial-In" will not connect at all. All I get is a "Failed to Connect" message in the SmartVPN Client.

I can get it to work "after a fashion" using SSL; however, this is not secure enough for my purposes.

I believe the problem lies at the Smart Hub 2/Vigor 2927ac end of the chain but cannot figure out what. I think I may not be forwarding some required protocol to the Vigor, UDP traffic springs to mind on specific ports maybe, but am not sure.

Can anyone shed some light on what I may be missing to get the "remote dial-in" to work?

20 Jul 2022 03:00 #101440 by hornbyp
Replied by hornbyp on topic Re: Remote Dial-In VPN
If the BT Smart Hub 2 is truly in "Pass through" aka Bridge or Modem mode, then it should not be doing any work at the IP level, regarding traffic forwarding. In fact, it only needs an IP address, so that it can be 'managed' (separate can of worms there! ... it should probably be on a different IP network to the 2927's LAN (since it is connected to the 2927's WAN)).

First, consider that this problem might be the outbound firewalling at the VPN client.

Second: SmartVPN works in different ways, depending on the VPN protocol in use. It does the hard work for SSL; for the others, I believe it is really just an interface to the underlying Windows DUN. Digging around, you should find a "To Vigor" RAS entry, which you can manipulate directly. You can also try 'dialling' it directly too - which might give you an actual error message... (the olde-world RASPHONE and RASDIAL commands from Windows 95 still exist and can be useful). Also check the client's Eventvwr records and the SYSLOG output from the 2927.

Which 'type' of VPN have you selected in SmartVPN, since "AES" isn't actually an option?
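
The client-side checks suggested in the reply above, as an added PowerShell example that is not part of the original posts: it shows how Windows has the RAS entry configured, dials it with rasdial to surface the numeric error, then lists the RasClient events logged during the attempt. The entry name "To Vigor" is taken from the reply and is an assumption about what SmartVPN created on your PC.

```powershell
# Assumption: the SmartVPN Client created a Windows RAS entry with this name
# (the name mentioned in the reply above). Change it if yours differs.
$entry = 'To Vigor'

# Look in both the per-user and the all-users phonebook for the entry.
$vpn = (@(Get-VpnConnection -ErrorAction SilentlyContinue) +
        @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)) |
       Where-Object { $_.Name -eq $entry }

if (-not $vpn) {
    Write-Warning "No RAS entry named '$entry' found; check the name in SmartVPN."
    return
}

# Show what Windows will actually negotiate: tunnel type, authentication
# method and required encryption level for this entry.
$vpn | Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Remember when the attempt started so only events from this test are listed.
$start = Get-Date

# Prompt for the dial-in user instead of hard-coding credentials in the script.
$cred = Get-Credential -Message "Dial-in user for '$entry'"
$net  = $cred.GetNetworkCredential()

# Dial the entry directly. rasdial prints the RAS error text, and its exit
# code is 0 on success or the RAS error number on failure.
rasdial.exe $entry $net.UserName $net.Password
$rasCode = $LASTEXITCODE
"rasdial exit code: $rasCode"

# List what the Windows RAS client logged while the attempt was running.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        StartTime    = $start
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-List TimeCreated, Id, Message

# If the test connection came up, take it down again.
if ($rasCode -eq 0) { rasdial.exe $entry /disconnect }
```

Compare the timestamp of the failed attempt with the SYSLOG output from the 2927: if the router logs nothing for that time, the traffic is not reaching it.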

23 Jul 2022 11:51 #101459 by desquinn
Replied by desquinn on topic Re: Remote Dial-In VPN
VPN gets you the sounds like you are using the smart hub with dmz as from memory with it is in modem mode that's all the config you have apart from its ip address. If the bt hub is routing then you need port forwards which I would avoid. If syslog or vpn client is saying password issues then check the password and username lengths as well as them being accurate.

Can you ping the external ip of the draytek from the clients?

Edit: missed that you had SSL working but wonder what your issue with security comparison from SSL to I am presuming Ipsec. We tend to use SSL for our remote workers but have dabbled with openvpn. Draytek to recommend ssl or ipsec for teleworkers. Wondering what your issue with the comparable security between the two is from a curiosity point of view. We use radius as well to help with the user creds side of things.

But protocol should not work but check the passwords like I said above as the protocols have different requirements that the gui has got better at displaying but not always.

Des Quinn
