Expired

V. VPN (Virtual Private Networking)

LAN-to-LAN VPN Troubleshooting

Products:
Vigor 2135ax
Vigor 2620Ln
Vigor 2760
Vigor 2762

Keywords:
IPsec
LAN to LAN
PPTP
Troubleshooting

The following is a list of the most common configuration mistakes made in setting up a Vigor-to-Vigor VPN connection, as well as some general advice for VPN configuration.

Please note that the General tab applies to all VPN types. It is recommended to check the possible causes in that list first when troubleshooting any type of LAN-to-LAN VPN connection.


General

  1. On LAN-to-LAN VPNs, for your own ease of use, but also when requesting help/support from your dealer you should keep an accurate plan of your setup. Most common problems are due to confusion over the VPN layout, so keeping your notes/planning clear and up to date is essential. We recommend a table, as shown in this example:

                              London           Liverpool
    Device                    Vigor2830        Vigor2860
    LAN Address               192.168.1.0      10.1.1.0
    LAN Subnet Mask           255.255.255.0    255.255.255.0
    Router's Address          192.168.1.1      10.1.1.1
    Router Admin Password     shilton          keegan
    Public IP Address         213.120.81.12    194.153.12.17
    VPN Profile Name          Liverpool        London
    Call Direction            Incoming         Outgoing
    Outgoing Username         n/a              scouser
    Outgoing Password         n/a              tyne44
    Protocols                 PPTP only        PPTP only
    Pre-Shared Key            n/a (IPSec only)

  2. If you want a VPN tunnel to be permanently active, rather than dial-on-demand, select Always On in the VPN profile of the dial-out router. At the other (receiving) end, select '0' as the inactivity timeout (indefinite). If the connection is interrupted, the calling end will retry until reconnected. Otherwise, by default, VPN tunnels have a 300 second (5 minute) inactivity timeout, which allows the router to drop the VPN if it's inactive. It will re-establish automatically if a client on either side needs to pass traffic to the remote network, but this does have a slight delay.

    'Always On' set on the Dial-Out router.

    Indefinite (zero) timeout set at the other end.

  3. Don't set up lots of VPN profiles on the router to start with. Set up a single profile, for one remote LAN/teleworker VPN and check that it works as expected.

  4. PPTP is simpler to set up as a protocol than IPSec. If you are troubleshooting, we therefore recommend you start with PPTP and confirm that the basic connection and settings work. You can then switch to IPSec or other protocols later, once the basic concepts and connection have been tested.

  5. Make sure that the VPN services being used are enabled on both routers. This is set from the [VPN and Remote Access] - [Remote Access Control] page; a restart is required to apply the change.

  6. Do not confuse the term 'subnet' with the term 'subnet mask'. A subnet is any subset of a universal network - a subnet can include one IP address, or millions of IP addresses. A subnet mask is a parameter used in combination with an IP address to tell clients and servers the size of the local subnet. This is best explained in detail elsewhere, but as a quick example, a subnet mask of 255.255.255.0 gives you a local subnet of 253 local addresses. If a local IP address is 192.168.1.42, it is only the final octet (.42) which varies around the local network - the first three octets must be the same on all local clients, otherwise the IP address falls outside the local IP subnet range and is considered by the PC and router to be remote.

  7. Ensure that the networks on each side of the VPN are in different subnets, i.e. if both LANs are numbered 192.168.1.X then they cannot route to each other because they are within the same logical subnet.

  8. On the dial-out side of the VPN connection, make sure that the server IP / host name that it's dialing to is correct, and check for spaces.

  9. Check that the routers can ping each other's WAN IP. The exception to this would be if one router is located behind a NATted address, in which case that should be the dial-out router and it should use PPTP or IPsec with Aggressive mode configured.
    The routers will block pings from the WAN interface by default. This is changed from the [System Maintenance] - [Management] page, by unticking Disable PING from the Internet and applying that. Ping diagnostics can be performed from the [Diagnostics] - [Ping Diagnosis] page.

  10. On routers that support the Policy Route feature, if the VPN is up but not passing traffic, check the Policy Routing Guide for details on how to fix this.

  11. Check the Route / NAT setting; this should generally be set to Route. The NAT setting is used with dial-out VPN connections, where the router would apply NAT to the VPN connection, which would give that network access to the remote network but no access in the other direction.

  12. In the LAN-to-LAN profile, enter 0.0.0.0 for the My WAN IP and Remote Gateway IP settings. The Vigors are able to determine their VPN WAN and remote VPN gateway IP addresses automatically from the remote Vigor, therefore you should not normally enter an IP address. Here is the example from the setup guide :
    IP Address
  13. If the VPN is connecting but drops out very frequently, check whether Ping to keep alive is enabled on the Dial-Out side. Its purpose is to drop and re-establish the VPN if the ping target does not respond, so if the target address does not respond, the router will drop the VPN roughly every minute.
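
A check for the plan described in items 1 and 6 to 9, as an added example that is not DrayTek code: it takes the planning table as a Python dictionary and reports a LAN address that does not match its mask, a router address outside its LAN, overlapping LANs, whitespace in the dial-out server name, and a NATted router planned as the receiving end. The field names are hypothetical, the addresses are those of the example table, and treating a non-global "public" address as "behind NAT" is an assumption of this sketch.

```python
import ipaddress

# Constructed sample plan using the addresses from the example table.
# Field names are hypothetical; "server" is the address the site dials to.
PLAN = {
    "London": {"lan": "192.168.1.0", "mask": "255.255.255.0",
               "router": "192.168.1.1", "public": "213.120.81.12",
               "direction": "Incoming", "server": None},
    "Liverpool": {"lan": "10.1.1.0", "mask": "255.255.255.0",
                  "router": "10.1.1.1", "public": "194.153.12.17",
                  "direction": "Outgoing", "server": "213.120.81.12"},
}

def check_plan(plan):
    """Return a list of problems found in a LAN-to-LAN VPN plan."""
    problems = []
    nets = {}
    for site, p in plan.items():
        try:
            # strict=True rejects a LAN address with host bits set for the mask
            net = ipaddress.ip_network(f"{p['lan']}/{p['mask']}", strict=True)
        except ValueError as exc:
            problems.append(f"{site}: bad LAN address/mask ({exc})")
            continue
        nets[site] = net
        if ipaddress.ip_address(p["router"]) not in net:
            problems.append(f"{site}: router {p['router']} is outside {net}")
        # Item 9: a router behind NAT should be the dial-out side.
        # Assumption: a non-global WAN address means the router is NATted.
        if (not ipaddress.ip_address(p["public"]).is_global
                and p["direction"] != "Outgoing"):
            problems.append(f"{site}: behind NAT, should be the dial-out router")
        # Item 8: whitespace in the dial-out server IP / host name
        server = p.get("server")
        if server is not None and any(c.isspace() for c in server):
            problems.append(f"{site}: server {server!r} contains a space")
    # Item 7: the LANs on each side must not share or overlap a subnet
    sites = list(nets)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: {nets[a]} and {nets[b]} overlap")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan looks consistent"]:
        print(line)
```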
