DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Lan to Lan VPN 2862 to 2860

18 Sep 2024 16:19 #103876 by Leslie
Lan to Lan VPN 2862 to 2860 was created by Leslie
I successfully set up a dial-out SSL connection from my 2862 to a dial-in 2866.

I'm now trying to replicate that from my 2862 to a 2860 router.

The two routers do not have exactly the same setup pages, but I think I have followed the original settings carefully - obviously using a different user name.

It is failing to connect.  Looking at the Syslog Explorer the error I see is 

SSLTunnel (VPN-2, DAtoZS) <== Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=91459A7187858891B585BEF9ABF59CE9 V=0 M=Good luck! ##
CHAP Login Failed (VPN : L2L Dial-out, Profile index = 2, Name = DAtoZS, ifno = 12)
[SSL TUNNEL][L2L][2:DAtoZS][@xx.xx.143.232] CHAP failure: username/password error

I am certain the user/password settings are the same on both.  I have even tried to change both users/passwords to simply AAAA/123456 with the same result.

Are the two routers compatible?

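The three Syslog Explorer lines quoted above carry more than "username/password error": the `E=691 R=1 C=... V=0 M=...` fields are the MS-CHAP-V2 Failure packet layout from RFC 2759 (error code, retry flag, a fresh challenge, the password-change protocol version and a free-text message), and the bracketed line names the profile index, profile name and peer address. The following script is an added example, not code from the forum thread or from DrayTek: it parses both line shapes and then counts CHAP failures per profile and peer, so that a single misconfigured site (the case in this thread) can be told apart from a peer that keeps hammering a dial-in profile. The sample log is constructed here in the same layout as the quoted output, with documentation-range addresses in place of the masked `xx.xx.143.232`; the second profile `Branch2` and the alert threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the DrayTek Syslog Explorer lines quoted
# in the post. Peer addresses are documentation ranges, the "Branch2" profile
# is invented, and the repeated failure lines are assumed for the example.
SAMPLE_LOG = """\
SSLTunnel (VPN-2, DAtoZS) <== Protocol:CHAP(c223) Failure Identifier:0x01 E=691 R=1 C=91459A7187858891B585BEF9ABF59CE9 V=0 M=Good luck! ##
CHAP Login Failed (VPN : L2L Dial-out, Profile index = 2, Name = DAtoZS, ifno = 12)
[SSL TUNNEL][L2L][2:DAtoZS][@203.0.113.45] CHAP failure: username/password error
[SSL TUNNEL][L2L][2:DAtoZS][@203.0.113.45] CHAP failure: username/password error
[SSL TUNNEL][L2L][2:DAtoZS][@203.0.113.45] CHAP failure: username/password error
[SSL TUNNEL][L2L][3:Branch2][@198.51.100.7] CHAP failure: username/password error
"""

# MS-CHAP-V2 Failure packet message (RFC 2759, section 6):
#   E=<error> R=<retry 0/1> C=<32 hex challenge> V=<version> M=<message>
MSCHAP_FAILURE_RE = re.compile(
    r"Protocol:CHAP\(c223\) Failure Identifier:0x(?P<ident>[0-9A-Fa-f]+) "
    r"E=(?P<error>\d+) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32}) "
    r"V=(?P<version>\d+) M=(?P<message>.*?)\s*##\s*$"
)

# Router-side summary line: [tunnel][kind][index:profile][@peer] CHAP failure: reason
CHAP_FAIL_LINE_RE = re.compile(
    r"^\[(?P<tunnel>[^\]]+)\]\[(?P<kind>[^\]]+)\]"
    r"\[(?P<index>\d+):(?P<profile>[^\]]+)\]\[@(?P<peer>[^\]]+)\] "
    r"CHAP failure: (?P<reason>.*)$"
)

# Error codes defined for the MS-CHAP-V2 Failure packet.
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad username or password)",
    709: "error changing password",
}


def parse_failure_packet(line):
    """Decode the E/R/C/V/M fields of a logged MS-CHAP-V2 Failure packet."""
    m = MSCHAP_FAILURE_RE.search(line)
    if not m:
        return None
    code = int(m["error"])
    return {
        "identifier": int(m["ident"], 16),
        "error": code,
        "error_text": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": m["retry"] == "1",
        "challenge": m["challenge"].lower(),
        "version": int(m["version"]),
        "message": m["message"],
    }


def parse_chap_failure(line):
    """Pull profile index, profile name, peer and reason out of a CHAP failure line."""
    m = CHAP_FAIL_LINE_RE.match(line)
    if not m:
        return None
    return {
        "tunnel": m["tunnel"],
        "kind": m["kind"],
        "profile_index": int(m["index"]),
        "profile": m["profile"],
        "peer": m["peer"],
        "reason": m["reason"],
    }


def analyse(log_text, threshold=3):
    """Return decoded failure packets, a per-(profile, peer) failure counter and
    the (profile, peer) pairs that reached the threshold."""
    packets = []
    failures = Counter()
    for line in log_text.splitlines():
        pkt = parse_failure_packet(line)
        if pkt:
            packets.append(pkt)
            continue
        fail = parse_chap_failure(line)
        if fail:
            failures[(fail["profile"], fail["peer"])] += 1
    alerts = [
        {"profile": profile, "peer": peer, "failures": n}
        for (profile, peer), n in sorted(failures.items())
        if n >= threshold
    ]
    return packets, failures, alerts


if __name__ == "__main__":
    packets, failures, alerts = analyse(SAMPLE_LOG)
    for pkt in packets:
        print(f"CHAP failure E={pkt['error']} ({pkt['error_text']}), "
              f"retry={pkt['retry_allowed']}, message={pkt['message']!r}")
    for alert in alerts:
        print(f"ALERT profile {alert['profile']} from {alert['peer']}: "
              f"{alert['failures']} CHAP failures")
```

With the sample above the packet decodes to error 691 with retry allowed, and only `DAtoZS` from `203.0.113.45` reaches the threshold; one failure from `Branch2` is reported in the counter but not alerted. For a dial-in router the same counting, keyed on the peer address, is the check worth running before concluding that the credentials are simply mistyped.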

24 Sep 2024 16:28 #103919 by andew
Replied by andew on topic Lan to Lan VPN 2862 to 2860
Hi

In the router's System Maintenance, under Management, what does it say in the TLS/SSL Encryption Setup section? Are the same versions of SSL selected?

Regards

Andrew

24 Sep 2024 17:34 #103922 by Leslie
Replied by Leslie on topic Lan to Lan VPN 2862 to 2860
Both ends have TLS 1.0/1.1/1.2 ticked.
I have set up a VPN using IPsec Tunnel IKEv2 but would prefer to get SSL working.

25 Sep 2024 10:33 - 25 Sep 2024 10:35 #103925 by HodgesanDY
Replied by HodgesanDY on topic Lan to Lan VPN 2862 to 2860
Hi Leslie,

How come you're opting for SSL over IPsec?

IPSec is more secure and faster, and also DrayTek’s recommended method between their routers (@AES256):

https://www.draytek.com/solutions/working-from-home-vpn-solutions/

But obviously other factors may apply to your circumstance; just mentioning.
Last edit: 25 Sep 2024 10:35 by HodgesanDY.

25 Sep 2024 12:52 #103926 by Leslie
Replied by Leslie on topic Lan to Lan VPN 2862 to 2860
I bow to your superior knowledge.
Some time back I also had issues setting up and was advised to use SSL.

I'm happy to leave it as is.

One thing that surprises me about IPsec is that there seems to be only a single shared secret at the incoming end.

So if there are several different sites setting up VPNs to the incoming server they all use the same secret.

Have I misunderstood it?

19 Dec 2024 12:02 #104354 by HodgesanDY
Replied by HodgesanDY on topic Lan to Lan VPN 2862 to 2860
Hi Leslie. Sorry, long time to wait for a reply I know.

Yes, using one PSK for authentication to an IPsec service which gives access to potentially all of a site's LANs is somewhat concerning, especially when 'Dynamic Clients' are involved. Even so, there are ways to mitigate most of the risks that first spring to mind.

Most areas of the network can be locked down, but hopefully you wouldn't be passing out your PSK to people openly, and you can always change that PSK if you really have to. Also, I would imagine that you would be the admin setting up the remote site that would require that PSK anyway, but I appreciate there are always hundreds of different scenarios.

Regardless of the implications of using IPsec IKE alone, you can instead use IPsec XAuth ("Extended Authentication"), as that has both a PSK and username and password credentials applied to the VPN LAN-to-LAN profile.

The DrayTek routers have two PSKs for IPsec, one for "General" (IKE) and one for XAuth. When setting up a dial-out VPN LAN-to-LAN profile, for example, you'll see the username and password fields appear when the XAuth tick box is enabled; otherwise they will be greyed out or simply disappear from view.

With this method, you can easily revoke a particular site’s access without needing to change the general PSK and the added pain of rolling out that new PSK to all locations.
