I have a 2865 configured with IPsec/IKE VPN connected via a BT FTTC connection.  Just upgraded to Virgin Media fibre, I've kicked the Virgin Media supplied hub into modem mode, after a couple of reboots that appears to be working fine.  The DrayTek is getting an external IP and traffic is flowing in both directions.  At the same time I've upgraded the firmware of the 2865 to 4.4.5.3_BT, in hindsight I should have tested the VPN before I did that.  Anyway....the issue is now the VPN doesn't work.  I can see it trying to connect in the SYSLOG but it doesn't complete.  On the Smart VPN Client I just get an error "Unknown Error" which isn't very helpful.  DrayDDNS is working fine and I've successfully renewed the LetsEncrypt certificate so I am confident that everything on that side is working.

So the question is, does anyone have a similar setup, either IPsec/IKE or SSL VPN, working OK?  I am trying to decide if the new firmware is to blame or there is something funky with the Virgin media implementation.

Any feedback gratefully received.

P.S. If anyone wants to see the log just shout and I'll post it.  I have also reached out to support so we'll see what they come back with.

Hi ctluk,

I have many sites running on Virgin Media modems, some business plans and others domestic plans and even both at certain locations.

We have 2862, 2866, 2927, 2962s across these locations and all are running the latest firmware, either official or release candidates.

The 2866 is running 4.4.5.3_rc2 with a Virgin modem with an IPsec IKE LAN to LAN tunnel, in fact all sites have this protocol running. Dial-in user works with IPsec on iPhones and SSL on Windows machines.

Modem mode is the easiest to set up, but it can be done via the modem in “router” mode as well, you just need to enable DMZ and set the IP to the Vigor Router which will allow direct pass-through. You’ll get a 192.168.0.* address shown in the Vigor dashboard for the WAN IP, but if you know the public IP assigned to the Virgin Modem (what is my ip) you can dial straight through to the Vigor using that public IP.

SSL is the easiest method on a Windows machine when dialling in using the Smart VPN Client, any other method is less secure and the IPsec is a PITA to get running with the Smart client, in fact, I have tried so many times and never succeeded, so revert to SSL which I know works well.

Thanks for the response. I've since switched to SSL which is working.

 
This is timely. Apologies for stealing the thread but it's so close to my issue I thought it better to ask here. I've been struggling with getting VPN working on a 5x static IP Virgin Business router and a Vigor2927 for a while now.

Trying to get Dial in IKEIPsec or L2TP with IPSec to work but have had no luck at all.

I'm new to Draytek and Virgin routers so working out whether it's a Virgin or Draytek problem has been a problem.

So...
assume
Virgin router has not been touched since we got it so set up for 5 static ips by Virgin
Draytek IP is xxx.xxx.xxx.186
Virgin IP/gateway is xxx.xxx.xxx.185


Virgin Router > BASIC > DMZ, add xxx.xxx.xxx.186?

On Draytek I have

• VPN and Remote Access >> Remote Access Control
  • Enable IPSec VPN Service
  • Enable L2TP VPN Service
• VPN and Remote Access >> IPsec General Setup
  • I've put in a Pre-Shared Key (here or can I give dialin users different ones)?
  • Setup a remote Dialin user
  • IPSec Security Method = Basic
• VPN and Remote Access >> Remote Dial-in User
  • Enable this account ticked
  • IPSecTunnel IKEv1/V2 IKEc2 EAP ticked
  • L2TP with IPSec policy [Must]
  • Added username and password.
  • IKE Auth Method is greyed out so can't add pre-shared key here (Have I done something wrong?)
• NAT >> Port Redirection
  • UPD500 WAN=ALL, protocol=UDP PubPort=500 SrcI=Any, PrivateIP=xxx.xxx.xxx.186
  • UPD4500 WAN=ALL, protocol=UDP PubPort=4500 SrcI=Any, PrivateIP=xxx.xxx.xxx.186

Anything I'm missing / got wrong?

Ideally, I want something that'll work with a bog standard Windows VPN client but if that cause more pain, then any other suggestions?
 

First step (apologies if you've already done it) but enable the Web sys log, clear out the logs and then try a VPN connection, that will help identify if the VPN connection request is getting to the DrayTek