DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Load Balance IPSec Tunnels not connecting / dropping.
30 Jan 2025 19:18 - 30 Jan 2025 19:24 #104516
by m_d
Load Balance IPSec Tunnels not connecting / dropping. was created by m_d
I have had an IPSec VPN running reliably between a Vigor 2860 and a Vigor 2865 for some time. The 2860 dials out, and the 2865 is configured for dial in. However, slight complication, the remote Vigor 2860 has two WAN connections: a very slow VDSL line, and a faster but unreliable LTE connection. So, I disabled the 'old' VPN connection, and set up two new LAN-2-LAN profiles with GRE / IPSec, set up in load balance mode, as per this guide: https://www.draytek.com/support/knowledge-base/4919.
The idea is that the Vigor 2860 will dial two VPN connections, one through VDSL and the other through LTE, which will both connect to the 2865 through a single WAN connection. I can then set up routing policy rules to send some traffic via VDSL and some via LTE at the remote site. This did work when initially set up, however after running fine for a bit, these VPNs seem to get into the following state:
- ONE of the two VPN connections comes up successfully. BUT, it drops & re-connects every 20-60 ish seconds.
- The other one of the two connections refuses to come online.
In this state, the Web Syslog shows the following messages on the Dial-Out end (Vigor 2860):
Code:
2025-01-30 19:08:36 Dialing Node8 (VPN_2) :
2025-01-30 19:08:36 Find phase1 state #1809, peer IP address x6.1.1x3.x6 port 4500
2025-01-30 19:08:36 ## IKEv2 DBG : CHILD SA outI1 : Initiate CHILD SA #1812 , IKESA is #1809
2025-01-30 19:08:49 [IPSEC][L2L][8:VPN_2][@x6.1.1x3.x6] IKE link timeout: state linking
And on the Dial-In end (Vigor 2865):
Code:
2025-01-30 19:14:27 ## IKEv2 DBG : Recv IKEv2_CREATE_CHILD_SA[36] Request msgid 2 from 3x.xx.x5.1x, Peer is IKEv2 Initiator
2025-01-30 19:14:27 ## IKEv2 DBG : Process Packet : Receive IKEv2_CREATE_CHILD_SA request but can't find corresponding IKE SA for iCookie = 736cREDACTED496 rCookie = 1fdbREDACTEDf32a from 3x.xx.x5.1x
I know the timestamps don't quite match there, this is just because the web syslog on the Dial-In router had overwritten the entries by the time I copied the logs.
I have had success rebooting one or both ends of the tunnel, which sorts the problem out for a time, but then the same thing occurs.
Apologies if that is not quite clear, can provide any more details if required. Would really appreciate any suggestions.
Last edit: 30 Jan 2025 19:24 by m_d. Reason: Clarified title. Added additional info.
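A small defender-side log check, added here as an example that is not part of the original thread and not DrayTek code: it parses the two Vigor web-syslog patterns quoted above (the repeated "IKE link timeout" on the dial-out side and the responder's "can't find corresponding IKE SA" message) and flags a profile as flapping when its timeouts recur within a short window, which separates the drop-and-redial loop from a one-off dial failure. The sample lines, node numbers, addresses and cookie values are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Vigor web-syslog format quoted in the thread
# (timestamps, node numbers, addresses and cookies are made up here).
DIAL_OUT_LOG = """\
2025-01-30 19:08:36 Dialing Node8 (VPN_2) :
2025-01-30 19:08:49 [IPSEC][L2L][8:VPN_2][@203.0.113.6] IKE link timeout: state linking
2025-01-30 19:09:21 Dialing Node8 (VPN_2) :
2025-01-30 19:09:34 [IPSEC][L2L][8:VPN_2][@203.0.113.6] IKE link timeout: state linking
2025-01-30 19:10:15 [IPSEC][L2L][8:VPN_2][@203.0.113.6] IKE link timeout: state linking
2025-01-30 19:40:02 [IPSEC][L2L][7:VPN_1][@203.0.113.6] IKE link timeout: state linking
"""
DIAL_IN_LOG = """\
2025-01-30 19:14:27 ## IKEv2 DBG : Recv IKEv2_CREATE_CHILD_SA[36] Request msgid 2 from 198.51.100.10, Peer is IKEv2 Initiator
2025-01-30 19:14:27 ## IKEv2 DBG : Process Packet : Receive IKEv2_CREATE_CHILD_SA request but can't find corresponding IKE SA for iCookie = 736c0000 rCookie = 1fdb0000 from 198.51.100.10
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TIMEOUT_RE = re.compile(TS + r" \[IPSEC\]\[L2L\]\[\d+:(?P<profile>[^\]]+)\]\[@(?P<peer>[^\]]+)\] IKE link timeout")
ORPHAN_RE = re.compile(TS + r" .*can't find corresponding IKE SA for iCookie = (?P<icookie>\w+) rCookie = (?P<rcookie>\w+) from (?P<peer>\S+)")


def flapping_profiles(log, min_timeouts=3, max_gap_s=120):
    # Profiles whose "IKE link timeout" repeats at least min_timeouts times with
    # no more than max_gap_s between consecutive timeouts: the tunnel that keeps
    # dropping and re-dialing every 20-60 s rather than a one-off dial failure.
    timeouts = defaultdict(list)
    for line in log.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            timeouts[m["profile"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flapping = {}
    for profile, times in timeouts.items():
        times.sort()
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if (cur - prev).total_seconds() <= max_gap_s else 1
            best = max(best, run)
        if best >= min_timeouts:
            flapping[profile] = best
    return flapping


def orphaned_child_sa_requests(log):
    # Responder-side evidence of SA state desync: a CREATE_CHILD_SA request whose
    # IKE SPIs (cookies) the dial-in router no longer holds, so the initiator is
    # rekeying an IKE SA that only it still believes exists.
    return [(m["peer"], m["icookie"], m["rcookie"])
            for m in map(ORPHAN_RE.match, log.splitlines()) if m]
```

Run both functions over the two routers' syslog exports side by side; a flapping profile on the dial-out end together with orphaned CREATE_CHILD_SA requests on the dial-in end is the signature the original post describes, and a good trigger for pulling full IKE debug before rebooting.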
31 Jan 2025 17:27 #104523
by m_d
Replied by m_d on topic Load Balance IPSec Tunnels not connecting / dropping.
Should also mention: If I disable the trunk and 2nd VPN tunnel on the Dial-Out router, the remaining tunnel is stable, rather than dropping frequently.
05 Feb 2025 13:19 - 05 Feb 2025 13:20 #104541
by HodgesanDY
Replied by HodgesanDY on topic Load Balance IPSec Tunnels not connecting / dropping.
Hi m_d,
I have walked exactly the line you have just described, and encountered identical results, to the point where I too reverted back to a single connection, albeit with a trunked failover setting, for redundancy.
Maybe I should give this another go, which for me, was the goal of getting more bandwidth between two sites.
Eventually, I did need to route my traffic as you did, with one DrayTek router having only one WAN connection and the other having two WAN connections. But instead of "bonding" them together, I simply created two separate Lan-2-Lan profiles at both sites and an additional VLAN subnet at the remote site, which I used as my "joining" LAN for my second L2L profile. I was then able to route that traffic to whichever WAN I required at the remote site.
So you can use two VPN (WAN) connections but keep them separated from end-point to end-point.
Last edit: 05 Feb 2025 13:20 by HodgesanDY.
05 Feb 2025 16:29 #104542
by m_d
Replied by m_d on topic Load Balance IPSec Tunnels not connecting / dropping.
Good to know it's not only me with this issue... Perhaps we should notify Draytek somehow? Is there a way of doing this without opening a whole support case?
I did wonder about creating 2 completely separate VPN profiles to different networks on each side, but have not had time to try it.
Did you use a standard L2L profile for your two separate tunnels, or did you keep the GRE over IPSec settings in place? I do have multiple subnets / VLANs on both sides, so are you saying that as long as each tunnel goes between different networks, I can still route traffic through whichever VPN I want? Are you using the 'More remote subnet' option at all?
I think I have some experimenting to do!
05 Feb 2025 22:12 - 06 Feb 2025 20:31 #104543
by HodgesanDY
Replied by HodgesanDY on topic Load Balance IPSec Tunnels not connecting / dropping.
Quote: Did you use a standard L2L profile for your two separate tunnels,
Yes.
Quote: or did you keep the GRE over IPSec settings in place?
No, didn't need to.
I just set up another IPsec XAuth standard L2L profile.
In the 'TCP/IP Network Settings' section I set the 'Local Network IP' to a different VLAN subnet (which happened to be the one hosting the devices I wanted to route, but it doesn't have to be for them to be routed through it) from the main LAN (which I used in the first L2L VPN Profile already established).
In the 'Remote Network IP' I entered the new VLAN subnet created at the remote site. In this instance I didn't need to create additional 'More remote subnets', as this would only be necessary if I wanted to access more/additional VLAN subnets at the remote site (or further on, if connecting to that remote router established a route to more VPN connections of other external sites and therefore their subnets).
To limit the size of the newly created VLAN subnet at the remote site, as it was purely for routing traffic out to the WAN connection(s), I made the subnet /30, but it can be any size you want.
At the remote site I created a matching L2L VPN profile but with the relevant Local/Remote IP settings.
...and then of course, I created route policies for the traffic I wanted to route via the new VPN path, at both ends; at the local end to force route through this VPN profile index number and at the remote end to force route through that WAN connection!
Last edit: 06 Feb 2025 20:31 by HodgesanDY.
Copyright © 2025 DrayTek