DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3300V+ Multiple IPSec LAN to LAN Connections

16 Mar 2011 01:24 #66824 by jonbennell
Hi,

After going a little insane over the last few weeks, I've finally got to the bottom of the situation that I'm about to describe. First of all, here's my setup:

Head Office
Draytek 3300V+
Firmware: 2.6.3 (EN)
10.0.10.0/24

Remote Worker 1
Draytek 2800
10.0.0.0/24

Remote Worker 2
Draytek 2820
172.30.2.0/24

Both remote workers have an IPsec LAN to LAN profile set up within their respective Draytek routers, both dialing in to the Head Office Draytek 3300V+. Both connections work perfectly fine if the other policy profile is disabled within the 3300V+. However, if I have both policy profiles enabled and want both remote workers connected at the same time, whichever connection dials last fails with the following errors in the log file:

Code:
14 01:16:54 03/16 probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
15 01:16:54 03/16 next payload type of ISAKMP Identification Payload has an unknown value: 175
16 01:16:54 03/16 receive ISAKMP packet: src:{82.69.213.158}, dst:{86.188.176.114}, MsgID:{0x00000000}, Ci:{2E 6A 09 D9 41 76 11 5F}, Cr:{BA 32 43 B6 7F 74 7C 9F}


The unknown values given in line 15 seem to vary randomly.

Can anybody give me a clue as to what I'm doing wrong?

Kind regards,

Jon Bennell

17 Mar 2011 14:10 #66845 by jonbennell
I had an answer from Draytek yesterday afternoon. Basically you must use the same IPSec preshared key for any dynamic clients (those with dynamic IP addresses). This wasn't stated in any documentation I could find but I feel a lot less stupid now.

Thank you to Adam at Draytek for giving me this answer. I hope now to find out what 40 characters are permitted within the preshared key within the 3300V+.

17 Mar 2011 22:37 #66855 by voodle
I'd use aggressive mode if both are connecting with dynamic IPs, that will let you set a pre-shared key for each LAN to LAN connection.

21 Mar 2011 16:32 #66900 by jonbennell
Voodle wrote: I'd use aggressive mode if both are connecting with dynamic IPs, that will let you set a pre-shared key for each LAN to LAN connection.



Thank you Voodle, I'll bear that in mind with any future links.

Kind regards,

Jon Bennell
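
Added example (not part of the original thread and not DrayTek code): a small Python triage script for the log symptom in the first post, listing which peers produced an undecodable Identification payload and which "unknown value" bytes were seen. It assumes the log layout shown there, with the "receive ISAKMP packet" line listed below the errors it caused; the function name, sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log excerpt (documentation-range IPs).
SAMPLE_LOG = """\
10 01:20:11 03/16 probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
11 01:20:11 03/16 next payload type of ISAKMP Identification Payload has an unknown value: 62
12 01:20:11 03/16 receive ISAKMP packet: src:{198.51.100.7}, dst:{192.0.2.1}, MsgID:{0x00000000}, Ci:{01 02 03 04 05 06 07 08}, Cr:{11 12 13 14 15 16 17 18}
13 01:18:02 03/16 receive ISAKMP packet: src:{203.0.113.9}, dst:{192.0.2.1}, MsgID:{0x00000000}, Ci:{21 22 23 24 25 26 27 28}, Cr:{31 32 33 34 35 36 37 38}
14 01:16:54 03/16 probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
15 01:16:54 03/16 next payload type of ISAKMP Identification Payload has an unknown value: 175
16 01:16:54 03/16 receive ISAKMP packet: src:{198.51.100.7}, dst:{192.0.2.1}, MsgID:{0x00000000}, Ci:{41 42 43 44 45 46 47 48}, Cr:{51 52 53 54 55 56 57 58}
"""

RECV = re.compile(r"receive ISAKMP packet: src:\{([^}]+)\}")
UNKNOWN = re.compile(
    r"next payload type of ISAKMP Identification Payload has an unknown value: (\d+)"
)
AUTH_FAIL = "probable authentication failure"


def psk_mismatch_suspects(log_text):
    """Map each source IP to the sorted unknown next-payload values logged for it.

    Only peers with both an authentication-failure line and an unknown-value
    line above their "receive" line are reported.
    """
    pending_values, pending_fail = [], False
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        unknown = UNKNOWN.search(line)
        if unknown:
            pending_values.append(int(unknown.group(1)))
        elif AUTH_FAIL in line:
            pending_fail = True
        else:
            recv = RECV.search(line)
            if recv:
                # Errors listed above this packet belong to its sender.
                if pending_fail and pending_values:
                    suspects[recv.group(1)].update(pending_values)
                pending_values, pending_fail = [], False
    return {ip: sorted(values) for ip, values in suspects.items()}


if __name__ == "__main__":
    for ip, values in psk_mismatch_suspects(SAMPLE_LOG).items():
        print(f"{ip}: check pre-shared key; unknown payload values seen: {values}")
```

A peer that appears here with a different value on each attempt matches the pattern described in the first post.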
