DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2820 L2L IPSec WatchGuard XTM5

10 Aug 2011 15:12 #7 by gvjosh
Replied by gvjosh on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
@nealuk:

Mine is, obviously, different. However, I found the gateway doesn't have a setting other than 8 hours and the tunnel has both settings. I had already set expiration to nothing as shown here:



I appreciate your help. Any other thoughts?

10 Aug 2011 15:40 #8 by nealuk
Replied by nealuk on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
I am struggling for ideas. But what about setting the Phase 2 proposal Force key expiration to 8 hours - and then you know that it matches the Draytek Vigor?

Can you look over again the WatchGuard Phase 1 details? Are there any time or byte limits there?

You mentioned that you'd used the Draytek's Syslog for additional helpful information. Is there something similar on the WatchGuard XTM5 which might give us some clues?

Sometimes, when I can't get things to work, I switch to a different security protocol. You could try 3DES ? MD5_G2 has given me good interoperability between different manufacturers' equipment.

10 Aug 2011 15:53 #9 by gvjosh
Replied by gvjosh on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
Here is a screenshot of the Gateway setup:



See anything else that I could change?

10 Aug 2011 16:00 #10 by gvjosh
Replied by gvjosh on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
Here are some pics of my Vigor L2L config:






10 Aug 2011 16:15 #11 by nealuk
Replied by nealuk on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
Thanks for taking the time on the screen shots - very helpful.

I think

Perfect Forward Secret should be "Disable" because it should only be Enabled if you have some data in the field Local ID.

Vigor Section 3. Dial In - untick Medium AH

Also, I have looked at six of my VPNs and on each of them I leave My WAN IP as 0.0.0.0 - since you have set Dial Out Through WAN1 First, then if the Vigor uses WAN2 this will have an IP address which is not the same. So I think it is safest to put My WAN IP back to 0.0.0.0

10 Aug 2011 16:26 #12 by gvjosh
Replied by gvjosh on topic Re: Vigor 2820 L2L IPSec WatchGuard XTM5
OK, I will make these changes later today when that office closes. I've turned up the logging level of the WG XTM5 for the VPN section to hopefully catch some good data in more detail. Thanks for your help nealuk.
