DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Multiple outbound ipsec vpns - possible? Gotchas?

16 Oct 2012 14:42 #1 by routintooter
Hi
Draytek 2920 f/w 3.6.1 (fixes the >9 vpn profiles issue...)

We are trying to set up 2 outbound ipsec vpns (site to site)
1 (already stable) to a Juniper device.
2 (proposed) to draytek 2830n

The issue seems to be that the 2nd vpn never connects - the first is fine.
If we set it up so there is 1 inbound and one outbound, all is fine.
I understand that there may be an issue if you are trying to support >1 ipsec vpn when behind a nat device, but we are not (unless our internet provider is telling porkies).
So: are there any fundamental issues with having >1 outbound IPsec VPN on DrayTeks?
Thank you.

17 Oct 2012 09:45 #2 by sicon
No, they should support many VPNs.
I have a site with a 2930VN running 2 x IPSec GRE Trunks (so 4 tunnels joined into 2) plus 4 other normal IPSec tunnels and then a random amount of remote dial-in VPNs.
What firmware is the 2920 on, have you checked the syslogs at each end of the 2nd tunnel etc?
Are the subnets different at each remote site?

17 Oct 2012 13:14 #3 by routintooter
Thanks for the reply.
FW 3.6.1
Different subnets.

These two routers work fine if I reverse the set-up (i.e. the source becomes the target).
Connection set up to use peer ID, only use IPsec security High ESP (DES, 3DES, AES), aggressive mode.

It basically mimics the "working" outbound config (with a different peer ID and a different target router).

Snapshot of source/target router syslogs (from syslog explorer).


Source Router
2012-10-17 12:59:04 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:59:04 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:59:04 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:59:03 DOUBLE free for 81b6eb64: 7a99 from this.id.name
2012-10-17 12:58:51 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:51 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:51 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:58:44 DOUBLE free for 81b6f2f0: 7a99 from this.id.name
2012-10-17 12:58:32 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:32 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:32 Dialing Node11 (KBBSTOCB1) :

Target Router
2012-10-17 12:59:17 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:11 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:08 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:04 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:58 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:55 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:46 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:40 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:37 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:30 Responding to Aggressive Mode from Some.ip.address.here
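As an added illustration (not part of the original post), here is a small Python script that reads the two syslog excerpts above and summarises what they show: how many times the initiator started an aggressive-mode exchange, the gap between retries, how many "Responding to Aggressive Mode" lines the target logged, how many "DOUBLE free" errors appeared, and whether any Quick Mode (phase 2, ISAKMP exchange type 0x20) message ever followed. The sample lines are copied from the post; the assumption that a phase 2 exchange in the log is the sign that phase 1 completed is mine, as DrayTek's exact "tunnel established" wording varies between firmware versions.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog excerpts as posted above (syslog explorer lists newest entries first).
SOURCE_LOG = """\
2012-10-17 12:59:04 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:59:04 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:59:04 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:59:03 DOUBLE free for 81b6eb64: 7a99 from this.id.name
2012-10-17 12:58:51 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:51 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:51 Dialing Node11 (KBBSTOCB1) :
2012-10-17 12:58:44 DOUBLE free for 81b6f2f0: 7a99 from this.id.name
2012-10-17 12:58:32 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
2012-10-17 12:58:32 Initiating IKE Aggressive Mode to target.ip.address.here
2012-10-17 12:58:32 Dialing Node11 (KBBSTOCB1) :
"""

TARGET_LOG = """\
2012-10-17 12:59:17 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:11 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:08 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:59:04 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:58 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:55 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:46 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:40 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:37 Responding to Aggressive Mode from Some.ip.address.here
2012-10-17 12:58:30 Responding to Aggressive Mode from Some.ip.address.here
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse(log_text):
    """Return (timestamp, message) pairs in chronological order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or non-timestamped lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2)))
    events.sort()  # syslog explorer output is newest-first; undo that
    return events


def diagnose(source_log, target_log):
    """Summarise initiator and responder logs for one IPsec dial-out attempt."""
    src, dst = parse(source_log), parse(target_log)
    counts = Counter()
    init_times = []
    for ts, msg in src:
        if msg.startswith("Initiating IKE Aggressive Mode"):
            counts["initiations"] += 1
            init_times.append(ts)
        elif msg.startswith("DOUBLE free"):
            counts["double_free"] += 1
        elif "Exchange Type = 0x20" in msg:
            # 0x20 is ISAKMP Quick Mode; seeing it means phase 1 finished.
            counts["quick_mode"] += 1
    for _, msg in dst:
        if msg.startswith("Responding to Aggressive Mode"):
            counts["responses"] += 1
    # Seconds between successive dial attempts on the initiator.
    gaps = [int((b - a).total_seconds()) for a, b in zip(init_times, init_times[1:])]
    return {
        "initiations": counts["initiations"],
        "responses": counts["responses"],
        "double_free": counts["double_free"],
        "quick_mode": counts["quick_mode"],
        "retry_gaps_s": gaps,
        "phase1_completed": counts["quick_mode"] > 0,  # assumption, see lead-in
    }


if __name__ == "__main__":
    for key, value in diagnose(SOURCE_LOG, TARGET_LOG).items():
        print(f"{key}: {value}")
```

Run against the posted excerpts, the script reports three initiations on the source (19 s and 13 s apart), ten responder-side aggressive-mode responses in the same window, two DOUBLE free errors and no Quick Mode exchange, i.e. phase 1 is being answered by the target but never completes; that is the point at which to compare the peer ID and proposal settings on both ends, as the following replies discuss.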

19 Oct 2012 15:40 #4 by sicon
Just out of interest, do they work with static IP end points (IPsec with PSK) instead of 509x peer IDs?

30 Oct 2012 17:12 #5 by routintooter
Thanks for the reply.
I have not tried it with static end points as my "test" set-up uses dynamic IPs (consumer broadband).
However, things get a bit odd...

I am now using 2 drayteks
2800 series f/w 2.8.2 - as dial in
Vigor2830n f/w 3.3.7.1_sb_211801 - as dial out

The 2830n already has an ipsec dial out vpn that is working ok to another target - using a peer (local) ID.

I added a second dial-out IPsec VPN (the 2830n to a 2800 series) and gradually mimicked the security options (Medium > High, 3DES with authentication etc.). With the "basic" settings the VPN establishes, no problem.

What I appear to have found is that one or other of the DrayTeks seems a bit sniffy about the peer ID: if I use something@now.com (e.g.), I see the double free errors in the calling DrayTek and no VPN gets established.
I have used an IP address as the peer ID, which worked; changed the IP address (both ends) and the VPN never re-establishes.
The most "reliable" form of peer ID is this.some.com (literally; this peer ID always seems to reconnect after a while).

If only I knew what I was doing.

C
