I'm trying to set up IPSec (not L2TP over IPSec) VPNs using a Vigor 2820n.

• All users will be connecting (dialling in) to the Vigor (which is on a static IP).


• Connections will be from Windows and OS X 10.8 machines running 3rd party full IPSec clients.


• They will be connecting from locations with dynamic IP addresses, so I intend to use the Vigor 'Peer ID' setting (with a matching local FQDN value on the VPN client) to associate the client with a dial-in user account.


• The pre-shared key will be the one defined for the dial-in user account, not the generic key under the Vigor's general IPSec settings.

In terms of VPN clients, the users are currently running IPSecuritas on the OS X platform and Shrewsoft VPN Client on the Windows platform.

If I specify a generic pre-shared key on the Vigor's General IPSec configuration page, then all users can create a VPN and work remotely.

If I change the client - to use the pre-shared key defined for a dial-in user account and define a local FQDN value to match the Peer ID defined on the Vigor (no other changes) - then the VPN fails to establish. I can only test this on the OS X platform (no access to a Windows box) but the IPSecuritas client says that it times out waiting for a Phase 1 response.
(Interestingly, the first time I tried this it did work. I then changed the local FQDN value in the client to confirm it was going to the right dial-in account, and the VPN then failed as expected. But when I changed the FQDN value back again, the VPN still failed to establish!)

I believe that this should work (e.g. the VPNtracker config document for Drayteks describes exactly what I'm trying to do - but the product is barking expensive for testing!) but I can't tell whether this is an additional configuration setting I should be including, whether it is an issue with the IPSecuritas client, or whether it is an issue with the Vigor.

Has anyone else done anything similar or encountered similar problems?
Thanks.