DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN to LAN (Main Mode) using DDNS

12 Apr 2015 12:34 #1 by zdz
I'm configuring two 2860s with a LAN-LAN VPN as per Draytek's config guide here:

https://www.draytek.co.uk/support/guides/kb-lantolan-ipsec

This works fine if I use aggressive mode.
However, under the main mode, it states:

"Main mode: This uses the Pre-shared key and the IP Addresses of each side to authenticate the VPN connection, this requires a fixed IP on both sides of the VPN connection unless a global PSK is used or the dial-in end has a DDNS account. Using a global PSK or DDNS account for VPN is not covered in this article."

I am using dynamic IPs (Virgin Media at each end).

How does one go about setting up Main Mode using DDNS?

I've got registered DDNS records for each side.

On the Dial-In side, for Specify Remote VPN Gateway I can't enter a DDNS record, it complains and only wants an IP.

I'm sure there is a simple way around this.
Anyone have any ideas on how to achieve Main with DDNS?

Reason I wish to use main is to take advantage of the stronger AES rather than 3DES encryption.

Thanks for reading.

-=zdz=-


14 Apr 2015 12:39 #2 by voodle
You're right; it's not actually possible to use DDNS in the remote VPN IP field, so it looks like the guide is wrong? I guess someone should tell them that.

You can use aggressive mode and that will work. You can use AES-256 with aggressive mode as well; that's all set on the Dial-Out side under the Advanced IPSec settings. To have the AES options available, select "AES with authentication" from the drop-down above the Advanced button first, otherwise they won't show up.

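The guide quoted in post #1 says Main mode with a pre-shared key needs a fixed IP on both sides "unless a global PSK is used", and post #2 points out that Aggressive mode works with DDNS. The reason is how the responder picks the PSK in each mode. The following is an added illustration, not DrayTek code or anything from the guide: a small Python model of an IKEv1 responder's key selection, with constructed peer names, documentation-range addresses (203.0.113.x) and dummy keys. The hostname site-b.example.net and the key values are assumptions for the example.

```python
# Added illustration (not DrayTek code): a toy model of how an IKEv1 responder
# picks the pre-shared key in Main mode versus Aggressive mode. It shows why
# Main mode with PSK needs a fixed peer address (or a single "global" PSK)
# while Aggressive mode can key off a DDNS hostname sent as the peer identity.
# Peer names, addresses and keys below are constructed sample data.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PeerEntry:
    """One LAN-to-LAN profile as the responder (dial-in side) knows it."""
    name: str
    psk: bytes
    remote_ip: Optional[str] = None   # Main mode selector: the peer's source IP
    remote_id: Optional[str] = None   # Aggressive mode selector: the ID payload (FQDN)


@dataclass
class Responder:
    peers: List[PeerEntry]
    global_psk: Optional[bytes] = None  # optional fallback key for any unknown peer

    def psk_for_main_mode(self, src_ip: str) -> Optional[bytes]:
        """Main mode: the ID payload travels in messages 5/6, which are already
        encrypted under keys derived from the PSK, so the responder must choose
        the PSK from the only selector it has in message 1: the source address."""
        for p in self.peers:
            if p.remote_ip is not None and p.remote_ip == src_ip:
                return p.psk
        return self.global_psk  # None means no key: phase 1 cannot proceed

    def psk_for_aggressive_mode(self, src_ip: str, id_payload: str) -> Optional[bytes]:
        """Aggressive mode: the initiator's ID payload is in message 1, in the
        clear, so the PSK can be chosen by identity and the source address is
        irrelevant. That is what lets a dynamic-IP peer identify itself by a
        DDNS hostname."""
        for p in self.peers:
            if p.remote_id is not None and p.remote_id == id_payload:
                return p.psk
        return self.global_psk


def build_responder(global_psk: Optional[bytes] = None) -> Responder:
    """Constructed sample: one profile for a remote site on a dynamic IP."""
    site_b = PeerEntry(
        name="site-b",
        psk=b"example-site-b-psk",
        remote_ip="203.0.113.10",        # IP the DDNS name resolved to when the profile was saved
        remote_id="site-b.example.net",  # hypothetical DDNS hostname used as the IKE identity
    )
    return Responder(peers=[site_b], global_psk=global_psk)


def simulate(global_psk: Optional[bytes] = None) -> dict:
    """Run both modes before and after the remote site's dynamic IP changes."""
    r = build_responder(global_psk)
    old_ip, new_ip = "203.0.113.10", "203.0.113.77"
    return {
        "main_before": r.psk_for_main_mode(old_ip),
        "main_after": r.psk_for_main_mode(new_ip),
        "aggr_before": r.psk_for_aggressive_mode(old_ip, "site-b.example.net"),
        "aggr_after": r.psk_for_aggressive_mode(new_ip, "site-b.example.net"),
    }


if __name__ == "__main__":
    for label, res in (("per-peer PSK only", simulate()),
                       ("with global PSK", simulate(global_psk=b"example-global-psk"))):
        print(label)
        for k, v in res.items():
            print(f"  {k:12s} -> {'no key, phase 1 fails' if v is None else v.decode()}")
```

Once the remote site's address moves from 203.0.113.10 to 203.0.113.77, the Main-mode lookup returns no key and phase 1 cannot start; only the global-PSK fallback rescues it, which is the "unless a global PSK is used" caveat in the guide. The Aggressive-mode lookup keeps working because it matches on the identity string, not the address.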

17 Apr 2015 16:46 #3 by zdz
You're quite right. Thank you.

I was following the Draytek guide precisely, which configures for 3DES encryption. I find if I don't follow the guides exactly, things tend to explode.

I went back and upped everything to AES256 and all good.

Would I be correct in thinking that AES256-SHA1 is more secure than AES256-MD5? I'm using SHA1 currently...

-=zdz=-
