DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN 2860Vn+ to RUT950

28 Feb 2016 00:34 #1 by octoinkjet
Figured I'd best post this while it was still very fresh in my head for anyone else who finds themselves trying to get this to work.


Setup:
- Draytek 2860Vn+ on static IP
- RUT950 with two sims on the Three (3) network* installed

*Three (at time of writing) does not use NAT or similar but gives the connection a dynamic but public IP on the internet making IPSEC possible

Goal:
To setup an IPSec tunnel between the two routers.


Key Points:
The RUT 950 does not seem to differentiate between whether the IPSec settings are for a client or a server and if you have the documentation you quickly realise it's a copy paste from the PPTP section so it's naff all use.

This setup/solution assumes that the RUT-950 is the client and dialling in to the Draytek.


Settings:

Now first a disclaimer, I've had to learn all of this information the hard way over the past few months so if I get something wrong, please be nice, provide a few clues about what I got wrong, how and what the correction should be (and why). I learn, such is life...

Ok first things first, the absolute critical setting of all time (and the one that's kicked me for 4 ****ing days) is to make sure you set the Operation Mode correctly on the RUT-950.

Network > WAN > Operation Mode
Make sure it is set to "Mobile".

If you do not do this you will find that IPSec will not connect, L2TP and PPTP will connect but not route properly and you will spend days trying to work out why... Well, you will if you were me in a time machine and kicking yourself!

Next up, setup your IPSec configuration:

Services > VPN > IPsec
- Enable: [tick]
- Mode: Aggressive
- Enable NAT traversal: [tick]
- Enable initial contact [tick]
- My identifier type: User FQDN
- My identifier: foo@bar.com
- Pre shared key: [your key]
- Remote VPN endpoint: [domain or public IP for the 2860 connection]
- Enable DPD: [tick]
- Delay: [enter seconds for DPD check interval]

Phase 1
- Encryption algorithm: AES128
- Hash algorithm: SHA1
- DH group: MODP768
- Lifetime: 28800

Phase 2
- Encryption algorithm: AES128
- PFS Group: MODP768
- Authentication: HMAC_SHA1
- Lifetime: 3600

Remote Network Secure Group
- IP Address: [Your remote network eg: 192.168.0.0]
- Subnet mask: [eg: 24]

etc...


Now the reason I copied that lot in is because the Draytek does not specify any support for the DH Group or the PFS group settings but it does actually handle them anyway.

If your setup requires that the draytek is the one dialling out and the RUT 950 is dialling in you need to know that the DH and PFS groups are indicated by the _G1 affix on the IKE phase 1 proposal setting.

G1 for MODP768
G2 for MODP1024
G5 for MODP1536

Aggressive mode for the 2860 does not support G5/MODP1536 so don't use it for the RUT 950 settings.

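A small check for the two ends of the tunnel described in the post above, as an added example written for this page (it is not code from the post's author, Teltonika or DrayTek). It assumes the DrayTek phase 1 proposal is named in the form AES128_SHA1_G1, modelled on the _G1 affix the post describes; the RUT950 profile is constructed from the settings listed in post #1. It reports why phase 1 would not match, applies the post's observation that the 2860 in aggressive mode does not offer G5, and flags the choices a practitioner would want to revisit: MODP768 (DH group 1) is far too small to rely on today, and aggressive mode with a pre-shared key exposes a PSK-derived hash to offline guessing, so if a dynamic-IP peer forces aggressive mode the PSK needs to be long and random.

```python
"""Compatibility and weakness check for RUT950 <-> DrayTek 2860 IPsec settings.
Added example for this page; not code from the post, Teltonika or DrayTek.
The 'AES128_SHA1_G<n>' proposal naming is an assumption modelled on the
'_G1 affix' the post describes."""

# IKE Diffie-Hellman group numbers mapped to the MODP names the RUT950 UI uses
# (groups 1, 2 and 5 from RFC 2409; 14 from RFC 3526). DrayTek's _G<n> suffix
# is the group number, which is what the post's G1/G2/G5 table lists.
DH_GROUPS = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}

# Groups whose modulus is too small to trust today.
WEAK_DH = {"MODP768", "MODP1024"}

# Constructed from the Services > VPN > IPsec settings in post #1.
RUT950_PROFILE = {
    "mode": "aggressive",
    "p1": {"enc": "AES128", "hash": "SHA1", "dh": "MODP768", "lifetime": 28800},
    "p2": {"enc": "AES128", "auth": "HMAC_SHA1", "pfs": "MODP768", "lifetime": 3600},
}


def parse_draytek_proposal(name):
    """Split an assumed DrayTek proposal name such as 'AES128_SHA1_G2' into
    its encryption, hash and DH group parts."""
    parts = name.upper().split("_")
    if len(parts) != 3 or not parts[2].startswith("G") or not parts[2][1:].isdigit():
        raise ValueError(f"unrecognised proposal name: {name}")
    enc, hash_alg, group = parts
    group_no = int(group[1:])
    if group_no not in DH_GROUPS:
        raise ValueError(f"unknown DH group G{group_no} in {name}")
    return {"enc": enc, "hash": hash_alg, "dh": DH_GROUPS[group_no]}


def check_compat(rut, draytek_p1_name):
    """Return the reasons IKE phase 1 would fail to match; an empty list means
    the RUT950 profile and the DrayTek proposal agree."""
    p1 = parse_draytek_proposal(draytek_p1_name)
    problems = []
    # The post reports that the 2860 in aggressive mode does not offer G5.
    if rut["mode"] == "aggressive" and p1["dh"] == "MODP1536":
        problems.append("2860 aggressive mode does not support G5/MODP1536")
    for key in ("enc", "hash", "dh"):
        if rut["p1"][key] != p1[key]:
            problems.append(
                f"phase 1 {key} mismatch: RUT {rut['p1'][key]} vs DrayTek {p1[key]}"
            )
    return problems


def weak_settings(rut):
    """Flag choices that should be revisited before relying on the tunnel."""
    warnings = []
    if rut["mode"] == "aggressive":
        warnings.append(
            "aggressive mode with a PSK exposes a PSK-derived hash to offline "
            "guessing; if a dynamic-IP peer forces aggressive mode, use a long "
            "random PSK"
        )
    if rut["p1"]["dh"] in WEAK_DH:
        warnings.append(
            f"phase 1 DH group {rut['p1']['dh']} is too small; use MODP2048 or "
            "larger if both ends offer it"
        )
    if rut["p2"]["pfs"] in WEAK_DH:
        warnings.append(
            f"phase 2 PFS group {rut['p2']['pfs']} is too small; use MODP2048 or "
            "larger if both ends offer it"
        )
    return warnings


if __name__ == "__main__":
    for name in ("AES128_SHA1_G1", "AES128_SHA1_G2", "AES128_SHA1_G5"):
        print(name, check_compat(RUT950_PROFILE, name) or "OK")
    for warning in weak_settings(RUT950_PROFILE):
        print("WARNING:", warning)
```

Run it as-is to see the post's own settings pass the match check while tripping every weakness warning; swap the profile's groups for MODP2048 and the DrayTek name for a G14 proposal to see the warnings clear, provided both firmwares actually offer that group.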

28 Feb 2016 00:39 #2 by octoinkjet
The preceding post is more a brain dump for my own reference if I should ever be dumb enough to want to "fix" the routing I currently have set up. I figure some of the nuggets above may well be useful for other n00bs to VPN such as myself.

The kicker was the WAN misconfiguration so watch out for dumb PEBCAK issues like mine to save your sanity... Hope it's useful..


22 Mar 2016 12:03 #3 by octoinkjet
Small nugget...

The setup above only works on firmware version RUT9XX_R_00.01.497

As is ever the case on "updates" Teltonika broke the VPN configuration for IPSec with the latest current version ( RUT9XX_R_00.01.878 ) by removing the fields for identifier information and "enable initial contact".

I suspect it has something to do with the inclusion of new algorithms but either way we were forced to restore old settings and firmware.
