DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860n+ VPN L2TP/IPsec problem

01 May 2016 10:53 #1 by pilgrim1
2860n+ VPN L2TP/IPsec problem was created by pilgrim1
Hi, I'm wondering if anyone can help. I'm trying to set up a VPN on a 2860n+ (FW version 3.8.2.2_VT3) from a Windows 10 client. I followed the instructions here :-

http://www.draytek.com/index.php?option=com_k2&view=item&id=5847&Itemid=293&lang=en

On the local LAN (192.x.x.x) this works beautifully so I know the PSK key/user and password are fine.

However, attempting to connect on the external IP address 88.xx.xx.xx (the physical address as shown in WAN2 on the router) fails. I get the following error on the Windows 10 client :- "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

The 88.xx.xx.xx is the static IP provided by my ISP. I assumed it may be blocked; however (when enabled on the 2860), PING and management both work.

Over to the 2860, looking at the system logs attempting the connection from the external IP address we see :-

2016-05-01 09:39:46 Matching General Setup key for dynamic ip client...
2016-05-01 09:39:46 Responding to Main Mode from 88.xx.xx.xx

And nothing more.....ever. No clue as to what happened.

From the local LAN where the connection is successful we see :-

2016-05-01 09:35:34 [H2L][UP][L2TP/IPSec][@1:Chris]
2016-05-01 09:35:31 IPsec SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 IPsec SA #23 will be replaced after 2991 seconds
2016-05-01 09:35:31 Responding to Quick Mode from 192.168.1.14
2016-05-01 09:35:31 Receive client L2L remote network setting is 192.168.1.254/32
2016-05-01 09:35:31 sent MR3, ISAKMP SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 NAT-Traversal: Using RFC 3947, no NAT detected
2016-05-01 09:35:31 Matching General Setup key for dynamic ip client...
2016-05-01 09:35:31 Responding to Main Mode from 192.168.1.14

Any thoughts please, it is driving me nuts. I suspect it is related to the fact the 2860 config is Ethernet/PPPoE connected to the BT modem (faster and more reliable than the inbuilt one from my own tests) but nothing springs to mind.

Thanks in advance,

Regards

ChrisC.
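
The two log excerpts in the post above differ only in how far the IKE negotiation gets. The following is an added example (not part of the original posts and not DrayTek tooling) that reads syslog text in the format quoted above and reports, per peer, the furthest handshake stage logged. It assumes one connection attempt per peer in the log window; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: log lines quoted in the post above, both attempts combined.
SAMPLE_LOG = """\
2016-05-01 09:39:46 Matching General Setup key for dynamic ip client...
2016-05-01 09:39:46 Responding to Main Mode from 88.xx.xx.xx
2016-05-01 09:35:34 [H2L][UP][L2TP/IPSec][@1:Chris]
2016-05-01 09:35:31 IPsec SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 Responding to Quick Mode from 192.168.1.14
2016-05-01 09:35:31 sent MR3, ISAKMP SA established with 192.168.1.14. In/Out Index: 34/0
2016-05-01 09:35:31 NAT-Traversal: Using RFC 3947, no NAT detected
2016-05-01 09:35:31 Responding to Main Mode from 192.168.1.14
"""

# Message patterns in handshake order; the list index is the stage rank.
STAGES = [
    ("main_mode_started", re.compile(r"Responding to Main Mode from (\S+)$")),
    ("isakmp_sa_established", re.compile(r"ISAKMP SA established with (\S+)\.(?:\s|$)")),
    ("quick_mode_started", re.compile(r"Responding to Quick Mode from (\S+)$")),
    ("ipsec_sa_established", re.compile(r"IPsec SA established with (\S+)\.(?:\s|$)")),
]
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")

def furthest_stage(log_text):
    """Map each peer to (stage name, timestamp) of the furthest stage logged.
    Works whether the log is listed oldest-first or newest-first."""
    best = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for rank, (name, pattern) in enumerate(STAGES):
            hit = pattern.search(m.group(2))
            if hit and rank >= best.get(hit.group(1), (-1,))[0]:
                best[hit.group(1)] = (rank, name, ts)
    return {peer: (name, ts) for peer, (rank, name, ts) in best.items()}

def stalled_peers(log_text):
    """Peers whose negotiation never got past the first Main Mode response."""
    return sorted(p for p, (name, _) in furthest_stage(log_text).items()
                  if name == "main_mode_started")

if __name__ == "__main__":
    for peer, (stage, ts) in furthest_stage(SAMPLE_LOG).items():
        print(f"{peer}: {stage} at {ts}")
    print("stalled in IKE phase 1:", stalled_peers(SAMPLE_LOG))
```

A peer listed as stalled got a Main Mode response from the router but no ISAKMP SA was ever logged for it, which is the pattern shown for the external address.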

06 Aug 2016 14:18 #2 by paulb513
Replied by paulb513 on topic Re: 2860n+ VPN L2TP/IPsec problem
This problem occurs because you have a router (NAT device) between the Vigor and the public internet. For L2TP/IPSec to function, that device needs to support a feature called edge traversal and most (like the Virgin Superhub) do not.

You can get PPTP VPN working by setting up port forwarding.

If you want to use IPSec, you need to set your other router to modem-only mode or otherwise ensure that your Vigor has a public IP address. The VPN tunnel will then work.

06 Jan 2017 18:20 #3 by silverstreak_2006
Replied by silverstreak_2006 on topic Re: 2860n+ VPN L2TP/IPsec problem

PaulB513 wrote: This problem occurs because you have a router (NAT device) between the Vigor and the public internet. For L2TP/IPSec to function, that device needs to support a feature called edge traversal and most (like the Virgin Superhub) do not.

You can get PPTP VPN working by setting up port forwarding.

If you want to use IPSec, you need to set your other router to modem-only mode or otherwise ensure that your Vigor has a public IP address. The VPN tunnel will then work.



Paul

I take it forwarding the ports would not cure this? I have a 2925Ln, and have tried to forward ports on a 2860n-plus. Strangely, an iOS device will connect to the 2025Ln. Also, using a SIM card with a public IP in the 2925LN, Apple devices can connect. It is only Windows devices (8.1, 10, 2008 server etc).

Using the client tool, the connection is made, then drops; I am not sure if it is not getting its network / gateway connections in a timely manner.

Note that using the 2860n-plus allows all devices to connect using L2TP / IPsec.

Is there a known issues page, or somewhere reputable I can report this to? I have had firmware pages side by side and cross-referenced everything. Like I say, iOS devices connect with no problems at all; PPTP is the workaround / test on the 2925Ln, and that works. I also notice there has not been a release of firmware for a while.

Any suggestions gratefully received; however, I am guessing it is an issue with the firmware, given the amount of time I have spent looking at this.

Thanks

Pete.
