DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP: what is missing?

21 Feb 2017 21:10 #1 by giacecco
I am trying to use https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/how-to-establish-l2tp-tunnel-from-iphone-to-vigor-router/ as a starting point to understand what the minimum settings are to set up an L2TP VPN between my Vigor and, as clients, my Fedora Linux and my Android 7.x phone, but there is no way I can get it to work with either device.

Of the settings that are not listed in the guide mentioned above, I am using:

- Maximum MPPE (128 bit)
- No mutual authentication
- Remote dial-in as the only PPP authentication method
- No PPTP LDAP profile
- Both "Medium" and all "High" IP Security Methods ticked
... and nothing ticked across the other several dozen settings

The settings are matched on Linux and Android wherever they exist there, too. On Android, for example, most of this detail is completely missing. Screenshots of the settings on the Draytek are below.


What could I be missing, and what is the best place to debug what's happening, on either the Vigor side or the Fedora side? Surprisingly, Linux does not give any explanation of the failure, unless I probably need to look deeper into some logs through the console.

Thank you in advance,

Giacecco

01 Mar 2017 13:57 #2 by giacecco
A quick update. I've given up on Fedora, as a prosumer OS of course has many more movable parts that can be potentially an issue. I've started focusing only on Android and also started collecting syslogs on a USB stick connected to the router.

The first thing I noticed is how few messages are recorded, despite ticking all syslog services. Does anybody reading this have an example of what the syslog should look like when an L2TP connection is attempted and, potentially, initiated?

Thanks.

13 Apr 2017 09:57 #3 by fryr
Your Google links are not public, so I am getting access denied.

I used to run an L2TP VPN and connect in from Windows, Android and iOS.

From memory, I enabled both L2TP and IPsec in the VPN services. I configured a certificate on the DrayTek and assigned it to the VPN. I configured a shared secret to be used. I created a dial-in user, allocated them access to L2TP and IPsec, and configured them accordingly.

26 Apr 2017 11:47 #4 by jasonrafferty
I also run L2TP over IPsec: you must have IPsec ticked as well as L2TP in the service types. This threw me for a while, although it is obvious when you think about it!
Currently connecting via OS X and iOS.

01 May 2017 14:51 #5 by giacecco
@fryr @jasonrafferty thank you for your advice and sorry for not getting back to you sooner.

I've tried enabling both IPSec and L2TP but that did not solve the problem.

@fryr I did not configure a certificate; I thought it was optional, is that correct? Moreover, on Android, I am trying to use L2TP/IPsec PSK, not RSA.

Moreover, can you confirm that I don't need to open any ports on the router (in NAT > Port Redirection or NAT > Open Ports), as if the VPN server was a separate device somewhere on the internal network?

I made new screenshots of what I think are the relevant configuration settings here: https://photos.google.com/share/AF1QipM4dzE6G_mtuPQjsHLS5GOpmeltBcSQhvrMeRtH5UfpaaX_4jV7QKsQXLm_dfzTBA?key=U2U4ZkQwWnpQZ2pkMC1RZ05nV2hMSU1uQVVsdjRn

Thank you for any hint. I am tempted to sell the DrayTek at this point and downgrade to something more user-friendly.

01 May 2017 15:26 #6 by gsb1
Hi,

Relatively few steps to make this work, I'll cover what I know in case it jogs something for you.

VPN and Remote Access > Remote Access Control

Enable IPSec VPN Service - checked
Enable L2TP VPN Service - checked

VPN and Remote Access > IPsec General Setup

Certificate for Dial-in - None (default)

Pre-Shared Key - set to something and confirm (use whatever you want for testing, after initial setup make nice and strong)

IPsec Security Method - just the High options ticked

VPN and Remote Access > Remote Dial-in User

Ensure you have a remote user created and enabled (as I see you do). The only settings I configured were:

Allowed Dial-In Type
IPsec Tunnel
L2TP with IPsec Policy "must"

Username and password

IPsec Security Method

Again just the High options ticked.

That's it.

So client side you are using the native Android VPN settings? You want an "L2TP/IPsec PSK" connection type. Connection just needs a name (anything), the connection type (L2TP/IPsec PSK), the internet address of your router, the IPsec pre-shared key (the key you entered on the router), then the username and password you set.
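
Since the original question also covered Fedora, here is an added example (not from this thread, DrayTek, or the strongSwan/xl2tpd projects) of the Linux client side of the same L2TP/IPsec PSK setup gsb1 describes: strongSwan provides the IKEv1/PSK transport-mode SA around UDP 1701, and xl2tpd plus pppd carry the L2TP/PPP leg that authenticates against the Remote Dial-in User entry. The gateway address, PSK, username, password and the Fedora file paths are assumed placeholders, and the IKE/ESP proposals are left at strongSwan defaults, so they may need pinning to whatever the router's "High" IPsec Security Methods offer.

```ini
# --- /etc/strongswan/ipsec.conf (Fedora path; /etc/ipsec.conf on most other distros) ---
config setup
    uniqueids=no             # lets a phone and a laptop both dial in with the same PSK identity

conn vigor-l2tp
    keyexchange=ikev1        # L2TP/IPsec PSK on the Vigor is IKEv1 main mode, not IKEv2
    authby=secret            # pre-shared key: matches "Certificate for Dial-in: None"
    type=transport           # L2TP/IPsec uses transport mode; the PPP session is the "tunnel"
    left=%defaultroute
    leftprotoport=17/1701    # protect only UDP 1701 (L2TP) ...
    right=203.0.113.10       # constructed placeholder: the router's WAN address
    rightprotoport=17/1701   # ... in both directions
    auto=add                 # brought up by hand, see usage note

# --- /etc/strongswan/ipsec.secrets ---
# Same value as "Pre-Shared Key" under IPsec General Setup on the router.
%any 203.0.113.10 : PSK "CHANGE-ME-long-random-psk"

# --- /etc/xl2tpd/xl2tpd.conf ---
[lac vigor]
lns = 203.0.113.10           # same WAN address as "right=" above
ppp debug = yes              # pppd negotiation ends up in the journal, which is where failures show
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

# --- /etc/ppp/options.l2tpd.client ---
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2            # PPP auth against the Remote Dial-in User username/password
require-mppe-128             # matches the router's "Maximum MPPE (128 bit)" setting
noauth                       # the client does not demand PPP authentication from the router
noipdefault
usepeerdns
defaultroute
mtu 1280
mru 1280
name vpnuser                 # placeholder: Remote Dial-in User username
password "CHANGE-ME-user-password"
```

Bring-up order matters: start strongswan and xl2tpd, run `ipsec up vigor-l2tp` (`strongswan up vigor-l2tp` on Fedora) and confirm an ESTABLISHED transport SA with `ipsec statusall` before writing `c vigor` to `/var/run/xl2tpd/l2tp-control`. If the SA never establishes, the problem is on the IPsec side (PSK or proposal mismatch) and no amount of PPP or MPPE tweaking will help; if it does establish but pppd fails, `journalctl -u xl2tpd` shows the PPP negotiation.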
