DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN to LAN IPsec No NAT Detected Error

14 Mar 2018 07:59 #1 by akwe-xavante
Hoping somebody can help.

Some info to get started:

HOME
Model: Draytek 2860n
Firmware: 3.8.6_BT 576D17_A/B/C HW: A
Service: VDSL 38 meg
WAN IP Address: 123.456.789.10
LAN IP Address: 10.1.1.1

VPN
LAN to LAN
Common Settings
Profile Name: COTTAGE
Call Direction: Dial in

Dial in Settings
Type Of Server: Ipsec Tunnel
IKE Auth Method: IKE Pre Shared Key
Specify Remote VPN Peer ID: ABCDE

TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 192.168.1.0
Network Mask: 255.255.255.0
Local Network IP: 10.1.1.0
Network Mask: 255.255.255.0

COTTAGE
Model: Draytek 2820n
Firmware: 3.9.9_232201 Annex A
Service: ADSL 20 Meg
WAN IP Address: Dynamic
LAN IP Address: 192.168.1.1

VPN
Common Settings
Profile Name: HOME
Call Direction: Dial Out, Always On

Dial out Settings
Type Of Server: IPsec
Server IP Address: 123.456.789.10
IKE Auth Method: IKE Pre Shared Key
IKE Security Method: High (ESP) Des Without Auth
Advanced: Aggressive Mode with Peer ID: ABCDE

TCP/IP Network
My WAN IP: 0.0.0.0
Remote Gateway IP: 0.0.0.0
Remote Network IP: 10.1.1.1
Network Mask: 255.255.255.0
Local Network IP: 192.168.1.1
Network Mask: 255.255.255.0

The LAN to LAN VPN tunnel establishes itself and data is encrypted.
However, I cannot access resources at HOME from the COTTAGE, basically a networked hard drive (mapped drive). I can't ping either (ping is not disabled).

14 Mar 2018 08:00 #2 by akwe-xavante
Looking in the logs I get the following:

<141>Jan 1 00:01:12 COTTAGE: Dialing Node1 (HOME) : 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: Initiating IKE Aggressive Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: NAT-Traversal: Using RFC 3947, no NAT detected
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: sent AI2, ISAKMP SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: Start IKE Quick Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: Cleint L2L remote network setting is 10.1.1.0/24
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: sent QI2, IPsec SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: [L2L][UP][IPSec][@1:HOME]

<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE ==> Protocol:LCP(c021) EchoReq Identifier:0x02Magic Number: 0x0 00 00 ##
<166>Mar 14 06:53:43 COTTAGE: WAN1 PPPoE <== Protocol:LCP(c021) EchoRep Identifier:0x02Magic Number: 0x2ccf 94 c6 ##
<141>Mar 14 06:53:43 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xe43be7bd
<141>Mar 14 06:53:43 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x6d0b993f
<141>Mar 14 06:53:58 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xc54beb44
<141>Mar 14 06:53:58 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x3be9416d
<141>Mar 14 06:54:13 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x8d959a1d

Fifth line down says: no NAT detected!

What am I doing wrong, please?

14 Mar 2018 14:18 #3 by hornbyp
My guess is that this is probably a Routing issue. Try using Tracert/Traceroute to see how far you get. Remember that there needs to be routing information in both directions.

If there's more than one subnet, at either end the router needs to be told about it - or else traffic will be sent to your ISP instead (using the Default Gateway). This is what the "MORE" setting in the VPN entry does. The Route Policy tool on the 2860 is quite a useful diagnostic aid, to see where traffic will go.

Accessing File and Print sharing across subnets always used to be awkward (hence the historical use of WINS servers etc). In my (similar) setup these issues don't seem to exist any more - (though that could be because I have an Active Directory configuration, complete with internal DNS servers.)

I think the entry in the log about NAT is just an observation - it's just telling you that it didn't go through the router, using NAT, to get to a VPN server (because the router is the VPN server).

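The log posted in #2 and the reading of it in #3 can be checked mechanically. The following is an added example, not code from the thread or from DrayTek: a small triage script that walks the quoted syslog lines, maps the ISAKMP exchange types to their names (0x4 Aggressive, 0x20 Quick Mode, 0x5 Informational, per RFC 2408/2409), records the NAT-Traversal result as the observation it is, and reports whether phase 1, phase 2 and the L2L status line all completed. The sample lines are the ones quoted above (the 123.456.789.10 peer is the poster's placeholder address), with two of the later Informational exchanges appended; the function names `triage` and `verdict` are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the DrayTek syslog lines quoted in post #2, verbatim,
# followed by two of the later Informational (0x5) exchanges.
SAMPLE_LOG = """\
<141>Jan 1 00:01:12 COTTAGE: Dialing Node1 (HOME) : 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: Initiating IKE Aggressive Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: NAT-Traversal: Using RFC 3947, no NAT detected
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x4, Message ID = 0x0
<141>Jan 1 00:01:12 COTTAGE: sent AI2, ISAKMP SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: Start IKE Quick Mode to 123.456.789.10
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: Cleint L2L remote network setting is 10.1.1.0/24
<141>Jan 1 00:01:12 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0xe895ec18
<141>Jan 1 00:01:12 COTTAGE: sent QI2, IPsec SA established with 123.456.789.10. In/Out Index: 0/-1
<141>Jan 1 00:01:12 COTTAGE: [L2L][UP][IPSec][@1:HOME]
<141>Mar 14 06:53:43 COTTAGE: IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xe43be7bd
<141>Mar 14 06:53:43 COTTAGE: IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x6d0b993f
"""

# ISAKMP exchange types (RFC 2408 section 3.1) plus IKE Quick Mode (RFC 2409 appendix A).
EXCHANGE_TYPES = {
    0x2: "Identity Protection (Main Mode)",
    0x4: "Aggressive Mode",
    0x5: "Informational",
    0x20: "Quick Mode",
}

IKE_RE = re.compile(
    r"IKE (?P<dir>==>|<==), Next Payload=(?P<payload>[^,]+), "
    r"Exchange Type = (?P<xtype>0x[0-9a-fA-F]+), Message ID = (?P<mid>0x[0-9a-fA-F]+)"
)
STATUS_RE = re.compile(r"\[L2L\]\[(?P<state>UP|DOWN)\]\[[^\]]+\]\[@\d+:(?P<name>[^\]]+)\]")


def triage(log_text):
    """Summarise one DrayTek IKE/IPsec dial-out attempt from its syslog lines."""
    s = {
        "peer": None, "phase1_mode": None, "nat_traversal": None,
        "isakmp_sa": False, "ipsec_sa": False, "l2l_up": False,
        "remote_network": None, "exchanges": Counter(), "notes": [],
    }
    for line in log_text.splitlines():
        # Drop the "<pri>date time host: " prefix; the first ": " ends the hostname.
        msg = line.split(": ", 1)[1] if ": " in line else line
        m = re.search(r"Initiating IKE (\w+) Mode to (\S+)", msg)
        if m:
            s["phase1_mode"], s["peer"] = m.group(1), m.group(2)
            if m.group(1) == "Aggressive":
                # In aggressive mode with a pre-shared key the peer ID and the
                # authentication hash are sent unencrypted, so a captured
                # exchange allows offline guessing of the PSK.
                s["notes"].append("Aggressive Mode + PSK: ID and auth hash sent in the clear; use a long random PSK or Main Mode")
            continue
        m = re.search(r"NAT-Traversal: (.*)", msg)
        if m:
            # RFC 3947 NAT-D check: this only records whether a NAT sits between
            # the peers. "no NAT detected" is a state, not an error.
            s["nat_traversal"] = m.group(1)
            continue
        if "ISAKMP SA established" in msg:
            s["isakmp_sa"] = True          # phase 1 done
            continue
        if "IPsec SA established" in msg:
            s["ipsec_sa"] = True           # phase 2 done
            continue
        m = re.search(r"remote network setting is (\S+)", msg)
        if m:
            s["remote_network"] = m.group(1)
            continue
        m = IKE_RE.search(msg)
        if m:
            xtype = int(m.group("xtype"), 16)
            s["exchanges"][EXCHANGE_TYPES.get(xtype, "unknown " + m.group("xtype"))] += 1
            continue
        m = STATUS_RE.search(msg)
        if m:
            s["l2l_up"] = m.group("state") == "UP"
    return s


def verdict(s):
    """Point the operator at the right layer to debug next."""
    if s["l2l_up"] and s["ipsec_sa"]:
        return ("tunnel is UP: phase 1 and phase 2 both completed, so an unreachable host "
                "is a routing, firewall or VLAN-isolation problem, not a NAT-T problem")
    if s["isakmp_sa"] and not s["ipsec_sa"]:
        return "phase 1 up, phase 2 failed: check the TCP/IP Network selectors on both ends"
    return "phase 1 did not complete: check peer ID, pre-shared key and IKE proposal"


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key:15} {dict(value) if isinstance(value, Counter) else value}")
    print(verdict(summary))
```

Run against the quoted log it reports Aggressive Mode phase 1, three Quick Mode messages, both SAs established and `[L2L][UP]`, so the script agrees with #3: the "no NAT detected" line is not the fault, and the next thing to look at is routing between 192.168.1.0/24 and 10.1.1.0/24.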
14 Mar 2018 14:42 #4 by hornbyp
Actually - looking a bit closer, there are things in the configuration that might need attention...

  • Try adding the Remote Gateway IPs, rather than leaving them as 0.0.0.0. The Draytek documentation tells you to leave them as 0.0.0.0, but I found I needed to set them. (So 192.168.1.1 at the (IN) side and 10.1.1.1 at the (OUT) side)

  • On the (IN) side, the network mask is specified as 255.255.255.0, rather than the default 255.0.0.0. Is this intentional? (I've never understood the purpose of subnetting private IP addresses in this way (as in, why not just use a private address of the required class? Maybe someone can explain it to me? :) )

  • On the (OUT) side, the Remote Network is specified as 10.1.1.1, when it should be 10.1.1.0. Again, 255.255.255.0 is specified (as opposed to the default 255.0.0.0).

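The three configuration points raised in #4 (network fields that are host addresses rather than network addresses, the 255.255.255.0 versus 255.0.0.0 mask, and the remote-network typo) are the kind of thing worth checking with a script rather than by eye. The following is an added example, not code from the thread or from DrayTek: a lint over the two TCP/IP Network sections as they were posted in #1, using only the standard-library `ipaddress` module. The profile dictionaries are constructed from the values quoted above (with the 10.1.1.1 value the poster later says was a typo in the post, not in the router), the WAN placeholder address is left out, and `selector`, `lint_profile` and `lint_pair` are this example's own names. It also shows what a 255.0.0.0 mask actually does to the phase 2 selector.

```python
import ipaddress

# Constructed from the TCP/IP Network values quoted in post #1.
HOME = {   # Vigor 2860n, Dial In side
    "name": "HOME/COTTAGE profile",
    "local_ip": "10.1.1.0", "local_mask": "255.255.255.0",
    "remote_ip": "192.168.1.0", "remote_mask": "255.255.255.0",
}
COTTAGE = {   # Vigor 2820n, Dial Out side, exactly as posted
    "name": "COTTAGE/HOME profile",
    "local_ip": "192.168.1.1", "local_mask": "255.255.255.0",
    "remote_ip": "10.1.1.1", "remote_mask": "255.255.255.0",
    "ike_security": "High (ESP) Des Without Auth",
}


def selector(ip, mask):
    """Effective phase 2 selector for a DrayTek 'Network IP' + 'Network Mask' pair.
    Returns (network, host_bits_set). strict=False semantics via IPv4Interface let
    10.1.1.1/255.255.255.0 resolve to 10.1.1.0/24 while still flagging that the
    field held a host address rather than a network address."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return iface.network, iface.ip != iface.network.network_address


def lint_profile(p):
    """Findings for one side of the L2L profile."""
    findings = []
    local, local_hostbits = selector(p["local_ip"], p["local_mask"])
    remote, remote_hostbits = selector(p["remote_ip"], p["remote_mask"])
    if local_hostbits:
        findings.append(f"{p['name']}: Local Network IP {p['local_ip']} has host bits set; "
                        f"use {local.network_address}")
    if remote_hostbits:
        findings.append(f"{p['name']}: Remote Network IP {p['remote_ip']} has host bits set; "
                        f"use {remote.network_address}")
    if local.overlaps(remote):
        findings.append(f"{p['name']}: local {local} and remote {remote} overlap; "
                        "traffic cannot be routed unambiguously")
    sec = p.get("ike_security", "").lower()
    if "des" in sec and "3des" not in sec:
        findings.append(f"{p['name']}: IKE Security Method uses single DES (56-bit key), "
                        "which is not considered secure")
    if "without auth" in sec:
        # ESP with no integrity algorithm: packets can be altered in transit undetected.
        findings.append(f"{p['name']}: ESP without authentication; choose an integrity algorithm")
    return findings


def lint_pair(dial_in, dial_out):
    """Phase 2 selectors must mirror each other: my local network is your remote network."""
    findings = []
    in_local, _ = selector(dial_in["local_ip"], dial_in["local_mask"])
    in_remote, _ = selector(dial_in["remote_ip"], dial_in["remote_mask"])
    out_local, _ = selector(dial_out["local_ip"], dial_out["local_mask"])
    out_remote, _ = selector(dial_out["remote_ip"], dial_out["remote_mask"])
    if in_local != out_remote:
        findings.append(f"selector mismatch: dial-in local {in_local} vs dial-out remote {out_remote}")
    if in_remote != out_local:
        findings.append(f"selector mismatch: dial-in remote {in_remote} vs dial-out local {out_local}")
    return findings


if __name__ == "__main__":
    for f in lint_profile(HOME) + lint_profile(COTTAGE) + lint_pair(HOME, COTTAGE):
        print(f)
    # What the 255.0.0.0 suggestion does: 10.1.1.0/255.0.0.0 is the whole of 10.0.0.0/8,
    # so the dial-out side would then try to push all of 10/8 into the tunnel and no
    # longer match the /24 the dial-in side offers.
    print(selector("10.1.1.0", "255.0.0.0")[0])
    print(lint_pair(HOME, dict(COTTAGE, remote_mask="255.0.0.0")))
```

On the values as posted the two selectors still match (192.168.1.1/24 and 10.1.1.1/24 both collapse to their /24), which is consistent with the tunnel coming up; the host-bit findings are cosmetic on this firmware but worth fixing because other vendors reject them. Widening one side to 255.0.0.0 produces a selector mismatch, which is the practical reason to keep 255.255.255.0: the mask defines how much address space enters the tunnel, not which RFC 1918 range is "correct".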
14 Mar 2018 15:36 #5 by akwe-xavante
Thank you for your help much appreciated.

"On the (OUT) side, the Remote Network is specified as 10.1.1.1, when it should be 10.1.1.0." This one's my fault, a typo, but not within the router's settings. I typed it incorrectly within this topic.

Tried setting the Remote Gateway IP addresses and that didn't help; tried changing the Network Mask from 255.255.255.0 to 255.0.0.0 and it hasn't worked either, I'm afraid.

Tried altering one and not the other, vice versa and both without the other and this didn't help either unfortunately.

At the dial out side, what should I try entering under the TCP/IP "More" option?

There are no 2nd subnets at either end.

I do have two VLANs (VLAN0: P2 & P3 with SSID1) and (VLAN1: P1 & P4 with SSID2, SSID3 & SSID4) on the Dial Out side. Will this cause a problem? It didn't before. My MS Win7 laptop is on VLAN1.

GOT IT... Although I'm puzzled: my VLAN1 was ticked as "Isolate VPN". I'm sure that this was supposed to be correct, but clearly not.

I want VLAN2 to have secure and isolated use of ports P1, P4, SSID2 and the VPN. I don't want those on VLAN1 using P2, P3 and SSID1 to get at devices on P1, P4, SSID2 or access down the VPN.

Do i isolate VLAN1 from the VPN by ticking the option "Isolate VPN" for VLAN1 rather than my VLAN2?

After all that I'm now lost and confused!

14 Mar 2018 16:21 #6 by akwe-xavante
On the dial out side, looking at my two VLANs I have the options:

Isolate Member: Wireless clients (stations) with the same SSID cannot access for each other.

Isolate VPN: isolate wireless with remote dial-in and LAN to LAN VPN.

Connected to the router on SSID2 with "Isolate VPN" ticked, I cannot access my VPN, but the words say "isolate wireless WITH remote dial-in and LAN to LAN VPN".

Connected to the router on SSID1 with "Isolate VPN" ticked OR NOT, I can access my VPN either way. This is not good at all!

Or am I doing something wrong here?

Can you only access a VPN from the first SSID, and have the option to deny access to it from SSID2 onwards? If this is correct I'll have to change my SSIDs around.
