DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IKEv2 pass-through alongside existing DrayTek IPsec VPN

21 Jun 2018 13:51 #1 by reado
I am currently using our V2925n for IPsec LAN-to-LAN connectivity to connect our head office to our branch offices.

I want to move our Windows 10 remote clients away from a manual VPN connection to an Always On VPN, which is functionality that is built into Windows 10. The Windows 10 Always On VPN feature uses IKEv2, which of course uses the same ports as IPsec.

According to the Remote Access Control Setup page on the V2925n, there's a note saying:

"To allow VPN pass-through to a separate VPN server on the LAN, disable any services above that use the same protocol and ensure that NAT Open Ports or Port Redirection is also configured."

I want to keep the existing DrayTek IPsec LAN-to-LAN VPN and also use an additional IKEv2 service by forwarding all IKEv2 traffic to a backend server running Windows Server 2012 R2 on the LAN, but the note suggests this cannot happen and I am guessing this is because the DrayTek is listening on all IPs.

Is there any way I can run the DrayTek IPsec VPN service on a specific WAN IP so I can set up port forwarding on another WAN IP to forward IKEv2 traffic to the backend server?

22 Jun 2018 17:09 #2 by reado
DrayTek support say this cannot be done. But why is the DrayTek VPN service listening on all IPs?

Surely the whole point of having multiple IPs is so one can run multiple different services on each IP, but this DrayTek design flaw makes that not possible.

It has been suggested to use a different protocol for the LAN-to-LAN but the only alternatives are L2TP (which of course uses IPsec, and so I still cannot use port forwarding) or PPTP which is insecure.

Is there really no way I can run the DrayTek VPN on a single IP address, leaving the other IPs to run whatever I like?

13 Apr 2024 10:02 #3 by gamaha
I've just come across this same issue. Did you ever find a solution? I can see that it's now possible to configure which WAN connection the VPN is listening on, but still cannot find the option to restrict to particular IP addresses.
