DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2955 - L2TP vulnerability causing reboots?

08 Nov 2018 14:15 #7 by peter-h
The number of remote users is 1 :)

08 Nov 2018 16:02 #8 by hornbyp

peter-h wrote: The number of remote users is 1 :)


:D

In that case, I think I would start, by changing that Pre-Shared Key. Make it longer and more complex. I don't believe it will be quickly or easily compromised. If the crashes stop, then re-start in a week's time, you'll know I'm wrong!

Also, see if the "VPN" section of the 'Web' syslog captures anything. (I've had variable success with it...)

08 Nov 2018 18:29 #9 by peter-h
I have been trying to set up a teleworker VPN using just IPSEC.

Of the options other than L2TP or PPTP, the 2955 offers only "IPSEC tunnel".

Is this the same as the IPSEC IKEV2 PSK in android 5 or 7?

The android config is for the IPSEC ID and the IPSEC pre-shared key. Nothing else. The Q is where in the router are these configured? There is a sort of "global" pre shared key which is used for the site-site IPSEC VPN.

Draytek are now blocking access to their Guides unless you sign up
https://www.draytek.co.uk/support/guides/vpn-setup2
and I can't click on the button accepting their terms; it is disabled.

The other VPN guides I can find e.g. this
https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/windows-10-built-in-vpn-to-vigor-router/
is all L2TP which is what is causing the router to reboot.

I found this for android
https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/3900-how-to-establish-ipsec-tunnel-with-xauth-psk/
but it doesn't work :) I can't really relate the router config given to the 2955's options.

It looks like Xauth is the IPSEC mode to use but I can't get that to work either.

08 Nov 2018 19:54 #10 by hornbyp

peter-h wrote: I have been trying to set up a teleworker VPN using just IPSEC.


I don't think the built-in Android client allows/supports that. It wants some more 'protection' on top, in the shape of L2TP or XAuth. I've been looking on the Google Play store, for a client that might work ... but it's hard to see the wood for the trees; most are clients for specific VPN companies. The FortiClient VPN app. looks promising, but having set it all up, it does nothing :cry: . I've just uninstalled it again. There's a Cisco app, that the 2860's SYSLOG notes with interest, is attempting to trigger an IKE V2 connection. It doesn't succeed though...

peter-h wrote: Is this the same as the IPSEC IKEV2 PSK in android 5 or 7?


No. I'm hazy on IKEV2 .. on the grounds I have no devices that support it. It's the latest, greatest, must-have :wink:

peter-h wrote: The android config is for the IPSEC ID and the IPSEC pre-shared key. Nothing else. The Q is where in the router are these configured? There is a sort of "global" pre shared key which is used for the site-site IPSEC VPN.


This is back to what I was saying earlier...if you put nothing in the "IPSec ID" field, the client uses "Main Mode", and the key is matched against the Global PSK; and that's it, the IPSec SA is declared up and running! No wonder it thinks there should be a few more steps on top.

If you put something in the "IPSec ID", it uses "Aggressive Mode". On detecting this, the Vigor should (if anything like the site-to-site config), look for the Remote Dial-in user, that has "Specify Remote Node" ticked, and "or Peer ID" with a matching string. It should then compare the "IKE Pre-shared Key" for that user.

I cannot get this to work on the 2860 ... and not a chance on the 2830. [I'm basing this, on what happens with Site-to-site configuration, rather than any documentation. As an aside, there is a tick box next to "Pre Shared Key" (@ the user level) ... the equivalent tick box for site-to-site has no effect at all ... it will match a PSK, even if you've told it not to. So many bugs!]

peter-h wrote: https://www.draytek.co.uk/support/guides/vpn-setup2

This is ancient and is PPTP or L2TP/IPSec.

peter-h wrote: It looks like Xauth is the IPSEC mode to use but I can't get that to work either.


Is there any mention of XAuth on the 2955?

08 Nov 2018 20:41 #11 by peter-h
The 2955 says nothing about IKEV2 or XAUTH.

On android, both v5 and v7, I find that if I specify IKEV2 PSK it doesn't ask for the username and password. If I specify XAUTH it does.

The IPSEC Identifier is "not used".

How to map this to the router end I don't know. There is a PSK which is definitely used for the site-site VPN and which has its own "global for all IPSEC VPNs" config.

Moving to win10, which is my most important requirement, all it offers in IPSEC terms is IKEV2 (apart from L2TP, PPTP etc) and then you get username/password, nothing about a shared key. I suspect the 2955 doesn't do IKEV2. Nothing works at all.

So it looks like either PPTP or L2TP/IPSEC are the only options.

PPTP has some security concerns. I am not sure if these are real though; basically the attacker needs access to the wifi network or the ethernet cable via which you are connecting and have this during the time the connection is alive; hacking a PPTP VPN server alone just presents you the login+password which will be as hard as you make it. And the GRE protocol used requires specific support in routers etc which is often not present.

And L2TP exposes the vulnerability in the 2955 router which causes reboots.

So I might go back to PPTP. I rarely use it on public wifi.

To summarise my main requirement: is there any win10 VPN config which would work with the 2955 while avoiding L2TP?

08 Nov 2018 21:32 #12 by hornbyp

peter-h wrote: The IPSEC Identifier is "not used".


It's not obvious, but you can type stuff in that field ... and then it definitely is used! (Have I mentioned that SYSLOG gives you an insight into this sort of thing :wink: )

peter-h wrote: There is a PSK which is definitely used for the site-site VPN and which has its own "global for all IPSEC VPNs" config.


Again, I've been looking at this area, with growing concern.

You can get it to use a per-VPN Pre-shared-key, by selecting "Aggressive mode" at the initiating end (Hit "Advanced" in the "IP Security Method" section, select 'Aggressive Mode' and type 'something' into "Local ID". At the target end, enable "Specify Remote VPN Gateway" and type that same 'something' into the "or Peer ID" field. The per-VPN PSK now goes in the [IKE Pre-Shared Key] section - for that LAN to LAN entry). This works for site-to-site, but not Dial-in users. I think the fact that it doesn't work for the latter is a straightforward bug.

peter-h wrote: Moving to win10, which is my most important requirement, all it offers in IPSEC terms is IKEV2 (apart from L2TP, PPTP etc)


If you install the SmartVPN app - you also get 'raw' IPSec ... in what I think is 'transport mode'. (If anyone would like to correct me, please do!)

This guide: https://www.draytek.com/en/faq/faq-vpn/vpn.host-to-lan/how-to-establish-ipsec-with-x.509-from-smart-vpn-client-to-vigor3900/ gives some clues ... enough for me to get it to work to the 2860. (The guide shows an ancient version of SmartVPN, the radically different 3900 and uses X.509 certificates, but apart from that, is a perfect fit :D )

I can't remember if it uses Main mode or Aggressive mode (which influences where the key needs to go, for PSK authentication). It's possible I only tried it using a certificate.

It's quite an odd experience ... the 'connection' is instant and there's no obvious change in the local network. If you fire up the "MMC" and add the "IP Security Monitor" snap-in, you can spot the (dynamic) changes it's made to your system.

It's actually quite clever - I remember doing this manually, years ago on Windows 2000 and it took me half a day! I was doing it for a static PC, that I wanted a cross-site encrypted link to. If the local network changes (i.e. for a travelling laptop), you'd run into DNS configuration issues.

On the plus side, it is the 'pure' IPSec connection you so desire :)

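Added example, not part of any post in this thread and not DrayTek code: a small model of the IKEv1 constraint behind the Main Mode / Aggressive Mode discussion in posts #10 and #12. In Main Mode the initiator's ID is encrypted under keys derived from the PSK, so a responder can only choose the key by source address (or fall back to a global one), while Aggressive Mode sends the ID in clear and allows a per-peer lookup. All names, keys and addresses are constructed, and the lookup order is an assumption for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed responder configuration (hypothetical values, not from any router).
GLOBAL_PSK = b"global-dial-in-key"
PEERS_BY_ID = {"laptop-1": b"per-user-key-for-laptop-1"}  # "Peer ID" -> per-user PSK
PEERS_BY_IP = {"203.0.113.10": b"site-to-site-key"}       # fixed-address peers


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5: SKEYID = prf(pre-shared-key, Ni_b | Nr_b), prf = HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_psk(mode: str, src_ip: str, cleartext_id: Optional[str]) -> bytes:
    """Pick the PSK using only what the responder can see before keys exist."""
    if mode == "aggressive" and cleartext_id in PEERS_BY_ID:
        # Aggressive Mode: the initiator's ID arrives unencrypted in message 1.
        return PEERS_BY_ID[cleartext_id]
    # Main Mode: the ID payload is encrypted under keys derived from SKEYID,
    # so the only selector available is the source address.
    return PEERS_BY_IP.get(src_ip, GLOBAL_PSK)


def handshake_ok(mode: str, src_ip: str, initiator_id: Optional[str],
                 initiator_psk: bytes,
                 ni: bytes = b"\x01" * 16, nr: bytes = b"\x02" * 16) -> bool:
    """True when both ends derive the same SKEYID (fixed nonces for repeatability)."""
    visible_id = initiator_id if mode == "aggressive" else None
    chosen = responder_psk(mode, src_ip, visible_id)
    return hmac.compare_digest(skeyid(initiator_psk, ni, nr),
                               skeyid(chosen, ni, nr))


if __name__ == "__main__":
    roaming = "198.51.100.77"  # constructed address of a travelling client
    cases = [
        ("main", None, GLOBAL_PSK),
        ("main", "laptop-1", PEERS_BY_ID["laptop-1"]),
        ("aggressive", "laptop-1", PEERS_BY_ID["laptop-1"]),
    ]
    for mode, ident, psk in cases:
        print(mode, ident, handshake_ok(mode, roaming, ident, psk))
```

The practical consequence for a roaming dial-in user is that Main Mode with PSK means every such user shares the global key, so rotating or strengthening it affects all of them at once.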