DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2TP w/IPSec VPN - Specify Remote Node - Peer ID - Where?

15 Dec 2018 18:01 #1 by routintooter
Hi.

Router/VPN server:
Model Name : Vigor2850n
Firmware Version : 3.8.8.2_232201
Build Date/Time : May 21 2018 14:21:05

Client tool:
Draytek SmartVPN client 4.3.3.3
and
Draytek SmartVPN client 5.0.0.0

OS:
Win 7 Pro SP1 x86
XP Pro SP3 x86

Connection:
3G cellular data via TMobile/EE dongle.

I have set up a Remote dial in (tele-worker) L2TP with IPSec vpn.

This was set up using a pre shared key as found in the screen: VPN IKE/IPsec General Setup

All works fine.

I am trying to set up a similar dial-in user but using the "Specify Remote Node" / "Peer ID" option found on the "Remote Dial-in User" setup page, and thereby specify a specific pre-shared key (rather than using the "global one", detailed above).

All goes tickety-boo if I fill in "Remote Client IP" with the client's IP address - it seems to connect just fine.

However, I can't see a way of using the "Peer ID" feature/identifier (E.g. "mypeerid@somewhere.net") - there doesn't seem to be an option to enter this in the Draytek SmartVPN client interface.

As the client will have a dynamic IP, I can't use the IP address.

In the past, IIRC, I've got it to work (using a "Peer ID") with the Shrewsoft VPN client, but I can't get the Shrewsoft client to work at all at the moment (it doesn't seem to get past phase 1), and I would rather stick with the SmartVPN client, if possible.

I had a look in the config file the client tool creates but nothing jumped out as being pertinent to "Peer ID".

Any help greatly appreciated.

C


16 Dec 2018 02:25 #2 by hornbyp

Routintooter wrote:
I am trying to set up a similar dial-in user but using the "Specify Remote Node" / "Peer ID" option found on the "Remote Dial-in User" setup page, and thereby specify a specific pre-shared key (rather than using the "global one", detailed above).
However, I can't see a way of using the "Peer ID" feature/identifier (E.g. "mypeerid@somewhere.net") - there doesn't seem to be an option to enter this in the Draytek SmartVPN client interface.


I've played around in this area recently...

I failed miserably in my attempts to use that "Peer ID" field in a Remote Dial-in User entry on my 2860. (It does work in Lan-to-Lan VPN entries.)

I think it is only used for IPSec "Aggressive Mode", and I couldn't find any way of getting the Windows client (or SmartVPN) to do this - it always uses "Main Mode".

I did find a way to make an Android Client use "Aggressive Mode" - but I can't make any combination of "Peer ID" and per-user "Pre-shared key" work. (My 2860 gets further than my 2830, which fails at its earliest possible opportunity!).

The only way I could achieve "Per-user" IPSec authentication, was to use X.509 certificates. (The L2TP part is always authenticated "per-user", but (if used) happens after the IPSec connection has been established).


16 Dec 2018 09:51 #3 by routintooter
Thanks for the info.

In the before time, in the long, long ago, when the Shrewsoft client was working, I had set to use Aggressive mode - which seems to correlate with your experience.


17 Dec 2018 15:50 #4 by routintooter
Having had a further tinker with the Shrewsoft client, it may be the case that my previous experience with it "was all a dream" - that is, I don't think it supports L2TP with IPSEC - it seems to be just IPSEC.

The crib notes I found regarding setting up the Shrewsoft client with a Draytek VPN specify using PSK + XAuth, but if I only pick "IPSEC tunnel" in the Draytek VPN GUI (not "L2TP with IPSEC Policy") then I cannot enter a username and password - which I thought was the XAuth "bit".

However, I could be, and almost certainly am, wrong.


21 Dec 2018 12:18 #5 by routintooter
As has been said above, really:

Contacted Draytek UK support - Response was you cannot currently enter the Peer ID field into the SmartVPN client.
No suggestion it was "on the list", or "not on the list".


21 Dec 2018 17:17 #6 by hornbyp
Looking on the bright side, our experiments seem to be showing the same thing :D

I thought I'd precis a few points that I believe to be facts ... :roll:


  1. The "built-in" Windows L2TP/IPsec client does not support Aggressive Mode.
    From: https://www.niap-ccevs.org/MMO/Product/st_vid10746-agd.pdf

    3.7 Other Information
    There is no way to configure Windows to use IKEv1 aggressive mode. Only main mode is supported

    and https://www.microsoft.com/en-us/download/confirmation.aspx?id=45490

    Note: When the RAS IPsec VPN is configured to use L2TP/IPsec (also known as IKEv1), then IKEv1 Phase 1 negotiation operates in main mode only; aggressive mode operation is not supported and cannot be configured.

  2. Pure IPsec in Aggressive Mode is not supported on Windows either. Circumstantial evidence is that SmartVPN does not allow it to be configured (SmartVPN creates and enables/disables Windows built-in "IP Security Policies". Attempting to configure these manually (using the MMC snap-in), reveals that only "Main mode" and "quick mode" options are present).

  3. When using IPsec Main Mode, the (Peer) ID must be an IP address. This has been demonstrated to work on a per-user basis - but is, of course, usually impractical. Draytek Vigors appear to accept any IP address, when the global PSK is used; in other words, they appear to have overcome the impracticability, by simply abandoning a large chunk of security :o

    See: https://searchwindowsserver.techtarget.com/tip/Understanding-IPsec-identity-and-authentication-options

    Both Modes support any IKE standard ID Type and Authentication Method, with one exception: if Main Mode is used with PSK, the ID must be an IP address. This makes Main Mode/PSK impractical for remote access VPNs, because mobile users rarely connect from static IP addresses.

    Same sort of thing here: http://www.internet-computer-security.com/VPN-Guide/Aggressive-Mode.html

    Aggressive mode is typically used for remote access VPN's (remote users). Also you would use aggressive mode if one or both peers have dynamic external IP addresses.

  4. The Android client (8.0 and maybe others) can be made to use Aggressive Mode, along with its per-user PSK. Unfortunately, the Vigor 2860 cannot be made to respond to it properly. :(

  5. A variety of 3rd party VPN clients exist (though all seem to be commercial offerings). Some of these offer Aggressive Mode. I might investigate if any of them can successfully connect to the Vigor 2860, as a means of shedding light on the failure point in (4.) above.

Out of characters ... TBC

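Editor's added example (my own, not code from the thread, from DrayTek or from the SmartVPN client) of why hornbyp's point 3 holds: the mechanics of when the responder gets to see the peer's identity in IKEv1 Phase 1, and therefore which key it can use to derive SKEYID. In Main Mode with pre-shared keys (RFC 2409, section 5.4) the identity payload IDii is only sent in message 5, already encrypted under keys derived from SKEYID = prf(PSK, Ni | Nr), so the responder has nothing but the source IP address to pick the PSK with; in Aggressive Mode IDii travels in message 1 in the clear, so a per-identity PSK can be chosen before SKEYID is computed. The PSK table, identities, nonces and secrets below are all constructed, and HASH_I is cut down to cover only the nonces and IDii (the real one also covers g^xi, g^xr, the cookies and the SA payload). The "global" fallback is only my reading of hornbyp's observation that a Vigor accepts any source IP when the global PSK is used; it is not taken from DrayTek documentation.

```python
"""Simulated IKEv1 Phase 1 pre-shared-key selection, Main Mode vs Aggressive Mode.
All identities, addresses and secrets are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed per-peer PSK table (what a "Specify Remote Node" / "Peer ID"
# dial-in entry with its own pre-shared key amounts to), keyed by IKE ID type
# and value.
PEER_PSK = {
    ("ID_IPV4_ADDR", "203.0.113.7"): b"static-ip-user-secret",
    ("ID_USER_FQDN", "mypeerid@somewhere.net"): b"peer-id-user-secret",
}
# The "global" PSK from VPN IKE/IPsec General Setup (constructed value).
GLOBAL_PSK = b"global-secret"


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is used here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 s5.4, pre-shared keys: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


@dataclass
class Phase1Open:
    """What the responder knows at the moment it must choose a PSK.
    Main Mode: only the source IP (IDii arrives in message 5, encrypted).
    Aggressive Mode: source IP plus IDii, sent in the clear in message 1."""
    src_ip: str
    ni: bytes
    id_type: Optional[str] = None
    id_data: Optional[str] = None


def select_psk_main_mode(msg: Phase1Open) -> Tuple[str, bytes]:
    """Main Mode: the only identity available is the source address."""
    key = ("ID_IPV4_ADDR", msg.src_ip)
    if key in PEER_PSK:
        return "per-peer by IP", PEER_PSK[key]
    # Assumed fallback: any unknown source address gets the global PSK.
    return "global", GLOBAL_PSK


def select_psk_aggressive_mode(msg: Phase1Open) -> Tuple[str, bytes]:
    """Aggressive Mode: IDii is visible before SKEYID has to be derived."""
    if msg.id_type is None:
        raise ValueError("Aggressive Mode message 1 must carry IDii")
    key = (msg.id_type, msg.id_data)
    if key in PEER_PSK:
        return "per-peer by ID", PEER_PSK[key]
    return "global", GLOBAL_PSK


def phase1_authenticates(mode: str, src_ip: str, id_type: str, id_data: str,
                         initiator_psk: bytes) -> Tuple[str, bool]:
    """Run one cut-down Phase 1: report which PSK the responder selected and
    whether the initiator's HASH_I verifies against it."""
    ni, nr = os.urandom(16), os.urandom(16)            # constructed nonces
    if mode == "main":
        opening = Phase1Open(src_ip, ni)                 # IDii not yet visible
        how, responder_psk = select_psk_main_mode(opening)
    elif mode == "aggressive":
        opening = Phase1Open(src_ip, ni, id_type, id_data)
        how, responder_psk = select_psk_aggressive_mode(opening)
    else:
        raise ValueError(mode)
    idii_b = f"{id_type}:{id_data}".encode()
    # Simplified HASH_I = prf(SKEYID, Ni_b | Nr_b | IDii_b) on both sides.
    hash_i_sent = prf(skeyid_psk(initiator_psk, ni, nr), idii_b)
    hash_i_expected = prf(skeyid_psk(responder_psk, ni, nr), idii_b)
    return how, hmac.compare_digest(hash_i_sent, hash_i_expected)


if __name__ == "__main__":
    cases = [
        ("main", "203.0.113.7", "ID_IPV4_ADDR", "203.0.113.7", b"static-ip-user-secret"),
        ("main", "198.51.100.20", "ID_USER_FQDN", "mypeerid@somewhere.net", b"peer-id-user-secret"),
        ("main", "198.51.100.20", "ID_IPV4_ADDR", "198.51.100.20", b"global-secret"),
        ("aggressive", "198.51.100.20", "ID_USER_FQDN", "mypeerid@somewhere.net", b"peer-id-user-secret"),
    ]
    for mode, ip, t, d, psk in cases:
        print(f"{mode:10} from {ip:14} as {d:24} -> {phase1_authenticates(mode, ip, t, d, psk)}")
```

The second case is the situation in the opening post: a Main Mode client on a dynamic address presenting a Peer ID with its own PSK can never be matched to that PSK, because the responder has to commit to a key (here, the global one) before it can decrypt the identity, so the hashes disagree. The third case is the "any IP with the global PSK" behaviour hornbyp describes, and the fourth is the Aggressive Mode path the Windows and SmartVPN clients cannot take. The caveat a practitioner should weigh before reaching for Aggressive Mode is that the identity and the authenticating hash are exchanged unencrypted in that mode, which is the price paid for being able to select the key by identity.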