Mailing List
Mailing List
Sign Up Here
Like, follow & share: visit DrayTek UK's Facebook page visit DrayTek UK's Twitter page visit DrayTek UK's Linkedin page

Vigor 3900 VPN Trunk to Vigor 2860 (DrayOS)

Vigor 2832
Vigor 2860
Vigor 2925
Vigor 2952
Show all

VPN Load Balance
VPN Trunk

The VPN Trunk facility is able to use multiple WAN interfaces to load balance traffic across those WANs for site to site VPN traffic.

The Vigor 3900 and Vigor 2860 have different interfaces for configuring the VPN trunk but this is fully interoperable between the two router types, this guide covers the setup of these two types of router to make a working VPN trunk between the two.

  Site A - London Site B - Leeds
Router Vigor 3900 Vigor 2860
Call Direction Dial-In Dial-Out
Local Network
Tunnel 1 GRE IP
Tunnel 2 GRE IP

This is the network setup being used between the two sites, the "Tunnel x GRE IP" values are used internally by the routers to establish the GRE tunnels needed for VPN load balancing to operate, these IP addresses can be set to any IPv4 addresses as they are used for an internal point to point link, but it's recommended to avoid setting this the same as any addresses that are in use on the routers or the routing table to avoid problems.

To configure a VPN trunk on the Vigor 3900 router, go to VPN and Remote Access > VPN Profiles, select the IPSec radio button and click Add to create the new profile. When setting the profile name, please note that it cannot use spaces or "-" characters, it is recommended to use the "_" character instead:

The IPSec profile is configured as normal, the Dial-Out Through WAN interface is specified as WAN1, with the local and remote network settings, a pre-shared key and the Remote Host address is the address of the remote side that would be connecting, in this case, WAN1 of the Vigor 2860 router is

The Advanced tab and Proposal tabs can be left on their default settings, which are compatible with other DrayTek routers:

Go to the GRE tab of the VPN profile once that's configured and enter the values as shown:

Click Apply on that profile to save the changes.

The router will then need the profile for WAN2 to be configured, so make a second profile for that:

The setup of the second profile is similar, with the only differences being the Dial-Out Through WAN interface, which should be WAN2 and the Remote Host IP is set as the remote WAN2 IP address of Go to the GRE tab to configure the GRE settings for the WAN2 interface, which should be configured as shown:

Click Apply to save and apply that VPN profile.

The router then needs to be configured to recognise these two profiles as VPN trunk profiles, this is done from VPN and Remote Access > VPN Trunk Management, on the Load Balance Pool tab, click Add to create a load balance pool for the two profiles. Set the profile's Mode to Load Balance and click Add in the Interface section to select the two VPN tunnels to be used; after selecting a profile, set the Weight value, which is a ratio and can be a number between 1 and 255. In this case, the two VPNs will have the ratio set to 1:1 or 50% per tunnel:

Click Apply on that to save it and go to the Load Balance Rule tab, on there click Add to make a profile so that the router will recognise which subnets the trunk will be used for, in this case, the settings are the same as the VPN tunnels, with the source IP range being and the destination IP range being

With that saved, the Vigor 3900 is now ready to accept VPN trunk connections from the Vigor 2860.

To set up a VPN Trunk on the Vigor 2860 router, it first needs to have two VPN profiles configured, from the VPN and Remote Access > LAN to LAN section, on there, select an un-used profile and configure the VPN tunnel for the WAN1 interface.

This is set up as a Dial-Out connection so set the Call Direction to Dial-Out and tick the Always-On tickbox. Set the VPN Dial-Out Through interface to WAN1:

In the 2. Dial-Out Settings, set it as an IPSec Tunnel to be able to set the other required options, the Server IP/Host Name should be the WAN1 interface of the Vigor 3900 router.

Under 4. GRE over IPsec Settings, enable the Enable IPsec Dial-Out function GRE over IPsec tickbox and set the GRE IP addresses as shown, which correspond with the addresses used on the Vigor 3900. The TCP/IP Network Settings are set as they would be with a normal VPN, with the Remote Network IP being the remote network address of the Vigor 3900.

Click OK to save that profile and then configure the VPN profile for WAN2:

This profile is set up in the same way as the WAN1 profile, with the notable differences being the VPN Dial-Out Through WAN interface set to WAN2 and the Server IP/Host Name points to the Vigor 3900's WAN2 interface instead.

The GRE settings should be set as shown to correspond with those set on the Vigor 3900, so that the point to point link can establish.

The TCP/IP Network Settings are configured in the same way as the first tunnel. Click OK to save that profile and the following error message will then show:

This is a warning message only and will not affect operation once the two tunnels are set as being part of a VPN Trunk. Click OK to dismiss it and move on to the VPN and Remote Access > VPN Trunk Management section. On there, under the General Setup section, select the two profiles, give it a suitable name, set the Active Mode to Load Balance then click Add which will make the two profiles part of the trunk.

Once those VPN tunnels establish, the two routers will pass site to site VPN traffic across both WAN interfaces.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1

Add a comment to this article

In the below box, you can add comments which you consider might be helpful to other users reading this article:

(As you'd like it to appear on the comment)

NOTE : All comments are reviewed before publication and may not be posted or may be redacted if the editors do not consider them helpful. The use of offensive or obscene language, copyrighted material, or advertising or promotion or linking to any other product or service is prohibited. By submitting your comment, you confirm that you are the original author and assign copyright of the content to DrayTek indefinitely and irrevocably.