V. VPN (Virtual Private Networking)
LAN-to-LAN VPN Troubleshooting
The following is a list of the most common configuration mistakes made in setting up a Vigor-to-Vigor VPN connection, as well as some general advice for VPN configuration.
Please note that the General tab applies to all VPN types, it is recommended to check the possible causes in that list first if troubleshooting any type of LAN-to-LAN VPN connection.
- On LAN-to-LAN VPNs, for your own ease of use, but also when requesting help/support from your dealer you should keep an accurate plan of your setup. Most common problems are due to confusion over the VPN layout, so keeping your notes/planning clear and up to date is essential. We recommend a table, as shown in this example :
London Liverpool Device Vigor2830 Vigor2860 LAN Address 192.168.1.0 10.1.1.0 LAN Subnet Mask 255.255.255.0 255.255.255.0 Router's Address 192.168.1.1 10.1.1.1 Router Admin Password shilton keegan Public IP Address 126.96.36.199 188.8.131.52 VPN Profile Name Liverpool London Call Direction Incoming Outgoing Outgoing Username n/a scouser Outgoing Password n/a tyne44 Protocols PPTP only PPTP only Pre-Shared Key n/a (IPSec only)
- If you want a VPN tunnel to be permanently active, rather than dial-on demand, select Always On in the VPN profile of the dial-out router. At the other (receiving) end, select '0' as the inactivity timeout (indefinite). If the connection is interrupted, the calling end will retry until reconnected. Otherwise, by default, VPN tunnels have a 300 second (5 minute) inactivity timeout, which allows the router to drop the VPN if it's inactive - it will re-establish automatically if a client on either side needs to pass traffic to the remote network but this does have a slight delay.
'Always On' set on the Dial-Out router.
Indefinite (zero) timeout set at the other end.
- Don't set up lots of VPN profiles on the router to start with. Set up a single profile, for one remote LAN/teleworker VPN and check that it works as expected.
- PPTP is simpler to set up as a protocol than IPSec. If you are troubleshooting, we therefore recommend you start with PPTP and confirm that the basic connection and settings work. You can then switch to IPSec or other protocols later, once the basic concepts and connection have been tested.
- Make sure that the VPN services being used are enabled on both routers, this is set from the [VPN and Remote Access] - [Remote Access Control] page, this requires a restart to apply the change.
- Do not confuse the term 'subnet' with the term 'subnet mask'. A subnet is any subset of a universal network - a subnet can include one IP address, or millions of IP addresses. A subnet mask is a parameter used in combination with an IP address to inform the clients/servers the size of the local subnet. This is best explained in detail elsewhere, but as a quick example, a subnet mask of 255.255.255.0 gives you a local subnet of 253 local addresses and that if a local IP address is 192.168.1.42, it is the final octet only (.42) which varies around the local network - the first three octets must be the same on all local clients, otherwise the IP address falls outside the local IP subnet range and is considered by the PC and router to be remote.
- Ensure that the networks on each side of the VPN are in different subnets. i.e. if both LANs are numbered 192.168.1.X then they cannot route to each other because they are within the same logical subnet.
- On the dial-out side of the VPN connection, make sure that the server IP / host name that it's dialing to is correct, check for spaces.
- Check that the routers can ping each others WAN IP, the exception to this would be if one router is located behind a NATted address, in which case that should be the dial-out router and it should use PPTP or IPsec with Aggressive mode configured.
The routers will block pings from the WAN interface by default, this is changed from the [System Maintenance] - [Management], by unticking Disable PING from the Internet and applying that. Ping diagnostics can be performed from the [Diagnostics] - [Ping Diagnosis] page.
- On routers that support the Policy Route feature, if the VPN is up but not passing traffic, check the Policy Routing Guide for details on how to fix this.
- Check the Route / NAT setting, this should be set to Route generally. The NAT setting is used with dial-out VPN connections, where the router would apply NAT to the VPN connection, which would give that network access to the remote network but no access in the other direction.
- In the LAN-to-LAN profile, enter 0.0.0.0 for the My WAN IP and Remote Gateway IP settings. The Vigors are able to determine their VPN WAN and remote VPN gateway IP addresses automatically from the remote Vigor, therefore you should not normally enter an IP address. Here is the example from the setup guide :
- If the VPN is connecting but drops out very frequently, check whether Ping to keep alive is enabled on the Dial-Out side, if the target address does not respond, the router will drop the VPN roughly every minute, its purpose is to drop and re-establish the VPN if the ping target does not respond.
- When using PPTP/L2TP, do not use the same username for a dial-in (teleworker) user profile as for a LAN-to-LAN profile. The router is unable to tell which one you want when the call comes in and so will default to the Teleworker. A LAN-to-LAN connection can still be established but no routing will occur as the IP allocated will be for a single teleworker only.
- DrayTek routers allow a maximum of 11 characters in the password field on the Dial-In side of the VPN when using PPTP / L2TP, so don't exceed that number of characters in the password for a LAN to LAN VPN.
- If DHCP is disabled on the router, the IP used for the VPN to route is set from [VPN and Remote Access] - [PPP General Setup], make sure that IP range doesn't conflict with any existing or reserved addresses, using Bind IP to MAC for instance.
- Check the output of "log -ct" in the router's Telnet / SSH interface to determine if it's a CHAP authentication error, which is a username / password failure.
- Check the Pre-Shared Key on each side to make sure they are correct.
- On the dial-in side, when using IPsec, make sure the Specify Remote VPN Gateway address is correct. If the remote router is using a NATted address, use IPsec with Aggressive mode.
- Subnets MUST be correct for an IPsec connection to establish and they should be entered as the network address, for instance where the router IP is 192.168.1.1 with a subnet mask of 255.255.255.0, the network address would be 192.168.1.0.
- Make sure that the subnet mask used for the VPN connection matches the subnet mask configured on the remote router's [LAN] - [General Setup] section.
- Make sure that the selected IPsec Security Method on the Dial-Out side matches the allowed IPsec Security Methods allowed under the Dial-In settings on the dial in router.
- There is an additional global IPsec Pre-Shared Key on the router which is configured under [VPN and Remote Access] - [IPsec General Setup], which is used with dial-in user IPsec connections or for LAN-to-LAN VPNs from dynamic IP addresses. If using this, make sure that the Pre-Shared Key used is not the same as one used in a LAN-to-LAN VPN profile as this could cause the connection attempt to go into the wrong profile, which would stop the connection from establishing.
How do you rate this article?
- First Published: 18/03/2013
- Last Updated: 09/12/2015
Add a comment to this article
NOTE : All comments are reviewed before publication and may not be posted or may be redacted if the editors do not consider them helpful. The use of offensive or obscene language, copyrighted material, or advertising or promotion or linking to any other product or service is prohibited. By submitting your comment, you confirm that you are the original author and assign copyright of the content to DrayTek indefinitely and irrevocably.