DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
- Liam
- Topic Author
- New Member
- Posts: 4
- Thank yous received: 0
12 May 2025 09:45 - 12 May 2025 16:36 #104925
by Liam
Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5 was created by Liam
Hello, I've recently purchased a few 2136ax routers for some additional small sites. They VPN into the main site, which has a few different subnets. When I try to enter the additional subnets, there is no option other than to create additional SAs for each subnet. I do not want to do this; I just want the router to be aware that these additional subnets reside at the end of this VPN connection. This has not been an issue with all the previous Vigors I've used, where creating additional SAs was an option, not an enforcement. However, like I say, there seems to be no other option than to create additional SAs with this new model.

Also, just to add: if I add the additional subnets in here, then the router tries to create SAs, which will fail and drop the VPN every 30 secs. When I remove the SAs, the VPN connection is stable.
Can someone help/confirm?
Screenshot of options. It's either Disabled or Multiple SAs.
Last edit: 12 May 2025 16:36 by Liam.
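As an added example (not code from this thread, from DrayTek, or from DrayOS), the Python script below models what the "Multiple SAs" setting asks of both ends of the tunnel. With multiple SAs, IPsec negotiates one Phase 2 SA (IKEv1 quick mode or IKEv2 CHILD_SA) per (local subnet, remote subnet) pair, and the peer only accepts a pair it has configured in mirror image. The site layout, addresses and profile contents are constructed for the example; that a selector mismatch on the hub is what produced the failing SAs in the first post is an assumption, not something the post confirms.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site layout (not from the thread):
#   spoke (a 2136ax) LAN:      192.168.10.0/24
#   hub (main site) subnets:   10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
SPOKE_LAN = ["192.168.10.0/24"]
HUB_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]


@dataclass(frozen=True)
class Selector:
    """One Phase 2 traffic-selector pair as seen from the side that owns it:
    traffic between `local` (our side) and `remote` (the peer's side)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def __str__(self) -> str:
        return f"{self.local} <-> {self.remote}"


def phase2_selectors(local_nets, remote_nets):
    """Every (local, remote) pair a router must negotiate as its own SA.
    Under a 'Multiple SAs' setting, one SA is attempted per pair."""
    return {
        Selector(ipaddress.ip_network(l), ipaddress.ip_network(r))
        for l in local_nets
        for r in remote_nets
    }


def peer_accepts(sel, peer_selectors, allow_narrowing=True):
    """Would the peer accept `sel`? It needs a mirrored pair: its local must
    cover our remote and its remote must cover our local. IKEv2 lets a
    responder narrow a wider selector; IKEv1 normally needs an exact match
    (allow_narrowing=False)."""
    for p in peer_selectors:
        if allow_narrowing:
            if sel.remote.subnet_of(p.local) and sel.local.subnet_of(p.remote):
                return True
        elif sel.remote == p.local and sel.local == p.remote:
            return True
    return False


def unmatched_selectors(my_local, my_remote, peer_local, peer_remote,
                        allow_narrowing=True):
    """Selectors this side will propose that the peer has no mirror for.
    Each one is a Phase 2 negotiation that fails and is retried; repeated
    failures like this are one possible cause (an assumption here) of the
    'tries to create SAs, fails and drops the VPN' symptom."""
    mine = phase2_selectors(my_local, my_remote)
    peer = phase2_selectors(peer_local, peer_remote)
    bad = [s for s in mine if not peer_accepts(s, peer, allow_narrowing)]
    return sorted(bad, key=lambda s: (str(s.local), str(s.remote)))


if __name__ == "__main__":
    # Hub profile only lists its first subnet: two of the spoke's three SAs fail.
    for s in unmatched_selectors(SPOKE_LAN, HUB_SUBNETS, ["10.0.0.0/24"], SPOKE_LAN):
        print("no peer match:", s)
    # Hub profile lists all three subnets, or a covering 10.0.0.0/16 under IKEv2:
    # every SA has a mirror and nothing is reported.
    print(unmatched_selectors(SPOKE_LAN, HUB_SUBNETS, HUB_SUBNETS, SPOKE_LAN))
    print(unmatched_selectors(SPOKE_LAN, HUB_SUBNETS, ["10.0.0.0/16"], SPOKE_LAN))
```

The check to take away: before enabling Multiple SAs on a new spoke, list the (local, remote) pairs the spoke will propose and confirm the hub's profile for that spoke carries each one mirrored (or, under IKEv2, a wider selector that covers it). Any pair without a mirror is a negotiation that can only fail.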
- Liam
- Topic Author
- New Member
- Posts: 4
- Thank yous received: 0
13 Aug 2025 12:35 #105345
by Liam
Replied by Liam on topic Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
Does anyone know about this? Still not able to add a subnet without creating an SA on the 2136ax router.
- HodgesanDY
- Member
- Posts: 287
- Thank yous received: 25
15 Aug 2025 15:15 #105368
by HodgesanDY
Replied by HodgesanDY on topic Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
Hi Liam,
I see your issue. No doubt DrayTek will add the option you want with enough demand, or they have other reasons for enforcing the use of it.
You could try this:
Code:
vpn l2lset [list index] phase2[lifetime]
as in
Code:
vpn l2lset [Profile 1] phase2[86400]
or even
Code:
vpn l2lset [Profile 1] phase2[0]
..if it lets you?
That would push the rekeying period to 24 hours or 0 hours, if it accepts 0, for the Phase 2 SA.
I imagine this isn't a problem for two modern matching DrayTek routers but possibly a problem for old and new working together.
The following user(s) said Thank You: Liam
- Jeremy
- New Member
- Posts: 2
- Thank yous received: 1
20 Aug 2025 14:27 - 20 Aug 2025 23:35 #105397
by Jeremy
Replied by Jeremy on topic Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
I believe that it is possible to get round this problem using Route Policies. I will have the same issue, but I am unable to test it on the 2136 for another couple of weeks; it does appear that you can enter your extra routes as a Route Policy that steers the traffic to the specific VPN.
As I understand it, DrayOS has 2 routing tables, the standard one and the Route Policies one, which can add to or override any standard routing.
It would probably be a lot simpler to set up if DrayTek made the Network section on the VPN config a single list of routes with a minimum of one route and check boxes for SAs. However, as has been said above, there may be some underlying reason for the restriction. It does kind of feel like an oversight, though.
I'll post something back when I've been able to check it out properly.
Last edit: 20 Aug 2025 23:35 by Jeremy.
The following user(s) Like: HodgesanDY
- Jeremy
- New Member
- Posts: 2
- Thank yous received: 1
04 Sep 2025 13:37 - 04 Sep 2025 13:40 #105437
by Jeremy
Replied by Jeremy on topic Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
Right, as promised, I have now had a chance to test route policies for IPsec VPNs on the 2136ax (DrayOS 5).
It is all working as it should. I've got two IPsec VPNs to other sites, and each one of those just has its one default subnet configured. Then two route policies are set up, each one adding the missing subnets for a VPN, i.e. those that would have been added as extra routes on DrayOS 3/4.
- Go to: Configuration / Routing / Route Policy
- Click + Add
- Give it a name and enable it
- Set Destination to IPv4 Address
- Click + Add to add the extra subnet(s) required
- Set Primary Path to VPN
- For Primary Path VPN click + Add to select the required VPN
- Everything else should be ok at default.
It's a bit of an annoyance that lists like Site-to-Site VPN and Route Policy cannot be enabled/disabled at the list level as in DrayOS 3/4, as that makes it a whole lot quicker to debug routing problems, but it's not the end of the world.
Last edit: 04 Sep 2025 13:40 by Jeremy.
The following user(s) said Thank You: Liam
The following user(s) Like: anaglypta, HodgesanDY
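As an added example (not code from this thread, from DrayTek, or from DrayOS), the Python model below captures the two-table behaviour Jeremy describes: a Route Policy list that is consulted before the standard table and steers extra destinations into a VPN profile, while the standard table only holds the LAN, the VPN profile's own subnet and the default route. That the policy table is consulted first and overrides the standard table is an assumption drawn from Jeremy's description, not a statement about DrayOS internals; the subnets, profile names and paths are constructed. The practical check it adds is `not_via_vpn`: after creating a policy, confirm every main-site subnet actually resolves to the VPN path, because a subnet the policy does not cover (or a disabled policy) falls through silently to the default route.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RoutePolicy:
    """One Route Policy entry: Destination = IPv4 Address(es), Primary Path = a
    VPN profile. Other DrayOS fields are left at default and ignored here."""
    name: str
    destinations: list          # ip_network objects
    primary_path: str           # e.g. "VPN:HQ" (constructed name)
    enabled: bool = True


@dataclass
class TwoTableRouter:
    """Toy model (assumption, not DrayOS code): policies are checked first and
    override the standard table; the standard table is what 'show routes' lists."""
    standard: list = field(default_factory=list)   # (network, path)
    policies: list = field(default_factory=list)

    def add_route(self, net, path):
        self.standard.append((ipaddress.ip_network(net), path))

    def add_policy(self, name, destinations, primary_path, enabled=True):
        nets = [ipaddress.ip_network(d) for d in destinations]
        self.policies.append(RoutePolicy(name, nets, primary_path, enabled))

    def routing_table(self):
        """The standard routing table: policy destinations never appear in it."""
        return [(str(n), p) for n, p in self.standard]

    def lookup(self, dst):
        """Return (table, match, path) for a destination address, or None."""
        ip = ipaddress.ip_address(dst)
        for pol in self.policies:                      # first enabled match wins
            if pol.enabled and any(ip in n for n in pol.destinations):
                return ("policy", pol.name, pol.primary_path)
        best = None                                    # longest-prefix match
        for net, path in self.standard:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, path)
        return ("standard", str(best[0]), best[1]) if best else None

    def not_via_vpn(self, remote_nets, vpn_path):
        """Remote subnets whose traffic would NOT enter `vpn_path`, mapped to the
        path they would take instead. Run this after adding a policy."""
        leaks = {}
        for net in remote_nets:
            probe = str(ipaddress.ip_network(net).network_address + 1)  # first host
            hit = self.lookup(probe)
            if hit is None or hit[2] != vpn_path:
                leaks[net] = hit[2] if hit else None
        return leaks


def build_example():
    """Constructed spoke: LAN 192.168.10.0/24, one VPN profile to the main site
    carrying 10.0.0.0/24, and a policy for the extra main-site subnets."""
    r = TwoTableRouter()
    r.add_route("192.168.10.0/24", "LAN1")
    r.add_route("10.0.0.0/24", "VPN:HQ")         # the single subnet in the VPN profile
    r.add_route("0.0.0.0/0", "WAN1")             # default route
    r.add_policy("HQ extra subnets", ["10.0.1.0/24", "10.0.2.0/24"], "VPN:HQ")
    return r


if __name__ == "__main__":
    r = build_example()
    print(r.routing_table())        # 10.0.1.0/24 and 10.0.2.0/24 are not listed
    print(r.lookup("10.0.1.5"))     # ('policy', 'HQ extra subnets', 'VPN:HQ')
    print(r.lookup("10.0.3.5"))     # ('standard', '0.0.0.0/0', 'WAN1'): not steered
    print(r.not_via_vpn(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
                        "VPN:HQ"))  # {'10.0.3.0/24': 'WAN1'}
```

The model also shows why the policy-steered subnets are invisible in the standard routing table: they live only in the policy list, so debugging has to start from the Route Policy page rather than the route table. In the example, 10.0.3.0/24 was deliberately left out of the policy to show the failure mode: it is not an error, the router simply sends it down the default route.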
- Liam
- Topic Author
- New Member
- Posts: 4
- Thank yous received: 0
04 Sep 2025 14:48 #105438
by Liam
Replied by Liam on topic Site-Site VPN- multiple subnets without creating SA's. Not available on DrayOSv5
Thanks Jeremy, I actually managed to get it set up a few days ago exactly as you mentioned above. It is frustrating, though, that the routes don't show up in the route table.

My next issue, which I haven't had a chance to dig into yet, is that when I disable WAN access to the router (basic security), I can't reach a remote router from inside the VPN. The error says that remote administration via WAN is blocked, even though I'm technically on our internal network, just at another site.