I have a Draytek 2927 (call this Router A),connected via a LAN to LAN VPN to a second Draytek 2962 (call this Router , Router A connects to Router B via it's core LAN subnet. Router B has a separate subnet with various other Routers via LAN to LAN setups. I want to see these on Router A and previously before the 2962 was installed as Router B (another 2927) this all worked by adding the respective subnet on one of these remote Routers( connecting in to Router to the Router A LAN to LAN (to Router subnet. I set up a Load/Balance Route policy entry to add the subnets of Router A's LAN wanting to see these to the GW of the respective Subnet on Router B and all worked well until I changed Router B for a 2962 but now none of this works! I've tried adding Load/Balance Route policies to the new 2962 on Router B but to no avail along with a Firewall entry to pass the respective subnet of Router A wanting to see these LAN to LAN routes on Router B but still to no avail. Doing a traceroute I can see the pings reaching router B but not going any further.

I've spent a number of hours head-scratching given using two 2927s seem to work okay with this configuration but wondering whether the firewall on the 2962 is somehow blocking the NAT'ing and wondering whether or not it's a bug issue between the two Routers? I also enabled RIP between Router A and B (on the LAN to LAN VPN) and the 2962 ( appears to update the 2927 (A)'s Routing Table after bouncing the tunnel but then is erased from the 2927 after a couple of minutes, as if the 2962 isn't refreshing the Routing to the 2927.

Anybody else experienced a similar issue and can offer any advice? Hopefully I've tried to make clear what I'm trying to achieve although may have got a bit lost in translation!

Hi  neil201 ,

You're right that doesn't seem to work. I too have a 2962 as a central VPN server also used for passthru. I have several 2927's connected to it and also a 2865 & 2862 at two other sites. 

I' haven't needed the passthru from any of the 2927s to each other so hadn't encountered this. The 2862 can ping the 2927's and vice-versa, but none of the additional subnets on any of the 2927's can be ping'd from any of the other 2927's Ping tool (>>Diagnostics, on the routers themselves).

I finally realised why, you can't only add the "additional subnets" alone. You must have at least the 'Local Network' subnet of the destination router's VPN L2L Profile in the additional subnets list of the VPN Profile you are connectiong from.


Hope that makes sense back... So add the main subnet then all other subnets should be contactable.

Cheers for the quick response on this one, been head-scratching over the weekend trying to resolve.

My 2927's all connect to the 2962 but being able to see subnet to subnet on each 2927 from one another isn't a requirement, just the subnet (in my case LAN6) from each 2927 back to the central 2962 where all my other L2L connections route - in to LAN6.

If I understand correctly I need to add the network subnet of LAN6 in to the 2927-2962 L2L profile on the 2927, facing the 2962, and the network subnet of LAN6 on the 2927 in to the 2962's same L2L profile.

I enabled RIP from the 2962 to 2927 and bouncing the tunnel passes the 2962 Routing table once but then disappears in the 2927 after a couple of minutes. Not sure if this is a bug but going the other way the 2927 seems to keep the 2962's table updated.

Ok I understand now.

If I understand correctly I need to add the network subnet of LAN6 in to the 2927->2962 L2L profile on the 2927, facing the 2962, and the network subnet of LAN6 on the 2927 in to the 2962's same L2L profile.

Agreed, correct; although I do not use RIP, anywhere. And I'm guessing these two LAN6's at both ends aren't using the same subnet range, obviously(?)!.

So I've just created an additional entry for LAN6 of the 2962 on one of the 2927s L2L Profiles and then joined that LAN that is already routed to the 2962 via that same L2L Profile (in this instance it is not LAN6  but LAN2 on the 2927) and I can now see the relevant subnets are listed in the routing tables of each router (the 2962 & 2927 respectively). (Sometimes kicking/reconnecting the VPN connection helps refresh the table entries)

Now, when I ping from a device on the 2927's LAN2 to a device on the 2962's LAN6, I get an echo response back. So all is working fine, as expected. 

The 2927 I'm using for this is running FW 4.5.1
The 2962 I'm using for this is running FW 4.4.3.6 (which I am now going to update to FW 4.4.3.7 because of this posting)

So I've just disabled the RIP on the VPN, it did work pinging the GW of my LAN6 on the 2962 from the ping diagnostic tool on the 2927 when RIP was enabled but once the entries in the Routing Table had expired then stopped responding.

One question you may be able to answer, how many unique SA's can you have for each subnet on a L2L profile? There's a fair amount of additional subnets on the 2962 <> 2927 profile. Am I best adding the subnets at each end without SA enablement?

My 2927 is running v4.51
my 2962 is running v4.4.5.1

Edit; just had a nosy at another 2862 connected to the both one 2927 via a L2L and the 2962. Interestingly with RIP (Rx) from the 2962 enabled on the L2L profile between the 2862 and 2962 it has added the LAN6 route it's learn't from the 2962 automatically and the table appears to be constantly refreshed, I can also ping the LAN6 GW from the 2862. I'm wondering if the RIP issue is FW related between the 2962 and 2927 with it not updating? Saying all this, you have obviously made this work without using RIP so I must have done something amiss?

One question you may be able to answer, how many unique SA's can you have for each subnet on a L2L profile? There's a fair amount of additional subnets on the 2962 <> 2927 profile. Am I best adding the subnets at each end without SA enablement?

For the 2862, which is very old now, it is only 32 additional subnets "Remote Networks". When you reach that point and try to add another it pops up with a dialogue windows saying 'Network buffer full!'. You can add all 32 to one L2L Profile or spread them across many, but the total can't exceed 32 on that model. The newer ones, like the 2927 and the 2962 can probably go way higher. I can't say I've ever seen any info on that, max limit, in any of the manuals I've skimmed through.

I don't use the SA option, at all, as this is only necessary for connection to non-DrayTek routers. DrayTek to DrayTek you don't need it.

My 2927 is running v4.51

This has been stable for me, on all 2927 models so far...

my 2962 is running v4.4.5.1

This FW caused me loads of problems, on the 2962, especally with VPN throughput. I had to roll-back to the "stable" 4.4.3.* fork, saying that, after upgrading to the 4.4.3.7 FW release last night, I'm seeing similar slowdown across the VPNs as I did with the 4.4.5.* fork. But I'll persist and hope it smooths itself out, hmmm...

FW 4.4.3.6 was brilliant, and fast/responsive!