DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IPsec/IKE VPN with Virgin Media Hub (modem mode) - any experience?

07 Nov 2024 17:44 #104114 by ctluk
I have a 2865 configured with IPsec/IKE VPN, connected via a BT FTTC connection. Just upgraded to Virgin Media fibre; I've kicked the Virgin Media supplied hub into modem mode, and after a couple of reboots that appears to be working fine. The DrayTek is getting an external IP and traffic is flowing in both directions. At the same time I've upgraded the firmware of the 2865 to 4.4.5.3_BT; in hindsight I should have tested the VPN before I did that. Anyway... the issue is now the VPN doesn't work. I can see it trying to connect in the syslog but it doesn't complete. On the Smart VPN Client I just get an error "Unknown Error", which isn't very helpful. DrayDDNS is working fine and I've successfully renewed the Let's Encrypt certificate, so I am confident that everything on that side is working.

So the question is, does anyone have a similar setup, either IPsec/IKE or SSL VPN, working OK?  I am trying to decide if the new firmware is to blame or there is something funky with the Virgin media implementation.

Any feedback gratefully received.

P.S. If anyone wants to see the log just shout and I'll post it.  I have also reached out to support so we'll see what they come back with.


12 Nov 2024 21:30 #104137 by HodgesanDY
Hi ctluk,

I have many sites running on Virgin Media modems, some business plans and others domestic plans and even both at certain locations.

We have 2862, 2866, 2927, 2962s across these locations and all are running the latest firmware, either official or release candidates.

The 2866 is running 4.4.5.3_rc2 with a Virgin modem with an IPsec IKE LAN to LAN tunnel, in fact all sites have this protocol running. Dial-in user works with IPsec on iPhones and SSL on Windows machines.

Modem mode is the easiest to set up, but it can be done via the modem in “router” mode as well, you just need to enable DMZ and set the IP to the Vigor Router which will allow direct pass-through. You’ll get a 192.168.0.* address shown in the Vigor dashboard for the WAN IP, but if you know the public IP assigned to the Virgin Modem (what is my ip) you can dial straight through to the Vigor using that public IP.

SSL is the easiest method on a Windows machine when dialling in using the Smart VPN Client; any other method is less secure, and IPsec is a PITA to get running with the Smart client. In fact, I have tried so many times and never succeeded, so I revert to SSL, which I know works well.


13 Nov 2024 09:25 #104139 by ctluk
Thanks for the response. I've since switched to SSL which is working.


18 Nov 2024 17:19 #104176 by Daelra
This is timely. Apologies for stealing the thread, but it's so close to my issue I thought it better to ask here. I've been struggling with getting VPN working on a 5x static IP Virgin Business router and a Vigor2927 for a while now.

Trying to get dial-in IKE/IPsec or L2TP with IPsec to work but have had no luck at all.

I'm new to DrayTek and Virgin routers, so working out whether it's a Virgin or DrayTek problem has been a problem in itself.

So... assume:
  • Virgin router has not been touched since we got it, so set up for 5 static IPs by Virgin
  • DrayTek IP is xxx.xxx.xxx.186
  • Virgin IP/gateway is xxx.xxx.xxx.185


Virgin Router > BASIC > DMZ, add xxx.xxx.xxx.186?

On the DrayTek I have:
  • VPN and Remote Access >> Remote Access Control
    • Enable IPsec VPN Service
    • Enable L2TP VPN Service
  • VPN and Remote Access >> IPsec General Setup
    • I've put in a Pre-Shared Key (here, or can I give dial-in users different ones?)
    • Set up a remote dial-in user
    • IPsec Security Method = Basic
  • VPN and Remote Access >> Remote Dial-in User
    • Enable this account ticked
    • IPsec Tunnel IKEv1/v2, IKEv2 EAP ticked
    • L2TP with IPsec policy [Must]
    • Added username and password.
    • IKE Auth Method is greyed out so can't add pre-shared key here (Have I done something wrong?)
  • NAT >> Port Redirection
    • UDP500: WAN=ALL, protocol=UDP, PubPort=500, SrcIP=Any, PrivateIP=xxx.xxx.xxx.186
    • UDP4500: WAN=ALL, protocol=UDP, PubPort=4500, SrcIP=Any, PrivateIP=xxx.xxx.xxx.186
Anything I'm missing / got wrong?

Ideally, I want something that'll work with a bog-standard Windows VPN client, but if that causes more pain, then any other suggestions?


18 Nov 2024 17:29 #104177 by ctluk
First step (apologies if you've already done it): enable the web syslog, clear out the logs and then try a VPN connection. That will help identify whether the VPN connection request is getting to the DrayTek.


20 Nov 2024 14:14 - 20 Nov 2024 17:50 #104184 by HodgesanDY
Hi Daelra,

If you have 5x static public IPs and want to use them, your Virgin modem will need to be in 'Modem Mode'. You won't be able to configure 5 separate public IPs when the Virgin modem is in 'Router Mode'. Seeing as you mentioned 'Virgin Router > BASIC > DMZ, add xxx.xxx.xxx.186?' in your Virgin modem setup, you must have it in 'Router Mode', as that function isn't available in 'Modem Mode'.

When you switch the Virgin modem into 'Modem Mode' you will then need to change your WAN setting on the Vigor router to 'Specify an IP address' and enter the details your ISP should have given you (or can supply you if requested).

These details will contain a single public IP (and any additional ones you may have purchased, in your case 4 more), a subnet mask and a gateway address. They may also give you DNS addresses too, but you can enter any DNS server address(es) on the internet that you prefer. (See the 'DNS Benchmark' tool.)

Once you have entered the 'Specify an IP address' details into the Vigor's WAN setup (WAN >> Internet Access - Static or Dynamic IP) using your first public IP address, you'll see a 'WAN IP Alias' button; this is where you enter the additional public IPs you have purchased. Once this is all set up you can start mapping those additional public IP addresses elsewhere within the Vigor config. The first IP will become the default public IP and the one that most configurations will default to.

On Draytek VPN setup:
  • VPN and Remote Access >> Remote Access Control
    • Enable IPSec VPN Service
    • Enable SSL VPN Service
    • DISABLE L2TP VPN Service
    • Enable WireGuard VPN Service (You shouldn't need to do this, but because of poor coding (at the time of posting this) you'll need this enabled to de-tick 'WireGuard' in the Dial-in Profile to allow saving of the Profile; you can disable this later.)
  • VPN and Remote Access >> IPsec General Setup
    • General Pre-Shared Key (Use this key for LAN-to-LANs)
    • XAuth User Pre-Shared Key (Use this key for Dial-in Users (using IPsec)).
    • IPSec Security Method = 'High' only (de-tick AH)
  • VPN and Remote Access >> SSL General Setup
    • Port = 446 (you can leave as 443, but changing to 446 helps prevent clashing with 443 used in other configs) Remember to change SSL to 446 on the VPN Smart Client when doing this.
  • VPN and Remote Access >> Remote Dial-in User
    • Enable this account
    • Idle Timeout  =  -1
    • IPSecTunnel XAuth
    • Add username and password.
    • IKE Auth Method is greyed out so can't add pre-shared key here (This is already set in the above settings page)
    • Netbios Naming Packet = Block (unless you really need it)
    • Multicast via VPN = Block (unless you really need it)
    • Subnet = LAN1 if only one LAN is present; otherwise, specify which LAN subnet you would like that user to be placed on when dialling in. Furthermore, set a static IP for later config use, or leave it un-ticked.
    • Use SSL for Dial-In users on Windows machines using the VPN Smart Client, de-tick IPsec options in this case, set username and password and you're done.
  • NAT >> Port Redirection
    • These settings shouldn't be necessary.

Hopefully I've not missed anything.

 
Last edit: 20 Nov 2024 17:50 by HodgesanDY.

