DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Mixing Client to Site and Site to Site VPNs

23 Sep 2008 15:19 #1 by lsystems
Hi All,

Currently we have a Draytek 2900 router (via a single NAT'd IP address) and run various types (Cisco, Nortel etc.) of IP-Sec based VPN clients (using pass-through) behind the firewall to provide remote access to our customers.

We would like, if possible, to also be able to set up IP-Sec based Site to Site VPNs where customers request it, so no client software is required. Am I correct in thinking that this is not possible with our single box solution, as IP-Sec traffic is either passed through or not...?

Would it perhaps be possible to introduce a VPN server behind the firewall (in a DMZ?) to support the site to site VPNs without interfering with the existing client to site VPNs we already have running via pass-through behind the firewall?

Any advice/experiences would be most welcome.

Regards,

David

23 Sep 2008 18:13 #2 by j.baker
Replied by j.baker on topic Mixing Client to Site and Site to Site VPNs
I do not know the specs of the 2900, but if you can create multiple lan-lan IPSEC tunnels, then it should do what you want.

However, each location must be on a separate IP address subnet on its LAN. The LAN-LAN tunnels are set up, and then an IP route is set up to go over the tunnel.

If anyone knows different, please correct me.

Regards

John Baker


Vigor2820 series with firmware 3.3.5.2_RC2
ADSL

26 Sep 2008 20:38 #3 by louis-m
Replied by louis-m on topic Mixing Client to Site and Site to Site VPNs
John's right. You need to make sure your remote site is on a different subnet. If not, you will have to make a change to the network at one site. Then it's as simple as making an IPsec site to site VPN which will be transparent to the end users.
You can then use an IPsec/PPTP client for mobile devices that are outside the LAN subnets. DrayTeks will perform this with ease.

2820 = 3.3.2_RC5
2950 = 3.2.4

09 Aug 2010 15:35 #4 by lsystems
Replied by lsystems on topic Mixing Client to Site and Site to Site VPNs
Just got round to testing this and am having little success. I'm testing with a Draytek 2820 running 3.3.3_232201. The details I've been given to connect with are:-

IP-Sec: Site to Site
Peer Gateway IP: A public IP
Pre-shared Key: As agreed

Phase 1
Encryption: AES-256
Hash : SHA1
Group: DH2
Lifetime : 1440 (minutes)

Phase 2
Encryption: AES-256
Hash : SHA1
Group: DH2
Lifetime : 3600 Secs

I have set this up as follows:-

VPN and Remote Access >> LAN to LAN
Call Direction : Dial Out

Dial Out Settings
Type: IPSec Tunnel
Server IP/Host Name: Peer Gateway IP as shown above

IKE Authentication Method
Pre-Shared Key : key as agreed above

IPSec Security Method
High(ESP): AES With Authentication

Advanced
IKE phase 1 mode : Main Mode
IKE phase 1 proposal : AES256_SHA1_G2
IKE phase 1 key lifetime : 86,400
IKE phase 2 key lifetime : 3600
Perfect Forward Secret : No
Local ID :

TCP/IP Network Settings
My WAN IP : 0.0.0.0
Remote Gateway IP : Peer Gateway IP as shown above
Remote Network IP : IP of the server we want to connect to
Remote Network Mask : 255.255.255.255
RIP Direction: Disable
From 1st subnet : Route

If we open up a connection via RDP to the Remote Network IP, the VPN Log using syslog, shows:-

Dialing Node(Name): Peer Gateway IP as shown above

And that is it, nothing else gets written to the log. The VPN hardware I'm connecting to is a Checkpoint Firewall apparently. I suspect a problem with the Remote Network IP and mask, but I'm entering the values I've been given. Any suggestions would be most welcome.

Regards,

David

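When a LAN-to-LAN tunnel stalls after "Dialing Node" with nothing further logged, the first thing to rule out is a proposal or selector mismatch between what the peer supplied and what was typed into the router. The script below is an added example (not from the thread or from DrayTek); it transcribes the two parameter sets from post #4 into constructed data structures and compares them field by field, normalising lifetime units (1440 minutes vs 86,400 seconds), expanding the router's `AES256_SHA1_G2` proposal label, and applying one IKEv1 rule the thread does not spell out: a DH group listed for Phase 2 means the peer expects Perfect Forward Secrecy in quick mode, so "Perfect Forward Secret: No" on the local side is a mismatch to confirm with the peer. It also flags the 255.255.255.255 remote mask as a single-host selector that must match the peer's Phase 2 definition. The field names, the `MISMATCH`/`REVIEW` labels and the unit table are this example's own assumptions, not DrayTek settings.

```python
import ipaddress

# Peer-supplied parameters, transcribed from the post into a constructed
# dict (this is not output from any device or from the DrayTek UI).
PEER_SPEC = {
    "phase1": {"enc": "AES-256", "hash": "SHA1", "group": "DH2",
               "lifetime": (1440, "minutes")},
    "phase2": {"enc": "AES-256", "hash": "SHA1", "group": "DH2",
               "lifetime": (3600, "seconds")},
}

# Local LAN-to-LAN settings as entered on the router (same caveat: the
# key names are this example's, chosen to mirror the form fields).
LOCAL_CONFIG = {
    "phase1_proposal": "AES256_SHA1_G2",
    "phase1_lifetime_s": 86400,
    "phase2_lifetime_s": 3600,
    "security_method": "AES With Authentication",
    "pfs": False,
    "remote_network_mask": "255.255.255.255",
}

# Assumed unit table so lifetimes given in different units compare equal.
UNIT_SECONDS = {"seconds": 1, "secs": 1, "minutes": 60, "mins": 60, "hours": 3600}


def to_seconds(value, unit):
    """Normalise a lifetime to seconds (1440 minutes -> 86400)."""
    return value * UNIT_SECONDS[unit.lower()]


def parse_proposal(name):
    """Split a label like AES256_SHA1_G2 into (enc, hash, group) using the
    peer's naming: AES-256 / SHA1 / DH2."""
    enc, hsh, grp = name.upper().split("_")
    if enc.startswith("AES") and len(enc) > 3:
        enc = "AES-" + enc[3:]          # AES256 -> AES-256
    grp = "DH" + grp.lstrip("G")        # G2 -> DH2
    return enc, hsh, grp


def check_tunnel(peer, local):
    """Compare peer spec with local config; return a list of findings.
    MISMATCH lines must be resolved before IKE phase 1/2 can agree;
    REVIEW lines are things to confirm with the peer's administrator."""
    findings = []
    p1, p2 = peer["phase1"], peer["phase2"]

    # Phase 1: algorithm triple from the proposal label.
    enc, hsh, grp = parse_proposal(local["phase1_proposal"])
    for label, want, have in (("encryption", p1["enc"], enc),
                              ("hash", p1["hash"], hsh),
                              ("DH group", p1["group"], grp)):
        status = "OK" if want == have else "MISMATCH"
        findings.append(f"{status}: phase 1 {label}: peer {want}, local {have}")

    # Lifetimes for both phases, compared in seconds.
    for phase, want, have in (
            ("1", to_seconds(*p1["lifetime"]), local["phase1_lifetime_s"]),
            ("2", to_seconds(*p2["lifetime"]), local["phase2_lifetime_s"])):
        status = "OK" if want == have else "MISMATCH"
        findings.append(f"{status}: phase {phase} lifetime: peer {want}s, local {have}s")

    # Phase 2 cipher: the router's method string only names the cipher family.
    if p2["enc"].startswith("AES") and "AES" in local["security_method"].upper():
        findings.append(f"OK: phase 2 encryption: peer {p2['enc']}, "
                        f"local '{local['security_method']}'")
    else:
        findings.append(f"MISMATCH: phase 2 encryption: peer {p2['enc']}, "
                        f"local '{local['security_method']}'")

    # IKEv1 rule: a DH group in phase 2 means the peer expects PFS.
    if p2.get("group") and not local["pfs"]:
        findings.append(f"MISMATCH: peer lists {p2['group']} for phase 2 (PFS), "
                        "local Perfect Forward Secret is No")
    elif not p2.get("group") and local["pfs"]:
        findings.append("MISMATCH: local PFS enabled but peer lists no phase 2 group")
    else:
        findings.append("OK: phase 2 PFS setting agrees with peer")

    # Selector sanity: a /32 remote network is a single host, not a subnet.
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{local['remote_network_mask']}").prefixlen
    if prefix == 32:
        findings.append("REVIEW: remote network mask /32 selects a single host; "
                        "confirm the peer's phase 2 selector is that host, not its subnet")
    return findings


def mismatches(findings):
    """Only the findings that block the tunnel from coming up."""
    return [f for f in findings if f.startswith("MISMATCH")]


if __name__ == "__main__":
    for line in check_tunnel(PEER_SPEC, LOCAL_CONFIG):
        print(line)
```

Run against the values from the post, every Phase 1 parameter and both lifetimes come back `OK`; the single `MISMATCH` is the PFS setting, and the /32 mask is listed for review. The same function can be reused for any peer's spec sheet by editing the two dicts, which is quicker than re-reading a form field by field each time a tunnel refuses to progress past the dial-out message.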