DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IKE_RELEASE VPN errors to Cisco ASA Lan to Lan

16 Jun 2020 10:07 #1 by marcusd
Hi,

I have 6 clients with DrayTek routers, mainly 2862n's. We're trying to use a VPN tunnel on them to dial in to a Cisco ASA cluster.
The tunnel is IKEv2, IPsec with AES-256 and SHA, 86400 phase 1 lifetime, 28800 phase 2, PFS enabled, virtual IP mapping used.

All tunnels are stopping working, with mainly IKE_RELEASE VPN errors being mailed to me. Some are at random times, but most failures seem to coincide with 8-hour periods, which just happens to be the 28,800 seconds chosen for the IKE Phase 2 key lifetime.

What seems to happen is the key expires and won't re-issue correctly to any Draytek on any site, with any ISP. The tunnel shows that it's still up, but nothing will ping through it until it's dropped and re-dialled.

We've tried setting the idle timeout to 0 and 300; ping to keep alive is disabled, although they run an application which polls the connection for new messages every 10 seconds, so idle timeout should not be an issue.

All have the latest firmware. Any ideas please folks?

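The poster's diagnosis rests on one observation: the IKE_RELEASE alerts arrive at intervals matching the 28,800-second Phase 2 lifetime, which points at a failed rekey rather than at idle timeouts or ISP drops. The script below is an added example (not DrayTek's code and not anything posted in this thread) that makes that check mechanical: it parses a batch of alert lines, computes the gap between consecutive errors per site, and reports how many gaps fall on a multiple of the configured lifetime. The log line format and the timestamps are constructed for illustration; the real e-mail alerts will need a different `parse_events`.

```python
from datetime import datetime

PHASE2_LIFETIME = 28800   # seconds; the Phase 2 key lifetime from the post
TOLERANCE = 300           # seconds of slack allowed around each rekey point

# Constructed sample alerts (not real DrayTek output): one site whose errors land
# every 8 hours, one site with a random drop followed by a rekey-time drop.
SAMPLE_LOG = """\
2020-06-15 02:01:14 site-a IKE_RELEASE VPN error
2020-06-15 10:01:20 site-a IKE_RELEASE VPN error
2020-06-15 13:37:05 site-b IKE_RELEASE VPN error
2020-06-15 16:12:40 site-b IKE_RELEASE VPN error
2020-06-15 18:01:33 site-a IKE_RELEASE VPN error
2020-06-16 00:12:51 site-b IKE_RELEASE VPN error
2020-06-16 02:01:40 site-a IKE_RELEASE VPN error
"""


def parse_events(text):
    """Return {site: [datetime, ...]} for every IKE_RELEASE line in the text."""
    events = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or "IKE_RELEASE" not in parts[3:]:
            continue  # skip blank lines and unrelated alerts
        date, clock, site = parts[0], parts[1], parts[2]
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.setdefault(site, []).append(stamp)
    return events


def near_lifetime_multiple(gap, lifetime=PHASE2_LIFETIME, tolerance=TOLERANCE):
    """True if the gap is within tolerance of k*lifetime for some k >= 1.

    A multiple is counted because a tunnel that survives one rekey and fails
    at the next still fails on the lifetime boundary.
    """
    if gap < lifetime - tolerance:
        return False
    remainder = gap % lifetime
    return min(remainder, lifetime - remainder) <= tolerance


def rekey_correlation(events, lifetime=PHASE2_LIFETIME, tolerance=TOLERANCE):
    """Per site, return (gaps_on_rekey_boundary, total_gaps)."""
    summary = {}
    for site, stamps in events.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits = sum(1 for g in gaps if near_lifetime_multiple(g, lifetime, tolerance))
        summary[site] = (hits, len(gaps))
    return summary


def likely_rekey_failures(summary, threshold=0.6):
    """Sites where most error gaps sit on the rekey boundary, sorted by name."""
    return sorted(
        site for site, (hits, total) in summary.items()
        if total and hits / total >= threshold
    )


if __name__ == "__main__":
    corr = rekey_correlation(parse_events(SAMPLE_LOG))
    for site, (hits, total) in sorted(corr.items()):
        print(f"{site}: {hits}/{total} error gaps on the {PHASE2_LIFETIME}s rekey boundary")
    print("likely rekey-related:", likely_rekey_failures(corr))
```

If the ASA side logs its own rekey attempts, running the same gap analysis over both logs and checking that the ASA's rekey timestamps line up with the router's IKE_RELEASE timestamps is the quickest way to confirm the Phase 2 rekey as the trigger before changing lifetimes or IKE versions.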

17 Jun 2020 08:43 #2 by marcusd
For anyone interested, the issue looks resolved by lowering IKE to v1 and reducing security to ESP, AES-256, SHA1, G2, 28,800, 28,800 and no PFS.

A shame really. We bought new routers to meet the IKEv2 standard and they're not capable of a stable connection with a Cisco ASA. We might as well have stuck with the original routers.
