In this article we look at 10 of the most common mistakes people make when setting up VPN connections, either to work remotely or to share network resources across multiple sites.

Remote workers usually use a dial-in VPN connection: they run VPN client software on their PC or handheld device to establish a connection to the VPN server at the head office, so they can access company resources.

Site-to-site VPN connections are known as LAN-to-LAN VPN connections; they allow all staff at one site to access the resources of a branch office over a single connection. Here the router at one site is set up as the VPN client and connects to the router at the remote site, which acts as the VPN server.

Dial-in VPN Connections

1: Trying to Connect to an Invalid IP Address

When setting up your VPN client on your PC, you will need to specify the destination IP address or domain name. This will need to point to a valid public IP address.

If the destination router is located behind a firewall or NAT device, as is the case for 3G/4G LTE connections, the router will be allocated a private IP address which cannot be reached directly from the Internet, even though DDNS shows a public IP address.

In the case where DDNS is configured to display the router's private WAN IP address, as shown in the image below, that address will not be reachable from the Internet, since private IP addresses are not routable on the public network, and a dial-in VPN client connection cannot be established.

2: Smart VPN app unable to reopen after the initial connection

In some circumstances the Smart VPN app does not reopen after it has been disconnected or the Internet connection drops out. To resolve this, do the following:

  • Click on “Show hidden icons” button (1)
  • Click on the SmartVPN icon (2)
  • Click on Connect (3)

The Smart VPN screen will now appear on the desktop.

3: SSL VPN username/password error

Sometimes when you use the Smart VPN client to connect to the VPN server, the message “Access denied because username and/or password is invalid” appears even though the password appears to match.

Solution: Ensure that your username and password match exactly, using the original upper- and lower-case characters. Both the username and the password are case sensitive.

In addition, the username cannot contain any of these special characters: ‘ ” \.

 

4: Unable to add dial-in user profiles in Vigor2960/3900

User profiles for dial-in VPN users on the Vigor3900 or Vigor2960 cannot be saved.

This is caused by invalid characters in the passwords of the user profiles.

DrayTek products use passwords for a variety of applications and there is some variation to be aware of between applications and models. Unless otherwise stated, the following characters are allowed:

a-z, A-Z, 0-9, : . – _ ^ \ / @ $ # % & ! ( ) { } [ ]

These characters are not allowed:

” ‘ , < > * + — (EM Dash)

Full details are in our application note:

https://faq.draytek.com.au/2020/07/08/password-requirements-for-draytek-devices/

 


LAN to LAN VPN Connections

5: Nord VPN Connectivity issues

Two common causes of NordVPN not connecting are password length and MTU size:

  1. Ensure the password length is less than 15 characters
  2. Check the WAN MTU size. The default value of 1500 is too large when using PPPoE authentication; try lowering the value to 1492 or less.

Tools for finding a suitable MTU size are described in the application note:

https://faq.draytek.com.au/2020/06/24/tools-available-to-detect-mtu-size/

 

You can also adjust the VPN MSS size via the telnet command “vpn mss”:

mss set <Type> <TCP maximum segment size range>

<Type> : 1->PPTP ; 2->L2TP ; 3->IPsec ; 4->L2TP over IPsec ; 5->GRE over IPsec ; 6->SSL Tunnel

<TCP maximum segment size range>:
  PPTP            : 1 ~ 1412
  L2TP            : 1 ~ 1408
  IPsec           : 1 ~ 1381
  L2TP over IPsec : 1 ~ 1361
  GRE over IPsec  : 1 ~ 1365
  SSL Tunnel      : 1 ~ 1360
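To make the ranges above concrete, here is an added Python example (not DrayTek's code and not taken from the router firmware) that encodes the per-type maximums from the help text, checks a requested size the way “mss set” must, and shows what an MSS clamp of the kind a router applies does to a TCP SYN: it rewrites the MSS option down to the tunnel maximum and recomputes the TCP checksum so the segment stays valid. The SYN packet, its addresses and its ports are constructed sample input.

```python
import socket
import struct

# Upper bound of <TCP maximum segment size range> for each <Type>, taken from
# the "mss set" help text quoted above.
VPN_MSS_MAX = {
    1: 1412,  # PPTP
    2: 1408,  # L2TP
    3: 1381,  # IPsec
    4: 1361,  # L2TP over IPsec
    5: 1365,  # GRE over IPsec
    6: 1360,  # SSL Tunnel
}


def mss_in_range(vpn_type, mss):
    """Same acceptance rule as 'mss set <Type> <size>': 1 <= size <= type maximum."""
    if vpn_type not in VPN_MSS_MAX:
        raise ValueError("unknown VPN type %r" % vpn_type)
    return 1 <= mss <= VPN_MSS_MAX[vpn_type]


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo_header(ip_hdr, tcp_len):
    # Source address, destination address, zero, protocol 6 (TCP), TCP length
    return struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0, 6, tcp_len)


def _mss_option_offset(tcp):
    """Index of the MSS option (kind 2, length 4) inside a TCP header, or None."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == 0:            # End of Option List
            return None
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= data_off:    # truncated option
            return None
        length = tcp[i + 1]
        if length < 2:           # malformed option: stop instead of looping forever
            return None
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed sample input: a minimal IPv4/TCP SYN carrying an MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)
    tcp_len = 20 + len(options)
    offset_byte = (tcp_len // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset_byte, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    tcp_csum = _checksum(_tcp_pseudo_header(ip, tcp_len) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    return ip + tcp


def read_mss(packet):
    """Return the MSS advertised in a TCP segment, or None if there is no MSS option."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pos = _mss_option_offset(tcp)
    return None if pos is None else struct.unpack("!H", tcp[pos + 2:pos + 4])[0]


def tcp_checksum_ok(packet):
    """True when the one's-complement sum over pseudo-header + segment is zero."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    return _checksum(_tcp_pseudo_header(packet[:ihl], len(tcp)) + tcp) == 0


def clamp_mss(packet, vpn_type):
    """Rewrite a SYN's MSS option so it never exceeds the tunnel type's maximum.

    Non-TCP packets, non-SYN segments, segments without an MSS option and
    segments already within the limit are returned unchanged; a rewritten
    segment gets its TCP checksum recomputed.
    """
    limit = VPN_MSS_MAX[vpn_type]
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:                     # not TCP
        return packet
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                 # SYN flag not set
        return packet
    pos = _mss_option_offset(tcp)
    if pos is None:
        return packet
    current = struct.unpack("!H", tcp[pos + 2:pos + 4])[0]
    if current <= limit:
        return packet
    tcp[pos + 2:pos + 4] = struct.pack("!H", limit)
    tcp[16:18] = b"\x00\x00"               # zero the checksum field before recomputing
    tcp[16:18] = struct.pack("!H", _checksum(_tcp_pseudo_header(packet[:ihl], len(tcp)) + bytes(tcp)))
    return packet[:ihl] + bytes(tcp)


if __name__ == "__main__":
    syn = build_syn("192.0.2.10", "198.51.100.20", 40000, 443, 1460)
    clamped = clamp_mss(syn, 3)
    print("MSS before: %d, after IPsec clamp: %d, checksum ok: %s"
          % (read_mss(syn), read_mss(clamped), tcp_checksum_ok(clamped)))
```

The clamp only ever lowers the advertised MSS, which is why setting a value within the tunnel's range on the router fixes connections that otherwise stall when full-size segments plus tunnel overhead exceed the WAN MTU.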

 

6: IPsec VPN not Always Connecting (Using Common Pre-Shared keys)

One common mistake when setting up multiple IPsec LAN-to-LAN VPN tunnels is using the same pre-shared key for every VPN profile. An incoming IPsec VPN connection uses the pre-shared key to authenticate the connection; if several profiles share the same pre-shared key, two or more incoming connections can contend for the same profile. This leads to unpredictable results, with some connections being dropped or failing to establish.

Solution: Use unique pre-shared keys for each VPN profile.
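As an added example (not DrayTek's code) covering the credential rules in sections 3, 4 and 6 together: a small Python helper that checks usernames and passwords against the character rules quoted above, compares credentials case-sensitively as the router does, and issues a distinct pre-shared key per LAN-to-LAN profile drawn only from the allowed character set. The ASCII hyphen “-” is assumed to be the dash shown in the allowed list, and the profile names and key lengths are made up for the demonstration.

```python
import secrets
import string

# Character rules quoted from the page: the set allowed for DrayTek passwords
# unless otherwise stated, and the characters the page says are rejected.
# Assumption: the dash in the page's allowed list is the ASCII hyphen "-".
ALLOWED_PASSWORD_CHARS = set(string.ascii_letters + string.digits + ":.-_^\\/@$#%&!(){}[]")
FORBIDDEN_PASSWORD_CHARS = set("\"',<>*+\u2014")   # " ' , < > * + and the em dash
FORBIDDEN_USERNAME_CHARS = set("'\"\\")             # from the SSL VPN username rule


def check_username(username):
    """Return the characters that make a Smart VPN / SSL VPN username invalid (empty if OK)."""
    return sorted(set(username) & FORBIDDEN_USERNAME_CHARS)


def check_password(password):
    """Return the characters a dial-in profile password uses outside the allowed set (empty if OK)."""
    return sorted(set(password) - ALLOWED_PASSWORD_CHARS)


def credentials_match(stored_user, stored_pw, given_user, given_pw):
    """Case-sensitive comparison, as the router does: no case folding at all.
    compare_digest avoids leaking the position of a mismatch through timing."""
    return (secrets.compare_digest(stored_user.encode(), given_user.encode())
            and secrets.compare_digest(stored_pw.encode(), given_pw.encode()))


def generate_psk(length=32):
    """Random pre-shared key drawn only from the allowed character set."""
    alphabet = sorted(ALLOWED_PASSWORD_CHARS)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assign_unique_psks(profile_names, length=32):
    """One distinct PSK per LAN-to-LAN profile, so no two tunnels ever share a key."""
    keys = {}
    used = set()
    for name in profile_names:
        psk = generate_psk(length)
        while psk in used:          # astronomically unlikely, but keep the guarantee explicit
            psk = generate_psk(length)
        used.add(psk)
        keys[name] = psk
    return keys


def psks_are_unique(profiles):
    """True when no two profiles in a {name: psk} mapping share a pre-shared key."""
    return len(set(profiles.values())) == len(profiles)


if __name__ == "__main__":
    print(check_password('Secret"Key'))                                 # ['"']
    print(check_username("bob\\smith"))                                 # ['\\']
    print(credentials_match("Alice", "Pa$$w0rd", "alice", "Pa$$w0rd"))  # False: case sensitive
    keys = assign_unique_psks(["HeadOffice-Branch1", "HeadOffice-Branch2"])  # constructed names
    print(psks_are_unique(keys), all(not check_password(k) for k in keys.values()))
```

Running check_password over a profile before saving it surfaces the exact character the router will reject, and generating the pre-shared keys from the allowed set means a key never fails to save for the reason described in section 4.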

 

7: Unable to set up VPN connections to a VPN server with a Private WAN IP Address

The VPN server (router) will need to have a public IP address for its WAN connection. Private IP addresses are not routable over the Internet, so the VPN client will not be able to find a path to the server. VPN clients with a private IP address can still make an outgoing VPN connection.

Private WAN IP addresses are usually encountered when the connection to the Internet is made over an LTE modem. However, some ISPs will provide a public IP address on request.

A solution when both the VPN server and VPN client have private IP addresses is to use the VPN Matcher service developed by DrayTek. More details are available in the application note:

https://www.draytek.com/support/knowledge-base/6124

 

8: Unable to set up more than 2 VPN connections on a Router

The VPN tunnel limit in DrayTek routers depends on the router model being used.

Routers including the Vigor21xx series, Vigor27xx series, Vigor2620L and Vigor LTE200 support only 2 concurrent VPN tunnels.

A common mistake is purchasing the wrong router model when more than 2 concurrent VPN tunnels are required.

Details of the number of VPN tunnels supported by each router model are available in the router comparison chart at: https://www.draytek.com.au/products/router-comparison-chart/

 

9: Explanation of LAN-to-LAN VPN Timeout Values

There is often some confusion about which values to use for the VPN profile Idle Timeout settings and what each value means. The settings include:

  • Always on
  • 0: Never drop VPN
  • Value greater than 0

Ideal settings for the VPN server and client are:

  • Server side (dial-in): set the timeout value to 0
  • Client side (dial-out): set the timeout value to “always on”

Using these settings, the server will never drop the VPN connection. If an event causes the VPN tunnel to drop, the client will always reconnect.

The VPN should be very stable.

This is explained in this knowledge base article: https://faq.draytek.com.au/2019/08/30/explanations-of-lan-to-lan-vpn-timeout-values/

 

10: Allow pass inbound fragmented large packets (Nord VPN)

Vigor routers can establish a VPN tunnel to NordVPN with IKEv2 EAP protocol. Refer to this article for more information.

https://www.draytek.com/support/knowledge-base/5371

It has been reported that the VPN tunnel to NordVPN cannot be established when “Allow pass inbound fragmented …” is disabled.

NordVPN sends large data packets of 2760 bytes, which need to be fragmented.

When “Allow pass inbound fragmented large packets (required for certain games and streaming)” is unchecked in Firewall General Setup, fragmented packets must be reassembled before they are processed. The largest packet a Vigor router can reassemble is 2282 bytes, so any larger packets (from NordVPN) will be dropped.

 

This issue can be checked by examining the router syslog for entries such as these:

"2019-09-02 09:00:23", "## IKEv2 DBG : Out CP : request new virtual ip "
"2019-09-02 09:00:35", "[IPSEC][L2L][1:NordVPN][@149.27.102.82] IKE link timeout: state linking"
"2019-09-02 09:00:35", "## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #138688"
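To turn that manual syslog check into something repeatable, here is an added Python example (not DrayTek's code) that parses lines in the “timestamp”, “message” form shown above and flags the signature described here: an IKEv2 virtual-IP request followed within a short window by an IKE link timeout for an L2L profile. The sample input embeds the three entries quoted above plus one constructed lone request that is not followed by a timeout; the 60-second window is an assumption chosen for the demonstration.

```python
import re
from datetime import datetime

# Page syslog format: "<timestamp>", "<message>" (the page renders the quotes typographically).
LINE_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",\s*"(.*)"\s*$')
# Profile name and peer address from an L2L IPsec entry, e.g. [IPSEC][L2L][1:NordVPN][@149.27.102.82]
L2L_RE = re.compile(r'\[IPSEC\]\[L2L\]\[\d+:([^\]]+)\]\[@([^\]]+)\]')

REQUEST_VIP = "Out CP : request new virtual ip"
LINK_TIMEOUT = "IKE link timeout: state linking"

# Constructed sample: the three entries quoted on the page plus one lone
# virtual-IP request (constructed) that is not followed by a timeout.
SAMPLE_SYSLOG = '''\
"2019-09-02 09:00:23", "## IKEv2 DBG : Out CP : request new virtual ip "
"2019-09-02 09:00:35", "[IPSEC][L2L][1:NordVPN][@149.27.102.82] IKE link timeout: state linking"
"2019-09-02 09:00:35", "## IKEv2 DBG : INFORMATIONAL OUT : Sending IKEv2 Delete IKE SA request, deleting #138688"
"2019-09-02 09:05:01", "## IKEv2 DBG : Out CP : request new virtual ip "
'''


def parse_syslog(text):
    """Yield (datetime, message) for each well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2).strip()


def detect_fragmentation_timeouts(text, window_seconds=60):
    """Flag a virtual-IP request that is followed, within the window, by an IKE
    link timeout for an L2L profile: the pattern seen when large NordVPN packets
    are dropped while the inbound fragmented-packet option is off."""
    findings = []
    pending = None          # timestamp of the most recent virtual-IP request
    for ts, msg in parse_syslog(text):
        if REQUEST_VIP in msg:
            pending = ts
            continue
        if LINK_TIMEOUT in msg and pending is not None:
            gap = (ts - pending).total_seconds()
            if gap <= window_seconds:
                m = L2L_RE.search(msg)
                findings.append({
                    "profile": m.group(1) if m else None,
                    "peer": m.group(2) if m else None,
                    "seconds": int(gap),
                    "at": ts.isoformat(sep=" "),
                })
            pending = None
    return findings


if __name__ == "__main__":
    for f in detect_fragmentation_timeouts(SAMPLE_SYSLOG):
        print("profile %(profile)s peer %(peer)s: link timeout %(seconds)ds after "
              "virtual IP request at %(at)s; check the inbound fragmented packets option" % f)
```

A hit names the profile and peer so the right tunnel's firewall setting can be checked; a request with no timeout inside the window (the last constructed line) produces no finding.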

 

To overcome this, select the option “Allow pass inbound fragmented large packets (required for certain games and streaming)” in the [Firewall] > [General Setup] page.

Hopefully your VPN problems will be fixed by one of these suggestions. If you still have issues, we are available every workday to support you at https://support.i-lan.com.au/portal/en/home .