A Broadband and ADSL forum. BroadbanterBanter

Replacing some Draytek 2900 routers

#1 | Peter | September 5th 11, 03:42 PM | posted to uk.telecom.broadband

I posted this on the seg.co.uk Draytek support site but as usual
nobody responds.

I run a couple of sites. Each one has a 2900Gi router. These are used
for normal internet access, with some port forwarding and some packet
filtering to allow SMTP email delivery only from a small number of
Messagelabs IPs. Both have WIFI enabled.

I also run an IPSEC VPN between them, which was an absolute pig to get
working but we finally did it by following some VPN appnotes on
seg.co.uk. This works most of the time but every so often it hangs and
the router has to be turned off and back on. It looks like a memory
leak or something like that. Curiously, to get it going again it is
the OUTgoing router (the one which dials-out the VPN) which needs to
be power cycled, not the receiving one. Encryption is 256 bit AES.

Both also support "teleworker" VPN remote access. This uses PPTP. I
could never get IPSEC working, and anyway it has to work over GPRS/3G
networks of which far from all support PPTP and none AFAICT support
(or work with) IPSEC. The dial-in is a winXP laptop, using the
built-in VPN feature. This VPN access has similar reliability issues.

To make the VPN stuff work properly, I have installed an SMS-triggered
box which can be used to power cycle the remote site!! This works
well, unsurprisingly, but seems a ridiculous solution.

The ADSL modems are a D-Link at one site and a Draytek one at the
other site.

The ISDN fallback dial-up feature is no longer used. We have an ISDN
PBX and had a special (3rd) number for the dial-up but this was lost a
while ago.

I have considered replacing these 2900s with Cisco boxes, which "just
work" but there is no way I would be able to maintain them. I used to
have some Cisco 803 ISDN routers and the config on those was so
complicated I never understood it, and nobody who did understand it
was around for very long. But I can "manage" the 2900s.

Ideally I would like the teleworker VPN to use HTTPS (port 443)
because that will work on any GPRS/3G network. I do appreciate however
there is no built-in windows support for SSH VPN so I would need some
client program which provides a network port under winXP, to enable
PC/Anywhere to work. OK, I know PCA is cr*p too, but it seems to work
most of the time, and has the features I want like nice file transfer.
The VPN features are solely for PCA use.

SEG do not reply to phone calls, which doesn't look good.

Can anybody recommend a way forward? I see Draytek have products like
the 2830 which can run two ADSL lines concurrently, or run ADSL with
3G backup. Otherwise it seems to do the same stuff, not a port 443 VPN
though.

But most of all, the 2900 does all we need - except for the hanging on
VPN operations so I want that completely fixed. We already have the
latest firmware in the 2900s.

Money is not an issue, within reason. I would happily pay 500 per box
which is 100% reliable.

The 2900s have various other bugs, around the anti-hacking features. I
don't recall the details but if you enabled e.g. the Teardrop attack
stuff, the thing just stopped working. Obviously they never tested
these.

The WIFI in the 2900s also contains some bugs which have come to light
only very recently. If an iPhone 4 or an iPad 2 (I don't have any other
iOS devices) connects to the router, it works for a bit and then the
data rate goes very very slow (1% of normal) and if the phone
disconnects it won't reconnect. The router has to be power cycled. I
can't say this is a defect in the 2900 however because these phones do
have subtle issues with WIFI, in the way they auto-switch between
GPRS/3G and WIFI and sometimes decide neither is available. But
basically the device crashes the WIFI subsystem in the router.

I would appreciate any tips. I would also pay (Sussex) somebody for
setting up an alternative. But it would have to be rock solid, and
maintainable by me via some sort of GUI.

For all I know, all Draytek routers have these bugs.
#2 | Andy Burns | September 5th 11, 03:59 PM | posted to uk.telecom.broadband

Peter wrote:
> I run a couple of sites. Each one has a 2900Gi router.
> I also run an IPSEC VPN between them, which was an absolute pig to get
> working
> Ideally I would like the teleworker VPN to use HTTPS (port 443)
> because that will work on any GPRS/3G network.
> Can anybody recommend a way forward?

openVPN can work over either UDP (preferred) or HTTPS (useful in cases
like yours). Client and server ends can be Linux or Windows; setup isn't
really kid gloves, but it's far from being a pig, and there are plenty of
guides out there.

Won't be ideal unless you have an always-on PC at each site.
#3 | Peter | September 5th 11, 04:06 PM | posted to uk.telecom.broadband


Andy Burns wrote:
> Peter wrote:
>> I run a couple of sites. Each one has a 2900Gi router.
>> I also run an IPSEC VPN between them, which was an absolute pig to get
>> working
>> Ideally I would like the teleworker VPN to use HTTPS (port 443)
>> because that will work on any GPRS/3G network.
>> Can anybody recommend a way forward?
>
> openVPN can work over either UDP (preferred) or HTTPS (useful in cases
> like yours). Client and server ends can be Linux or Windows; setup isn't
> really kid gloves, but it's far from being a pig, and there are plenty of
> guides out there.
>
> Won't be ideal unless you have an always-on PC at each site.


That's right. I have been aware of various 443 VPN solutions which
would work but all of them run on a unix server.

We actually do have a FreeBSD box at each site but I don't want to put
*anything* on there which isn't there already.

Basically they are just email server + backup, receiving emails from
Messagelabs and providing a POP box, with webmail. Prior to ML, they
used to run an increasingly complicated TMDA-based antispam system
which eventually got out of hand.

So for the VPN I want standalone boxes.
#4 | Mark Ingle | September 5th 11, 09:28 PM | posted to uk.telecom.broadband

Peter wrote:
> I have considered replacing these 2900s with Cisco boxes, which "just
> work" but there is no way I would be able to maintain them. I used to
> have some Cisco 803 ISDN routers and the config on those was so
> complicated I never understood it, and nobody who did understand it
> was around for very long. But I can "manage" the 2900s.

Doesn't really help you, but we had Draytek routers at work which were
on the whole reliable but did crash more often than one would have
liked. They were replaced with Cisco 1800 routers (with the ADSL module)
which have been much much much better (probably about ten times fewer
crashes!). In our case the service is managed so the routers are not
configured by us. Because of this, I've not been able to have a look at
the interface on the 1800 but on our other newer Cisco ASA devices, they
are much more user friendly with the web based config.
#5 | alexd | September 5th 11, 09:28 PM | posted to uk.telecom.broadband

Meanwhile, at the uk.telecom.broadband Job Justification Hearings, Peter
chose the tried and tested strategy of:

> I have considered replacing these 2900s with Cisco boxes, which "just
> work" but there is no way I would be able to maintain them.

The very fact you're posting this question here says to me that an IOS
router is /not/ a good fit for you.

> Money is not an issue, within reason. I would happily pay 500 per box
> which is 100% reliable.

I think you're being generous. About 250 will get you a Sonicwall TZ100
which supports SSL VPN [one session at a time, more added with licenses].
Ethernet interfaces only so you'll need to re-purpose your existing DSL
routers. The VPN client installer is stored on the firewall, which minimises the
faff of installing it. Supports up to four WANs, but not 3G, which is
available on the TZ200. Wireless N adds more cost to the firewall, but you
may find a discrete access point is cheaper and a better fit [ie if the
firewall's going in the big metal server cabinet, the wireless might not be
all that useful in there...] if you don't need clever wireless features like
limited wireless access for guests.

--
http://ale.cx/ (AIM:troffasky)
20:11:59 up 13 days, 23:46, 1 user, load average: 0.13, 0.13, 0.20
"People believe any quote they read on the internet
if it fits their preconceived notions." - Martin Luther King

#6 | The Natural Philosopher | September 5th 11, 09:44 PM | posted to uk.telecom.broadband

Mark Ingle wrote:
> Peter wrote:
>> I have considered replacing these 2900s with Cisco boxes, which "just
>> work" but there is no way I would be able to maintain them. I used to
>> have some Cisco 803 ISDN routers and the config on those was so
>> complicated I never understood it, and nobody who did understand it
>> was around for very long. But I can "manage" the 2900s.
>
> Doesn't really help you, but we had Draytek routers at work which were
> on the whole reliable but did crash more often than one would have
> liked. They were replaced with Cisco 1800 routers (with the ADSL module)
> which have been much much much better (probably about ten times fewer
> crashes!). In our case the service is managed so the routers are not
> configured by us. Because of this, I've not been able to have a look at
> the interface on the 1800 but on our other newer Cisco ASA devices, they
> are much more user friendly with the web based config.


I have never ever had a problem I couldn't solve on a Cisco. Eventually.
Sometimes with the help of the guy who wrote the software.


I would say that the pain of getting one to work is less than
supporting other makes that don't, if the money you spend on buying them
is not too much of an issue.

I would have nothing BUT Cisco if I could justify the cost.
#7 | Graham J | September 5th 11, 10:24 PM | posted to uk.telecom.broadband

Peter wrote:
> [snip - post #1 quoted in full]


Curious.

I've used all versions of Vigor routers since the 2600 and never had any
problems with setting up a VPN and getting reliable operation.

But:

1) Ideally, you must have a static IP address at both ends of the VPN.
Exceptions to this require some manual intervention.

2) Configure the routers so you have remote management. You must have a
static IP address at your management location to achieve this.

If ADSL sync fails or the PPP session gets stuck you will have to
manually reboot the remote router; but I've only seen this where
lightning strikes cause the local mains to twitch. But it has happened
with every ISP I've used and every router I've used, so in your
application this is why you need the SMS power resetter. Even that
isn't reliable - no phone operator I've talked to will guarantee the
(timely) delivery of an SMS message. Is it in fact the lack of internet
connection that causes your VPN to fail? You must distinguish between
the two.

3) Where possible I use the LAN-to-LAN option. Depending on the
application I might use dial-in/dial-out or both call directions. IPSec
tunnel only; this forces the IKE Pre-shared key. Security method =
High(ESP), AES with Authentication. I specify the remote network IP
range + mask and the local network IP (the local router itself) and
mask. RIP off. Route to remote subnet.

The VPN can be brought up by any network traffic for an IP address at
the other end. Where I want the VPN to be nailed-up I set it one-way
only and add the "always on" and "ping to keepalive" setting.

4) Given that I have a static address, if I have to connect to a client
with a dynamic address I set my router to dial-out only and equip the
remote client with a DDNS setting. At the client end his router is
configured as dial-in only. It follows that I can bring up the VPN but
he cannot.

You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.

The problem with this is that quite often network traffic is not enough
to bring up the VPN. I find it necessary to open a browser on the
management of the remote router - this is sufficient, don't even have to
log in - ping something on the remote network - then close the browser.

The LAN-to-LAN VPN is very sensitive to the transit time from one site
to another. If the ADSL or cable service is very congested the VPN will
drop. Changing to a professional ISP usually resolves this.

------------

I tried these settings with a satellite link (ping times over half a
second!) - total failure. However - use PPTP (simple username &
password, VJ compression, set remote site to dial-out and my management
site for dial-in, configure as always-on. If the satellite connection
fails (which it does, far more frequently than you would blame on power
failures at the remote site - a quarry in the middle of nowhere) the
remote router reconnects to mine as soon as the satellite link comes up.

Using this VPN is a different matter - it does require real patience -
but it saves a 50-mile trip to the site!

The DDNS presents a problem - the satellite IP address doesn't actually
change, but the supplier says it is dynamic. So the DDNS supplier sends
regular emails warning that the service hasn't been used, which have to
be responded to. Paying for a DDNS service would solve that.

------------

These LAN-to-LAN VPNs work from any model of Vigor router to any other,
provided that they have the current firmware.

When setting up a new VPN I have sometimes found it necessary to reboot
one or other router - not often enough to form a view as to which
actually resolves the problem.

If I can get a management connection to the router I can always get the
VPN up - even where the VPN is between sites A and B and I am at site C
- but as above, if the address (of A or B) is resolved through DDNS then
it may be necessary at C to open a browser on either router A or router B.

------------

How are your routers connected to the internet? You mentioned 3G/GPRS -
in my experience this won't work with IPSec, but (as with my satellite
link) might work with PPTP. There are 3G services which assign static
IP addresses.

My remote management is done either with VNC or Remote Desktop - or
simply with a browser where the remote device is a printer or the like
with a web management page. Telnet will also work - the beauty of the
LAN-to-LAN configuration is that it connects your LAN to the remote LAN,
so anything that would work locally will work to the remote site. All
devices must have the router set as the default gateway.

A Windows PC at one site connected to a Windows Domain Controller at
another site must have its DNS pointed to the DC. This is a potential
performance bottleneck and I haven't found a good solution to it ....

The remote LAN's IP address must of course be different to your local
one; and most older Vigor routers only support 32 concurrent LAN-LAN
profiles. I'm running out ....



--
Graham J
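The rules Graham J lists above (at least one end static or on DDNS, never both ends dynamic, a dial-out end needs a dial-in peer it can actually address, the remote LAN must differ from the local one, both ends on the same security method, and the 32-profile limit on older Vigors) can be written down as a checker that is run against a pair of profiles before anyone sits in a browser trying to bring the tunnel up. This is an added example and not Draytek code or anything from the thread; the `Site` model, its field names and the addresses in it are assumptions for illustration.

```python
"""Sanity checks for a pair of LAN-to-LAN VPN profiles, encoding the rules
from the post above. Added example, not Draytek code; the Site model and
the sample addresses (RFC 5737 documentation ranges) are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_PROFILES = 32  # per-router LAN-to-LAN profile limit quoted in the post


@dataclass
class Site:
    name: str
    lan: str                              # this site's LAN, CIDR form
    wan_addr: Optional[str] = None        # static public IP, None if dynamic
    ddns_name: Optional[str] = None       # DDNS hostname if the IP is dynamic
    dial_out: bool = False                # this end initiates the tunnel
    dial_in: bool = False                 # this end accepts the tunnel
    security: str = "IPSec tunnel, ESP AES + auth, IKE PSK"
    profiles_in_use: int = 0              # LAN-to-LAN profiles already defined

    def dialable_address(self) -> Optional[str]:
        """What the other end can dial: a static IP or a DDNS name."""
        return self.wan_addr or self.ddns_name


def check_lan_to_lan(a: Site, b: Site) -> List[str]:
    """Return a list of problems; an empty list means the pair looks sane."""
    problems: List[str] = []

    # Both ends dynamic with no DDNS: neither side can find the other.
    if not a.dialable_address() and not b.dialable_address():
        problems.append("both ends have dynamic addresses and no DDNS name")

    # Each dial-out end needs an address to dial and a peer set to dial-in.
    for src, dst in ((a, b), (b, a)):
        if src.dial_out and not dst.dialable_address():
            problems.append(f"{src.name} dials out but {dst.name} has no "
                            "static IP or DDNS name to dial")
        if src.dial_out and not dst.dial_in:
            problems.append(f"{src.name} dials out but {dst.name} is not "
                            "configured for dial-in")
    if not (a.dial_out or b.dial_out):
        problems.append("neither end dials out, so the tunnel is never brought up")

    # The remote LAN must differ from (not overlap) the local one.
    net_a = ipaddress.ip_network(a.lan, strict=False)
    net_b = ipaddress.ip_network(b.lan, strict=False)
    if net_a.overlaps(net_b):
        problems.append(f"LAN subnets overlap: {net_a} and {net_b}")

    # Both profiles must agree on the security method.
    if a.security != b.security:
        problems.append(f"security method mismatch: {a.security!r} vs {b.security!r}")

    # Older Vigor routers run out at 32 profiles.
    for site in (a, b):
        if site.profiles_in_use >= MAX_PROFILES:
            problems.append(f"{site.name} already holds {MAX_PROFILES} profiles")

    return problems


if __name__ == "__main__":
    # Point 4 of the post: static end dials out to a DDNS end set to dial-in.
    head_office = Site("HeadOffice", "192.168.1.0/24", wan_addr="203.0.113.10",
                       dial_out=True)
    client = Site("Client", "192.168.2.0/24",
                  ddns_name="client.example-ddns.invalid", dial_in=True)
    for problem in check_lan_to_lan(head_office, client) or ["no problems found"]:
        print(problem)
```

The overlap test uses `ipaddress.overlaps()` rather than a plain inequality because two subnets that are merely different strings (192.168.1.0/24 and 192.168.1.128/25) still cannot be routed against each other.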

#8 | Graham J | September 5th 11, 10:33 PM | posted to uk.telecom.broadband


Graham J wrote:
> [snip]

One other point:

At one end of the VPN I try to have an always-on computer which
regularly pings the other router to confirm that the VPN is up - and
emails me if it isn't. Checking once per hour is usually good enough to
allow me to forestall complaints from the customer, but your
circumstances might vary.

--
Graham J
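One way to build the watchdog Graham J describes in this post, and at the same time answer the question from his earlier post (is it the internet connection or the VPN that has failed?): probe the remote router's public WAN address, which answers without the tunnel, and its LAN-side address, which only answers through the tunnel, and mail only when the state changes. This is an added example, not Draytek code or anything from the thread; the addresses, the mail settings and the `ping` flags (Linux `ping -c/-W`) are assumptions.

```python
"""Hourly VPN watchdog: ping the far end, email on failure, and tell
'internet down' apart from 'VPN down'. Added example, not Draytek code;
addresses and mail settings below are constructed placeholders."""
import smtplib
import subprocess
from email.message import EmailMessage
from typing import Callable, Optional, Set

REMOTE_WAN = "203.0.113.10"              # constructed: remote router's public address
REMOTE_LAN = "192.168.2.1"               # constructed: remote router's LAN address, via VPN
ALERT_TO = "admin@example.invalid"       # constructed
ALERT_FROM = "watchdog@example.invalid"  # constructed

Probe = Callable[[str], bool]


def ping(host: str, timeout_s: int = 3) -> bool:
    """Real probe: one ICMP echo via the system ping command (Linux flags assumed)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def classify(probe: Probe, wan: str = REMOTE_WAN, lan: str = REMOTE_LAN) -> str:
    """Return 'up', 'vpn-down' or 'internet-down' for the remote site."""
    if probe(lan):
        return "up"              # the tunnel carries traffic
    if probe(wan):
        return "vpn-down"        # router answers from outside, tunnel does not
    return "internet-down"       # ADSL sync/PPP/power problem: nothing answers


def build_alert(state: str) -> EmailMessage:
    """Compose the alert mail for a state change (not sent here)."""
    advice = {
        "vpn-down": "Remote router is reachable; re-establish the VPN before power-cycling.",
        "internet-down": "Remote router unreachable; check ADSL sync/PPP or use the SMS power reset.",
        "up": "Remote site reachable through the VPN again.",
    }[state]
    msg = EmailMessage()
    msg["Subject"] = f"[vpn-watchdog] remote site state: {state}"
    msg["From"] = ALERT_FROM
    msg["To"] = ALERT_TO
    msg.set_content(advice)
    return msg


def send_alert(msg: EmailMessage, smtp_host: str = "mail.example.invalid") -> None:
    """Hand the alert to the local mail server (placeholder host)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


class Watchdog:
    """Alerts only on state change, so a long outage is one mail, not one per hour."""

    def __init__(self) -> None:
        self.state = "up"

    def run_once(self, probe: Probe) -> Optional[EmailMessage]:
        new_state = classify(probe)
        if new_state == self.state:
            return None
        self.state = new_state
        return build_alert(new_state)


def fake_probe(reachable: Set[str]) -> Probe:
    """Offline stand-in for ping: hosts in the set answer, others do not."""
    return lambda host: host in reachable


if __name__ == "__main__":
    # Offline demo of the state machine; in production call run_once(ping)
    # from cron once an hour and pass any returned message to send_alert().
    wd = Watchdog()
    for reachable in ({REMOTE_WAN, REMOTE_LAN}, {REMOTE_WAN}, set(),
                      {REMOTE_WAN, REMOTE_LAN}):
        alert = wd.run_once(fake_probe(reachable))
        print(alert["Subject"] if alert else "no change")
```

The two-address probe is what makes the alert actionable: "vpn-down" means the remote router is still on the net and a management session or a browser hit on it may bring the tunnel back, while "internet-down" is the case for the SMS-triggered power cycle, or simply waiting for sync to return.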
#9 | Peter | September 5th 11, 11:49 PM | posted to uk.telecom.broadband


Graham J wrote:

Many thanks for your comments everyone.

> Curious.
>
> I've used all versions of Vigor routers since the 2600 and never had any
> problems with setting up a VPN and getting reliable operation.
>
> But:
>
> 1) Ideally, you must have a static IP address at both ends of the VPN.
> Exceptions to this require some manual intervention.

Have that.

> 2) Configure the routers so you have remote management. You must have a
> static IP address at your management location to achieve this.

The routers have external admin ports but they are disabled. One can
access the router config only from one of the PCs on the internal LAN;
I am happy with that.

Oddly enough, the 2900 still responds to port 443 packets on its admin
port, even when remote management is disabled, facilitating dictionary
attacks (which get nowhere but "somebody" out there keeps running
them). One way around this we found is to port-forward port 443
packets to an internal IP which has nothing listening on it. Draytek
never fixed this, despite it having been reported.

> If ADSL sync fails or the PPP session gets stuck you will have to
> manually reboot the remote router; but I've only seen this where
> lightning strikes cause the local mains to twitch. But it has happened
> with every ISP I've used and every router I've used, so in your
> application this is why you need the SMS power resetter. Even that
> isn't reliable - no phone operator I've talked to will guarantee the
> (timely) delivery of an SMS message. Is it in fact the lack of internet
> connection that causes your VPN to fail? You must distinguish between
> the two.

I am aware that if the ADSL is interrupted then the router may need
resetting, and that alone is a good reason for the SMS-triggered
remote power cycle facility, but I am sure this is not the cause of
the vast majority of the very regular router crashes during VPN usage.

> 3) Where possible I use the LAN-to-LAN option. Depending on the
> application I might use dial-in/dial-out or both call directions. IPSec
> tunnel only; this forces the IKE Pre-shared key. Security method =
> High(ESP), AES with Authentication. I specify the remote network IP
> range + mask and the local network IP (the local router itself) and
> mask. RIP off. Route to remote subnet.

I think this is what I have, though the config was opaque to me.

> The VPN can be brought up by any network traffic for an IP address at
> the other end. Where I want the VPN to be nailed-up I set it one-way
> only and add the "always on" and "ping to keepalive" setting.

The VPN sets up in a few secs so I am not keeping it alive.

> 4) Given that I have a static address, if I have to connect to a client
> with a dynamic address I set my router to dial-out only and equip the
> remote client with a DDNS setting. At the client end his router is
> configured as dial-in only. It follows that I can bring up the VPN but
> he cannot.
>
> You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.
>
> The problem with this is that quite often network traffic is not enough
> to bring up the VPN. I find it necessary to open a browser on the
> management of the remote router - this is sufficient, don't even have to
> log in - ping something on the remote network - then close the browser.
>
> The LAN-to-LAN VPN is very sensitive to the transit time from one site
> to another. If the ADSL or cable service is very congested the VPN will
> drop. Changing to a professional ISP usually resolves this.

Interesting. I wonder if that's it. One is Eclipse and the other is
ZEN. ZEN is the better of the two but I can't have the same ISP for
both locations. But both ADSL services come off the same (rural)
exchange; the sites are only 2 miles apart.

> ------------
>
> I tried these settings with a satellite link (ping times over half a
> second!) - total failure. However - use PPTP (simple username &
> password, VJ compression, set remote site to dial-out and my management
> site for dial-in, configure as always-on. If the satellite connection
> fails (which it does, far more frequently than you would blame on power
> failures at the remote site - a quarry in the middle of nowhere) the
> remote router reconnects to mine as soon as the satellite link comes up.
>
> Using this VPN is a different matter - it does require real patience -
> but it saves a 50-mile trip to the site!
>
> The DDNS presents a problem - the satellite IP address doesn't actually
> change, but the supplier says it is dynamic. So the DDNS supplier sends
> regular emails warning that the service hasn't been used, which have to
> be responded to. Paying for a DDNS service would solve that.
>
> ------------
>
> These LAN-to-LAN VPNs work from any model of Vigor router to any other,
> provided that they have the current firmware.
>
> When setting up a new VPN I have sometimes found it necessary to reboot
> one or other router - not often enough to form a view as to which
> actually resolves the problem.
>
> If I can get a management connection to the router I can always get the
> VPN up - even where the VPN is between sites A and B and I am at site C
> - but as above, if the address (of A or B) is resolved through DDNS then
> it may be necessary at C to open a browser on either router A or router B.
>
> ------------
>
> How are your routers connected to the internet? You mentioned 3G/GPRS -
> in my experience this won't work with IPSec, but (as with my satellite
> link) might work with PPTP. There are 3G services which assign static
> IP addresses.

One has a D-link something-300 modem (now quite old but once very
popular) and the other has a Draytek Vigor 120, but used to have a
D-link before that.

I am not using 3G fallback at all at present.

> My remote management is done either with VNC or Remote Desktop - or
> simply with a browser where the remote device is a printer or the like
> with a web management page. Telnet will also work - the beauty of the
> LAN-to-LAN configuration is that it connects your LAN to the remote LAN,
> so anything that would work locally will work to the remote site. All
> devices must have the router set as the default gateway.
>
> A Windows PC at one site connected to a Windows Domain Controller at
> another site must have its DNS pointed to the DC. This is a potential
> performance bottleneck and I haven't found a good solution to it ....
>
> The remote LAN's IP address must of course be different to your local
> one; and most older Vigor routers only support 32 concurrent LAN-LAN
> profiles. I'm running out ....

I think none of this is an issue, but the VPN crashing (and the WIFI
crashing with Apple clients) remain.

Good point in another post about using a separate WIFI AP... I have a
WRT54GC at home, used this way. One can also set up port range
blocking in that, and blocking ports 138 etc stops windoze networking
working which can be very handy because visitors can use the WIFI but
can't even see your PCs.
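Peter's observation in this post, that the 2900 keeps answering on port 443 with remote management off and that "somebody" keeps running dictionary attacks against it, is the kind of thing worth seeing in the router's logs rather than discovering by accident. The following added example (not Draytek code or anything from the thread) runs a sliding-window count of failed admin logins per source address over syslog lines; the log line format, the admin port list and the sample lines are constructed for illustration and are not the router's real format.

```python
"""Flag sources hammering a router's management ports with failed logins.
Added example, not Draytek code. The log format is constructed: a real
deployment would adapt LOG_RE to whatever the router's syslog emits."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Tuple

# Constructed format: "<ISO timestamp> <host> login failed user=<u> from <ip> port <p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login failed user=\S+ from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)$"
)
ADMIN_PORTS = {443, 80, 23, 22}   # assumed management ports: HTTPS, HTTP, telnet, SSH

# Constructed sample log: one outside address retrying on 443, one LAN host
# mistyping twice, and one attempt on a port that is not a management port.
SAMPLE_LOG = """\
2011-09-05T22:14:01 vigor login failed user=admin from 198.51.100.77 port 443
2011-09-05T22:14:03 vigor login failed user=admin from 198.51.100.77 port 443
2011-09-05T22:14:05 vigor login failed user=root from 198.51.100.77 port 443
2011-09-05T22:14:08 vigor login failed user=admin from 192.168.1.20 port 443
2011-09-05T22:14:09 vigor login failed user=admin from 198.51.100.77 port 443
2011-09-05T22:14:12 vigor login failed user=guest from 198.51.100.77 port 443
2011-09-05T22:14:15 vigor login failed user=admin from 198.51.100.77 port 443
2011-09-05T22:20:00 vigor login failed user=admin from 203.0.113.5 port 8080
2011-09-05T22:31:00 vigor login failed user=admin from 192.168.1.20 port 443
"""


def detect_dictionary_attacks(lines: Iterable[str], threshold: int = 5,
                              window: timedelta = timedelta(minutes=5)
                              ) -> Dict[str, Tuple[int, datetime]]:
    """Return {source_ip: (peak failures within one window, time the
    threshold was first crossed)} for sources with >= threshold failed
    admin-port logins inside `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, datetime]] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m["port"]) not in ADMIN_PORTS:
            continue                      # unparseable, or not a management port
        ts = datetime.fromisoformat(m["ts"])
        hits = recent[m["src"]]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()                # forget failures older than the window
        if len(hits) >= threshold:
            prev = flagged.get(m["src"])
            flagged[m["src"]] = (max(len(hits), prev[0]) if prev else len(hits),
                                 prev[1] if prev else ts)
    return flagged


if __name__ == "__main__":
    for src, (count, when) in detect_dictionary_attacks(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed admin logins in 5 min, first flagged {when:%H:%M:%S}")
```

The detector only tells you the port is being attacked; the mitigation is what the post already describes (keep the WAN-side admin service unreachable, here by forwarding 443 to an address with nothing listening) or a firewall rule that admits management traffic only from the static address Graham J suggests. Legitimate operators mistyping a password, like the LAN host above, fall out of the window before they reach the threshold.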
#10 | Graham J | September 6th 11, 10:11 AM | posted to uk.telecom.broadband

Peter wrote:
> Graham J wrote:
>
> Many thanks for your comments everyone.
>
>> Curious.
>>
>> I've used all versions of Vigor routers since the 2600 and never had any
>> problems with setting up a VPN and getting reliable operation.
>>
>> But:
>>
>> 1) Ideally, you must have a static IP address at both ends of the VPN.
>> Exceptions to this require some manual intervention.
>
> Have that.
>
>> 2) Configure the routers so you have remote management. You must have a
>> static IP address at your management location to achieve this.
>
> The routers have external admin ports but they are disabled. One can
> access the router config only from one of the PCs on the internal LAN;
> I am happy with that.

Why do you do this? Remote admin from a static IP address would seem to
be secure enough ...

> Oddly enough, the 2900 still responds to port 443 packets on its admin
> port, even when remote management is disabled, facilitating dictionary
> attacks (which get nowhere but "somebody" out there keeps running
> them). One way around this we found is to port-forward port 443
> packets to an internal IP which has nothing listening on it. Draytek
> never fixed this, despite it having been reported.
>
>> If ADSL sync fails or the PPP session gets stuck you will have to
>> manually reboot the remote router; but I've only seen this where
>> lightning strikes cause the local mains to twitch. But it has happened
>> with every ISP I've used and every router I've used, so in your
>> application this is why you need the SMS power resetter. Even that
>> isn't reliable - no phone operator I've talked to will guarantee the
>> (timely) delivery of an SMS message. Is it in fact the lack of internet
>> connection that causes your VPN to fail? You must distinguish between
>> the two.
>
> I am aware that if the ADSL is interrupted then the router may need
> resetting, and that alone is a good reason for the SMS-triggered
> remote power cycle facility, but I am sure this is not the cause of
> the vast majority of the very regular router crashes during VPN usage.

Why are you sure? Without either being at the site or having remote
management access you don't know. You should be able to demonstrate
that the ADSL connection is good before worrying about the VPN ...

>> 3) Where possible I use the LAN-to-LAN option. Depending on the
>> application I might use dial-in/dial-out or both call directions. IPSec
>> tunnel only; this forces the IKE Pre-shared key. Security method =
>> High(ESP), AES with Authentication. I specify the remote network IP
>> range + mask and the local network IP (the local router itself) and
>> mask. RIP off. Route to remote subnet.
>
> I think this is what I have, though the config was opaque to me.
>
>> The VPN can be brought up by any network traffic for an IP address at
>> the other end. Where I want the VPN to be nailed-up I set it one-way
>> only and add the "always on" and "ping to keepalive" setting.
>
> The VPN sets up in a few secs so I am not keeping it alive.
>
>> 4) Given that I have a static address, if I have to connect to a client
>> with a dynamic address I set my router to dial-out only and equip the
>> remote client with a DDNS setting. At the client end his router is
>> configured as dial-in only. It follows that I can bring up the VPN but
>> he cannot.
>>
>> You cannot make a LAN-to-LAN VPN if both ends have dynamic addresses.
>>
>> The problem with this is that quite often network traffic is not enough
>> to bring up the VPN. I find it necessary to open a browser on the
>> management of the remote router - this is sufficient, don't even have to
>> log in - ping something on the remote network - then close the browser.
>>
>> The LAN-to-LAN VPN is very sensitive to the transit time from one site
>> to another. If the ADSL or cable service is very congested the VPN will
>> drop. Changing to a professional ISP usually resolves this.
>
> Interesting. I wonder if that's it. One is Eclipse and the other is
> ZEN. ZEN is the better of the two but I can't have the same ISP for
> both locations. But both ADSL services come off the same (rural)
> exchange; the sites are only 2 miles apart.

Why can't you have the same ISP at both locations?

If they are on the same exchange, have you thought about a LES10 or
similar link between the two sites? Do they actually need an internet
connection? See for example:

http://www.westlake.co.uk/SHDS_LES10_LES100_LES1000.htm

[snip]

> Good point in another post about using a separate WIFI AP... I have a
> WRT54GC at home, used this way. One can also set up port range
> blocking in that, and blocking ports 138 etc stops windoze networking
> working which can be very handy because visitors can use the WIFI but
> can't even see your PCs.

I try never to use wireless - I don't see it as a professional solution
to a business problem.

Having said that I do support two separate point-to-point wireless links
each over about 2km, using Tranzeo kit. In each case the internet end
has a static IP address and remote management of a Vigor router, so I
monitor the state of the wireless link on a once-a-minute basis. So far
every failure I've seen in about 5 years has been when the mains power
has been cut.

--
Graham J
 



