Draytek IPsec VPN tunnel

Posted on 2010-11-25
Medium Priority
Last Modified: 2012-05-10
I have the following problem, and would like to know if anybody can point me in the right direction to get a solution for this.

I have a Draytek 2820 Vigor modem/router that I use as a VPN gateway to a LAN that consists of a Windows 2008 R2 server which is a DC, a file server, and the DNS and DHCP server. The rest of the LAN is a couple of PCs that are part of the domain. All the other users, some 10 laptops, are very mobile and are not part of the domain, as these are usually personal laptops. They connect to the network once they are in the office, and there is no problem accessing shares on the file server, as the DNS server IP address is given to each laptop as it connects.

The problem arises when these mobile users connect via the Draytek Smart VPN client (Ver If the user connects via the "IPsec Tunnel" option, I can ping the file server, or any other PC on the LAN, but I cannot actually connect to the share via its name (or to any PC via its name). Basically the client does not know about the LAN's DNS server.

Is there some way to let the client connected via the VPN IPsec Tunnel know the IP of the LAN's DNS server so that the client can resolve the share names? The only way around it I have found, which is quite cumbersome, is to map all the shares in the HOSTS file, but I would rather not do that.

The reason I do not want to use the PPTP option is that I do not want to know the users' passwords for the VPN connections.

Another problem that I have found with the Draytek Smart VPN Client (sVPNc) is that even if you put in wrong credentials and IP address (while connecting as IPsec Tunnel), the client will tell you that it is connected even though there is no connection (you might not even have internet access and the sVPNc will happily tell you that you are connected). Not very useful for the clients, as they believe they are connected but cannot access anything, as obviously there is no connection whatsoever.

Thank you
Question by:ian-pearce

Expert Comment

ID: 34216759
You cannot configure remote DNS settings in the Draytek VPN software. However you can do so with the native Windows VPN client.
When using the Draytek Smart VPN it creates another dial-up connection. Take a look in Network Connections.
You can then modify this connection in the Networking tab to include specific DNS settings.

Failing that, go to the LAN settings on the Draytek and check that the DNS servers there are pointing to your internal servers.

If none of the above works you could always use a HOSTS file or a simple batch file that does the following for each server:

nbtstat -a serverip

This will request the NetBIOS name table from each server it is run for. It will take a minute to run if you have a few IPs.

If the above isn't good enough (with having to run scripts) you could enable DHCP relay (LAN settings on the Draytek) to your internal server and get the VPN clients to use PPTP or L2TP; they will then pick up DNS automatically from the DHCP server.
Hope all this helps.

Expert Comment

ID: 34216840
Sorry, I didn't see the bit about the PPTP password. (My eyes read one thing and my brain saw something else.)

If you are concerned about users connecting from other machines etc. after using a simple tool to get their PPTP password, you could always set up peer IDs and certificates etc. If you install the certificate in a non-exportable format onto their PC they couldn't 'tinkle' with anything.

Author Comment

ID: 34227589
Thanks for your input.
I have gone through those documents already; unfortunately they do not solve my problem as they describe LAN-to-LAN configuration.
I am not using a LAN-to-LAN VPN (I do not have a Draytek on both sides, and sometimes the client is not even on a fixed LAN, he just uses a USB modem to connect). Thus I need to use the Smart VPN client.

Thanks for your explanations.
Unfortunately, when you use the VPN tunnel there is no dial-up connection that can be modified by Windows; the tunnel goes out over the existing network adapter, and it cannot be modified from Network Connections. The Draytek dial-up connection is only available when using PPTP or L2TP connections.

"Failing that go to the lan settings on the draytek and check the dns servers there are pointing to your internal servers"

Not sure what you mean by this, as the IP of the client that connects via the VPN tunnel changes depending on where he is connecting from.

Yes, as I have said in my original post, a HOSTS file is the only workable solution that I have found so far.
I am not sure how to integrate the HOSTS file and the nbtstat -a serverip command; I am editing the HOSTS files manually. If there is a batch file way to do it, I would be grateful for a script.

I think I will have to look at the certificate way. I had never done anything with certificates before, but I guess there is always a first time.


Assisted Solution

q2q earned 2000 total points
ID: 34228902
Sorry, my script work is not great, so the only way around that would be to do a large batch file that runs when the user connects.
The file would just need a line for every server the users need the name for.
getname.bat would be (one line per server; the IP addresses are placeholders to fill in):
nbtstat -a <server1-ip>
nbtstat -a <server2-ip>
nbtstat -a <server3-ip>

Then, if the users are occasionally on site, you could make a login script that copies it to the user's C drive and updates it when you get new servers etc.
If they are not on site they could have a shortcut to the script using an IP address that they run to get the name; as it's a simple text file it shouldn't take too long.

rem keep the previous copy as getname.old, then fetch the current one from the share
del getname.old
rename getname.bat getname.old
net use z: \\server\share\
copy z:\getname.bat c:\getname.bat
net use z: /delete

Not glamorous, but it's a reasonable workaround. Sorry I couldn't be more help on the VPN side.

Accepted Solution

ian-pearce earned 0 total points
ID: 34234655
Thanks for the additional input.

This is what I got from Draytek support:

With a remote dial-in PPTP VPN connection, the VPN client will be assigned a DNS address as well as a local private address by the VPN server. But with a remote dial-in IPSec VPN connection, the VPN client will not be assigned any IP address by the VPN server. So you have to manually assign the "local" DNS server IP address to the VPN client.

When you see the status "connected" shown in the Smart VPN client, the VPN connection hasn't really been connected. In fact, when you press the "Active" button, only one action is performed: the VPN profile is applied to the Windows IPSec policy.
No VPN message is exchanged between the VPN client and the VPN router at that time. You should issue a ping to one IP address of the remote VPN network to initiate the IPSec VPN connection.

So I guess there is no easy solution.
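The two findings in this thread, that the Smart VPN client reports "connected" before any IPsec traffic has been negotiated, and that an IPsec Tunnel client is handed no DNS server and so has to carry its own name-to-IP mapping, can be handled together on the client. The script below is an added example and is not code from the thread, from Draytek, or from the Smart VPN client. It assumes the LAN servers are FILESERVER at 192.168.1.10 and DC01 at 192.168.1.5 (constructed sample values, not the asker's addresses), it must be run from an elevated PowerShell because it writes the system HOSTS file, and it uses the "ping a LAN address to bring the tunnel up" behaviour that Draytek support described above:

```powershell
# Added example (not from the thread): verify that a Smart VPN "IPsec Tunnel"
# is really carrying traffic, then make the LAN's server names resolvable on
# the client by maintaining a tagged block of HOSTS entries and pre-loading
# the NetBIOS name cache with nbtstat -a, as suggested earlier in the thread.
# Server names and addresses below are constructed sample values.

$LanServers = @{
    'FILESERVER' = '192.168.1.10'
    'DC01'       = '192.168.1.5'
}
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# managed-by-vpn-script'   # tag so only our own lines are rewritten

# The client shows "connected" as soon as the IPsec policy is applied; the
# tunnel is negotiated only when traffic is sent. Pinging a LAN address both
# triggers the negotiation and proves the tunnel is actually up.
function Test-VpnTunnel {
    param([string]$ProbeAddress)
    # Retry a few times: the first packets are consumed by the IKE exchange.
    for ($i = 0; $i -lt 5; $i++) {
        if (Test-Connection -ComputerName $ProbeAddress -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            return $true
        }
        Start-Sleep -Seconds 2
    }
    return $false
}

# Rewrite only the lines carrying $Tag, leaving manual HOSTS entries alone,
# so the script is safe to run at every connection.
function Update-HostsEntries {
    param([hashtable]$Servers, [string]$Path, [string]$Tag)
    $existing = @()
    if (Test-Path $Path) {
        $existing = @(Get-Content -Path $Path | Where-Object { $_ -notmatch [regex]::Escape($Tag) })
    }
    $managed = @(foreach ($name in ($Servers.Keys | Sort-Object)) {
        '{0,-16} {1} {2}' -f $Servers[$name], $name, $Tag
    })
    Set-Content -Path $Path -Value ($existing + $managed) -Encoding ASCII
    return $managed.Count
}

# nbtstat -a <ip> queries the server's NetBIOS name table and caches it
# locally, which covers \\NAME access that does not go through DNS.
function Register-NetBiosNames {
    param([hashtable]$Servers)
    foreach ($ip in $Servers.Values) {
        & nbtstat.exe -a $ip | Out-Null
    }
}

$probe = $LanServers['DC01']
if (-not (Test-VpnTunnel -ProbeAddress $probe)) {
    Write-Warning "Smart VPN reports 'connected' but $probe is unreachable: the IPsec tunnel is not up."
    exit 1
}
$count = Update-HostsEntries -Servers $LanServers -Path $HostsPath -Tag $Marker
Register-NetBiosNames -Servers $LanServers
Write-Host "Tunnel to $probe verified; $count HOSTS entries written to $HostsPath."
```

The probe-then-update order matters: if the HOSTS entries were written first, a user whose tunnel never came up would still see the names resolve and get a misleading "network path not found" rather than a clear message that the VPN is down. Keeping the managed entries tagged means the server list can be changed centrally and pushed out with the same copy step the batch file above uses, without clobbering anything the user added to HOSTS by hand.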


Expert Comment

ID: 34236861
That's a shame. Well, there isn't an answer for everything.

Author Closing Comment

ID: 34387603
Did not really solve the problem, as there is no solution.
