Can a DrayTek router run site-to-site VPN alongside L2TP passthrough to a Win 2012 Server?

bluemercury
I've just bought a DrayTek Vigor2620Ln (ADSL/VDSL router/firewall with backup WAN port and 4G LTE modem built in - UK version)

I want to be able to create a site-to-site (or LAN to LAN in DrayTek's terminology) VPN via an IPSec tunnel to a Netgear ProSafe firewall I have running at another site. Simultaneously I want to be able to access an L2TP VPN Server running on Windows 2012 RRAS (behind the DrayTek at the primary site), via passthrough when I'm out and about.

Having created the site-to-site VPN with a few issues along the way, I have got it working. I have also got the L2TP VPN passthrough working so I can connect from my Windows laptop when away from the main network. HOWEVER, it seems impossible to get both working at the same time. For the site-to-site to work, I have to tick the 'Enable IPSec VPN Service' under the Remote Access Control settings on the Draytek. But once I do this, passthrough of the L2TP Windows VPN fails. If I untick, it is the other way around with the Site-to-site failing and the L2TP passthrough working.

I suspect someone out there will confirm DrayTek routers simply cannot both have a site to site and L2TP passthrough connection connected simultaneously (I momentarily achieved it once, on initial bootup). I appreciate both VPN types use IPSec, however every single Netgear and Linksys router I've owned and used to date has been able to do both simultaneously with zero problems. I'm hopeful I'm missing something, but fear I'm not and the DrayTek will be going back (a shame, as I really like it otherwise!)

Any thoughts appreciated, cheers :-)
TimotiSt, Datacenter Technician
Top Expert 2012

Commented:
Looks like it can't support it, either the router terminates IPSec, or it forwards it:
VPN Pass-Through Setup | DrayTek

One option would be to use another protocol (like PPTP) for one purpose, and IPSec for the other; or use the Draytek for both LAN-to-LAN and road warrior VPN.
But if Netgear/Linksys kit can do it for you and is available, then possibly just replace the Draytek as you say.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Please don't advise PPTP. That protocol has been broken for over 20 years; 10 years ago Moxie Marlinspike had a service running that would break ANY key within 24 hours (guaranteed) for a fee, computing the key on AWS. Nowadays it won't take 24 hours to achieve this.

As an added bonus PPTP will reveal the password to the account needed to run it.
TimotiSt, Datacenter Technician
Top Expert 2012

Commented:
Okay, fair enough, there's a lot of better alternatives out there.
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
IMHO the best option without replacing the Draytek is indeed to let it terminate all traffic. The free ShrewSoft VPN Client might be an option to allow that for dial-in.

On the other hand there is no reason why (pass-thru) L2TP/IPsec should not work together with device IPsec. L2TP encapsulates the IPsec packets, so there is no conflict. The fact that you can disable different VPN protocol servers for the Draytek leads me to the conclusion it should work. Just make sure you do not forward IPsec, only L2TP.

Author

Commented:
Thanks to all of you for comments, and apologies for the slight delay in replying.

Yep, I have indeed considered using alternative VPN types for passthrough (such as an SSL based VPN) or just biting the bullet and trying out the integrated L2TP based service built into the DrayTek itself. But the fact is, I've always liked the Win RRAS based VPN setup, and have used L2TP passthrough to this for years - it provides an easy view of who's connected and the highly complex secret key I use combined with the need for AD login credentials gives me a reasonable sense of security that we're unlikely to be hacked into this way.

As for PPTP, haven't touched that with a very long proverbial stick for many years - I think even when I did my original MCSE in the Win 2000 syllabus in the early noughties the instructor back then illustrated how dangerously insecure it was. Hopefully no one is using that anymore, but I bet someone out there is! (appreciate this was just listed as an example of other VPN types)

The reason why I'm trying to use a DrayTek is because the Netgear ProSafe it's to replace hasn't been supported by Netgear for years (in fact Netgear have totally killed their ProSafe routers; they simply don't make them anymore and haven't released any updates for their most recent model since early 2017). Open source firmware isn't an option on ProSafes because of the encryption chip they use, I believe. Linksys do make an appropriate router but I've experienced first-hand that it's great as a single WAN unit (I have one in operation at one site) but poor as dual WAN - quite hideously unusable in fact. Linksys also don't release updates anywhere nearly as frequently as DrayTek do (which worries me a little from a security point of view), and DrayTek seem quite committed to their back catalogue of past devices with updates multiple times throughout the year.

Qlemo - your final comment particularly interests me; in fact I'd been trying to experiment with L2TP NAT-T config before posting (which I think is what you're describing - I'm not a VPN expert and have to remind myself of the various port and protocol forwardings on the rare occasions I set these up again, so apologies for any inaccuracies!) In such a configuration, would protocol 50 / ESP still need to be passed, and perhaps here is where the problem lies? Or do you think that passing port 4500 for IPSEC NAT-Traversal mode should be enough? (as detailed in one of the answers found here: https://serverfault.com/questions/451381/which-ports-for-ipsec-lt2p#527787)

My suspicion is that regardless of what I do to the config, the DrayTek is going to refuse to pass through any L2TP related traffic all the time I have the site-to-site VPN running. If so, I think it will probably have to go back, and I'll just have to assume all DrayTek units are going to be the same and start over on finding an alternative :-(

Many thanks to you all for your help, further thoughts much appreciated :-)
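As an added example (not code from this thread, nor from DrayTek, Microsoft or Netgear), the following Python models the two things the question above turns on: how an IPsec peer demultiplexes what arrives on UDP/4500 under NAT-Traversal (RFC 3948: a one-byte keepalive, IKE behind a four-byte non-ESP marker, or UDP-encapsulated ESP whose first four bytes are the SPI), which is why raw ESP (IP protocol 50) rides inside UDP/4500 once NAT-T is negotiated, and which forwards an L2TP/IPsec server behind NAT needs in NAT-T versus raw-ESP mode. All function names, the `Forward` type and the sample payloads are constructed for illustration.

```python
"""
Demultiplex UDP/4500 (IPsec NAT-T, RFC 3948) payloads and check a router's
port-forward table against what an L2TP/IPsec server behind NAT requires.
Constructed sample data; helper names are hypothetical, not vendor code.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE on UDP/4500 is prefixed with four zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: a single 0xFF octet keeps the NAT mapping alive
IKE_HEADER_LEN = 28                   # fixed ISAKMP / IKEv2 header size (RFC 2408 / RFC 7296)
ESP_HEADER_LEN = 8                    # SPI (4 bytes) + sequence number (4 bytes), RFC 4303


def classify_natt_payload(payload: bytes) -> str:
    """Return 'keepalive', 'ike', 'esp' or 'invalid' for one UDP/4500 payload."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if payload[:4] == NON_ESP_MARKER:
        # An ESP SPI of zero never appears on the wire, so the zero marker is unambiguous.
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "invalid"
    if len(payload) >= ESP_HEADER_LEN:
        return "esp"  # first four bytes are the SPI, then the sequence number, then ciphertext
    return "invalid"


def esp_spi(payload: bytes) -> int:
    """SPI of a payload already classified as 'esp' (big-endian, RFC 4303)."""
    return struct.unpack("!I", payload[:4])[0]


def summarise(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count payload kinds seen on UDP/4500; handy for confirming ESP really is UDP-encapsulated."""
    counts = {"keepalive": 0, "ike": 0, "esp": 0, "invalid": 0}
    for p in payloads:
        counts[classify_natt_payload(p)] += 1
    return counts


@dataclass(frozen=True)
class Forward:
    proto: str                  # 'udp', 'tcp', or 'esp' (IP protocol 50, forwarded by protocol, not port)
    port: Optional[int] = None  # None for protocol-level forwards such as ESP


# Forwards the L2TP/IPsec server behind the router needs. UDP/1701 (L2TP) is never
# forwarded on its own: it travels inside ESP, whichever mode is in use.
REQUIRED = {
    # IKE starts on UDP/500 and floats to UDP/4500 once NAT is detected; ESP then rides in UDP/4500.
    "nat-t": frozenset({Forward("udp", 500), Forward("udp", 4500)}),
    # Without NAT-T, ESP must be passed as IP protocol 50 alongside IKE on UDP/500.
    "raw-esp": frozenset({Forward("udp", 500), Forward("esp")}),
}


def missing_forwards(configured: Iterable[Forward], mode: str) -> List[Forward]:
    """Required forwards for `mode` that are absent from the router's table."""
    missing = REQUIRED[mode] - frozenset(configured)
    return sorted(missing, key=lambda f: (f.proto, f.port or 0))


# Constructed UDP/4500 payloads (not captured traffic).
SAMPLE_PAYLOADS = [
    NAT_KEEPALIVE,
    NON_ESP_MARKER + bytes(IKE_HEADER_LEN),          # IKE with an all-zero header, enough to classify
    struct.pack("!II", 0x0A1B2C3D, 1) + bytes(16),   # ESP: SPI 0x0A1B2C3D, seq 1, opaque ciphertext
    b"\x00\x00",                                     # truncated garbage
]

if __name__ == "__main__":
    print(summarise(SAMPLE_PAYLOADS))
    print(missing_forwards([Forward("udp", 500)], "nat-t"))
```

The practical reading: when both ends support NAT-T, forwarding UDP/500 and UDP/4500 to the RRAS host is sufficient because ESP is carried inside UDP/4500; a protocol-50 forward is only needed when NAT-T is not negotiated.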
noci, Software Engineer
Distinguished Expert 2018

Commented:
Zywall USG can be an alternative.

Author

Commented:
Thanks for the recommendation - I've not used Zyxel before, but would I be right in thinking their Zywall USG will carry an annual subscription cost to keep it updated? Ideally I'd still like to find a solution for the DrayTek, although I accept I might be asking too much in this instance....
noci, Software Engineer
Distinguished Expert 2018

Commented:
That depends. The subscription is only for URL filtering and online scanning of content (imho, that should not be in a network router).
IPSEC & OpenVPN can be used, limited to a maximum depending on model. Firmware updates can be downloaded without fee.

Author

Commented:
I have reached out to DrayTek with a specific question about the situation I'm facing. Their response was as below:

You won't be able to have both the VPN pass through at the same time with your LAN to LAN Draytek VPN if you have the IPsec service enabled. What you can do is set the LAN to LAN VPN say to SSL and have the pass through L2TP/IPSEC on the Microsoft Server.

So this clarifies the position. I anticipate their SSL VPN for site-to-site connections is some kind of proprietary config (as I'm pretty sure SSL VPNs are normally a client -> server model only) and have replied asking for clarification on this, and whether I could only do this with a DrayTek model each end or mixing with other branded routers too. It's not what I really want to do anyway, so I think I've reached the end of the road on this one and the DrayTek unit is being returned today.

Thanks to you all for your input! :-)