Attn Draytek VPN Users

Hi All,

I know there are a few people on here using draytek routers for site to site vpn's so I just thought I would share some recent findings:

We've got 16 sites vpn'ed in to head office at the moment - we used to have the vpn's split over two 2950's - one still on our old 2Mb sdsl, and one on our new 25Mb fibre. On a typical day I would be seeing anywhere between 1 vpn drop to 20 drops!

I was finding the 2950's also seemed to be bottlenecking vpn - they are rated for 50Mb of ipsec, but I found real life throughput to be more like 6-7Mb of pptp or ipsec - was a bit perplexed as they're supposed to have a hardware accelerator for ipsec, and I didn't realise pptp was cpu intensive. Anyway, I removed the 2950 on the fibre and put a pfsense box in place and moved all the vpn's over, and not a single one has dropped during working hours since! (I expect vpn's to drop out of working hours as often people will come in and mess with our kit on site offices). Also haven't seen the full 25Mb of vpn yet but it's hit a few times 16Mb with plenty of cpu spare, and I suspect our 2820's on sites are now bottlenecking at around 3Mb, not sure whether I'm happy with that as a crude balancing mechanism or whether this needs to be resolved.

Anyway, just thought I would share my findings, the pfsense box cost pretty close to absolute zero, saved £25 on scrapping an old pc, 2 x intel pro 1000gt's, and it's live. Would be interested if anyone has any better experience of vpn with 2820 and 2950, or would be happy to provide sample ipsec configs if anyone wants to try out what I've done.

Also there was a period when I needed to move all the vpn's over the 2950 on the 2Mb sdsl to enable me to swap the other 2950 out for the pfsense box, then had to move them over to the pfsense box. I was finding issues with creating static routes on the remaining 2950 - often wouldn't let me create a rule that was disabled but would if it was enabled, or wouldn't let me create a rule until I rebooted it!

cheers for the heads up matie!!!

Thanks! after your post about pfsense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.

Quote:

---

Originally Posted by JonEp

Thanks! after your post about pfsense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.

---

same here i get loads of issues with dropouts will take a look (this is why i love digital forums)

Leave it with me and I will post sample ipsec configs when I get time later today, will save you ages in pissing about getting a working config. Any questions, throw em my way and if I can answer I will.

Thanks, it's interesting to see how they perform when they are in a complex / high usage environment.

I've only used them for lightly used scenarios with 4 sites, for web and file syncronisation etc... Found them reliable in this scenario.

Sorry I'm gonna stall on posting a config for a few days - found a problem with a site that kept getting power failures, then when power came back up vpn would come back up because of duplicate sad's which either had to be manually deleted, I would have to wait until I get the next one or restart the racoon service which knocks all the vpn's off.

Got a couple of tweaks I wanna try to resolve this first.

Sample pfSense Config:

http://i101.photobucket.com/albums/m...s/pfconfig.jpg


Sample 2820 Config:
http://i101.photobucket.com/albums/m...ics/2820-1.jpg

http://i101.photobucket.com/albums/m...ics/2820-2.jpg

The trick to resolve the multiple SA's was to go on the pfsense box to system, advanced, miscellaneous, Prefer old IPSEC SA's - did some torture testing for a while and got a few SA's, but the vpn always came back within 8 secs of the 2820 getting on the net. Now vpn's randomly dropping are a thing of the past, they only drop if the site router drops.

Also saw it pushing over 18Mb upload the other say and am confident it won't bottleneck our 25Mb line - I looked into the soekris vpn 14x1 accelerator cards, they claim to be able to do 250Mb of IPSEC, but apparently these only are to go with very slow cpu's and would actually be slower than my p4!

You may notice my phase 1/2 lifetimes are set to max - renewing the SA's is computationally heavy and I prefer not to have latency spikes as we use VOIP, you may prefer to reduce these values for security reasons.

Any questions, will answer if I can.