  1. #1 Over Carl (DF VIP Member, London, joined Apr 2006)

    Attn Draytek VPN Users

    Hi All,

    I know there are a few people on here using DrayTek routers for site-to-site VPNs, so I just thought I would share some recent findings:

    We've got 16 sites VPN'd in to head office at the moment. We used to have the VPNs split over two 2950s, one still on our old 2Mb SDSL and one on our new 25Mb fibre. On a typical day I would be seeing anywhere between 1 VPN drop and 20 drops!

    I was finding the 2950s also seemed to be bottlenecking the VPN. They are rated for 50Mb of IPsec, but I found real-life throughput to be more like 6-7Mb of PPTP or IPsec. I was a bit perplexed, as they're supposed to have a hardware accelerator for IPsec, and I didn't realise PPTP was CPU intensive. Anyway, I removed the 2950 on the fibre, put a pfSense box in its place and moved all the VPNs over, and not a single one has dropped during working hours since! (I expect VPNs to drop out of working hours, as often people will come in and mess with our kit in site offices.) Also haven't seen the full 25Mb of VPN yet, but it's hit 16Mb a few times with plenty of CPU spare, and I suspect our 2820s on sites are now bottlenecking at around 3Mb. Not sure whether I'm happy with that as a crude balancing mechanism or whether this needs to be resolved.

    Anyway, just thought I would share my findings. The pfSense box cost pretty close to absolute zero: saved £25 on scrapping an old PC, added 2 x Intel Pro 1000 GTs, and it's live. Would be interested if anyone has any better experience of VPN with the 2820 and 2950, or would be happy to provide sample IPsec configs if anyone wants to try out what I've done.

    Also there was a period when I needed to move all the VPNs over to the 2950 on the 2Mb SDSL to enable me to swap the other 2950 out for the pfSense box, then had to move them over to the pfSense box. I was finding issues with creating static routes on the remaining 2950: often it wouldn't let me create a rule that was disabled but would if it was enabled, or wouldn't let me create a rule until I rebooted it!

  2. #2 Wompastompa (DF VIP Member, London, United Kingdom, joined Aug 2008)

    Re: Attn Draytek VPN Users

    Cheers for the heads-up, matey!!!

  3. #3 JonEp (DF VIP Member, UK, joined Oct 2007)

    Re: Attn Draytek VPN Users

    Thanks! After your post about pfSense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.

  4. #4 Wompastompa (DF VIP Member, London, United Kingdom, joined Aug 2008)

    Re: Attn Draytek VPN Users

    Quote Originally Posted by JonEp:
        Thanks! After your post about pfSense in another thread yesterday I've decided to take a look at this later this week. Might just be the answer to a problem I have in the office.

    Same here, I get loads of issues with dropouts, will take a look (this is why I love Digital Forums).

  5. #5 Over Carl (DF VIP Member, London, joined Apr 2006)

    Re: Attn Draytek VPN Users

    Leave it with me and I will post sample IPsec configs when I get time later today; will save you ages pissing about getting a working config. Any questions, throw 'em my way and if I can answer I will.

  6. #6 Crossman (DF VIP Member, (Up North) UK, joined Apr 2002)

    Re: Attn Draytek VPN Users

    Thanks, it's interesting to see how they perform when they are in a complex/high-usage environment.

    I've only used them for lightly used scenarios with 4 sites, for web and file synchronisation etc. Found them reliable in this scenario.

  7. #7 Over Carl (DF VIP Member, London, joined Apr 2006)

    Re: Attn Draytek VPN Users

    Sorry, I'm gonna stall on posting a config for a few days. Found a problem with a site that kept getting power failures; then when power came back up the VPN would come back up because of duplicate SADs, which either had to be manually deleted, or I would have to wait until I got the next one, or restart the racoon service, which knocks all the VPNs off.

    Got a couple of tweaks I wanna try to resolve this first.

  8. #8 Over Carl (DF VIP Member, London, joined Apr 2006)

    Re: Attn Draytek VPN Users

    Sample pfSense Config: (not reproduced in this copy of the thread)

    Sample 2820 Config: (not reproduced in this copy of the thread)
    The trick to resolve the multiple SAs was to go on the pfSense box to System, Advanced, Miscellaneous, "Prefer old IPsec SAs". Did some torture testing for a while and got a few SAs, but the VPN always came back within 8 secs of the 2820 getting on the net. Now VPNs randomly dropping are a thing of the past; they only drop if the site router drops.

    Also saw it pushing over 18Mb upload the other day and am confident it won't bottleneck our 25Mb line. I looked into the Soekris vpn14x1 accelerator cards; they claim to be able to do 250Mb of IPsec, but apparently these are only meant to go with very slow CPUs and would actually be slower than my P4!

    You may notice my phase 1/2 lifetimes are set to max. Renewing the SAs is computationally heavy and I prefer not to have latency spikes as we use VoIP; you may prefer to reduce these values for security reasons.

    Any questions, will answer if I can.
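The condition described in posts #7 and #8 (a site power-cycles, the 2820 comes back and negotiates a fresh SA while the old one is still sitting in the kernel SAD, and the tunnel stays broken until the stale entry is deleted or racoon is restarted) is visible directly in the SAD on any racoon/ipsec-tools box, which is what pfSense of that vintage ran underneath. The script below is an added example written for this page; it is not the poster's config and not pfSense or ipsec-tools code. It parses a `setkey -D` dump (the sample is constructed in the layout ipsec-tools prints; the addresses, SPIs and timestamps are made up) and applies the same prefer-older-SA policy as the GUI setting the post settles on: per tunnel (src, dst, reqid) it keeps the oldest mature SA and emits `setkey` delete lines for the newer duplicates. It also reports how long each kept SA has until its soft lifetime, which is the rekey that the lifetime remark in #8 is trading off against latency.

```python
"""Spot duplicate IPsec SAs in an ipsec-tools `setkey -D` dump.

Added example for this page, not code from the thread, pfSense or ipsec-tools.
Per tunnel (src, dst, reqid) it keeps the oldest mature SA, as a
prefer-older-SA policy does, and emits setkey delete lines for the rest.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed dump in setkey -D's layout; addresses, SPIs and times are made up.
# Tunnel 1 (203.0.113.10 -> 198.51.100.1) has two SAs: the peer rebooted and
# negotiated a fresh one 10 s ago while the 20-minute-old one is still present.
# Tunnel 2 (reverse direction) is healthy with a single SA.
SAMPLE_SETKEY_D = """\
203.0.113.10 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar  3 09:00:00 2010\tcurrent: Mar  3 09:20:00 2010
\tdiff: 1200(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=3 pid=1420 refcnt=0
203.0.113.10 198.51.100.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar  3 09:19:50 2010\tcurrent: Mar  3 09:20:00 2010
\tdiff: 10(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=2 pid=1420 refcnt=0
198.51.100.1 203.0.113.10
\tesp mode=tunnel spi=180150001(0x0abcdef1) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Mar  3 09:10:00 2010\tcurrent: Mar  3 09:20:00 2010
\tdiff: 600(s)\thard: 28800(s)\tsoft: 23040(s)
\tsadb_seq=1 pid=1420 refcnt=0
"""

HEADER_RE = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" line opens an SA
SPI_RE = re.compile(r"^\s*(\w+) mode=\w+ spi=\d+\((0x[0-9a-f]+)\) reqid=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")
LIFE_RE = re.compile(r"^\s*diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    spi: str    # hex, as setkey prints it
    reqid: int
    state: str  # larval / mature / dying / dead
    age: int    # "diff": seconds since the SA was installed
    hard: int   # hard lifetime (s): the kernel drops the SA here
    soft: int   # soft lifetime (s): racoon starts rekeying here

    def seconds_to_rekey(self) -> int:
        return max(self.soft - self.age, 0)


def parse_sad(dump: str) -> list[SA]:
    """Turn a setkey -D dump into SA records, one per src/dst header block."""
    sas, cur = [], None
    for line in dump.splitlines():
        if (m := HEADER_RE.match(line)):
            if cur:
                sas.append(SA(**cur))
            cur = {"src": m[1], "dst": m[2]}
        elif cur is None:
            continue
        elif (m := SPI_RE.match(line)):
            cur.update(proto=m[1], spi=m[2], reqid=int(m[3]))
        elif (m := STATE_RE.search(line)):
            cur["state"] = m[1]
        elif (m := LIFE_RE.match(line)):
            cur.update(age=int(m[1]), hard=int(m[2]), soft=int(m[3]))
    if cur:
        sas.append(SA(**cur))
    return sas


def plan_cleanup(sas: list[SA]) -> tuple[dict, list[str]]:
    """Per tunnel keep the oldest mature SA; schedule newer mature ones for deletion.
    Larval (still negotiating) and dying (past soft lifetime) SAs are left to racoon."""
    by_tunnel = defaultdict(list)
    for sa in sas:
        by_tunnel[(sa.src, sa.dst, sa.reqid)].append(sa)
    keep, delete_cmds = {}, []
    for key, members in by_tunnel.items():
        mature = [s for s in members if s.state == "mature"]
        if not mature:
            continue
        oldest = max(mature, key=lambda s: s.age)  # prefer the older SA
        keep[key] = oldest
        delete_cmds += [f"delete {s.src} {s.dst} {s.proto} {s.spi};"
                        for s in mature if s is not oldest]
    return keep, delete_cmds


if __name__ == "__main__":
    keep, cmds = plan_cleanup(parse_sad(SAMPLE_SETKEY_D))
    for (src, dst, reqid), sa in keep.items():
        print(f"keep {src} -> {dst} reqid={reqid} spi={sa.spi} "
              f"age={sa.age}s, soft rekey in {sa.seconds_to_rekey()}s")
    print("# stale duplicates, feed to: setkey -c")
    print("\n".join(cmds))
```

To run it against a live box, replace SAMPLE_SETKEY_D with `sys.stdin.read()` and pipe `setkey -D` into it. Deleting an SA drops traffic in that direction until the peer rekeys, so check the `created` times before feeding the delete lines to `setkey -c`; and this only touches the kernel SAD, not racoon's own phase 1 state, so a tunnel whose ISAKMP SA is also duplicated may still need the daemon restarted. The soft-lifetime countdown is the other side of the lifetime trade-off in #8: a longer lifetime means fewer rekeys and fewer latency spikes, but also more traffic under one key and a longer time for a stale SA to linger before the kernel expires it on its own.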
