Hi All,

I know there are a few people on here using DrayTek routers for site-to-site VPNs, so I just thought I would share some recent findings:

We've got 16 sites VPN'ed in to head office at the moment - we used to have the VPNs split over two 2950s - one still on our old 2Mb SDSL, and one on our new 25Mb fibre. On a typical day I would be seeing anywhere between 1 VPN drop and 20 drops!

I was finding the 2950s also seemed to be bottlenecking VPN - they are rated for 50Mb of IPsec, but I found real-life throughput to be more like 6-7Mb of PPTP or IPsec - was a bit perplexed as they're supposed to have a hardware accelerator for IPsec, and I didn't realise PPTP was CPU intensive. Anyway, I removed the 2950 on the fibre, put a pfSense box in place and moved all the VPNs over, and not a single one has dropped during working hours since! (I expect VPNs to drop out of working hours, as often people will come in and mess with our kit in site offices.) Also haven't seen the full 25Mb of VPN yet, but it's hit 16Mb a few times with plenty of CPU spare, and I suspect our 2820s on sites are now bottlenecking at around 3Mb. Not sure whether I'm happy with that as a crude balancing mechanism or whether this needs to be resolved.

Anyway, just thought I would share my findings. The pfSense box cost pretty close to absolute zero: saved £25 on scrapping an old PC, 2 x Intel Pro 1000GTs, and it's live. Would be interested if anyone has any better experience of VPN with the 2820 and 2950, or would be happy to provide sample IPsec configs if anyone wants to try out what I've done.

Also, there was a period when I needed to move all the VPNs over to the 2950 on the 2Mb SDSL to enable me to swap the other 2950 out for the pfSense box, then had to move them over to the pfSense box. I was finding issues with creating static routes on the remaining 2950 - often it wouldn't let me create a rule that was disabled but would if it was enabled, or wouldn't let me create a rule until I rebooted it!