Should IPSEC tunnels for LAN-LAN be configured for call direction of “Both”, “Always On” and Enable PING keep alive to LAN interface of remote gateway?
If you select ‘Always On’, you should be able to ‘Dial-out’. If you select ‘Both’, you can’t select ‘Always On’. Is there a way to ensure that tunnels can be initiated from both ends so that we minimize dropouts of the tunnels? In standard IPSEC we can define that a tunnel is initiated from both ends and “always on”. Is there a way to do this with the Draytek and to enable keep alive?
It’s impossible to enable keep alive to ping or always on for Dial-in mode. Because VPN initiated from Dial-out, if VPN disconnected, VPN will redial, this needs the Dial-out end to initiate. ‘Always on’ is like a redial function, so the Dial-in end doesn’t need this. ‘Keep alive’ is almost the same.
Can you confirm if Multicast via VPN should be enabled and if this will aid in MTU discovery?
If you pass Multicast via VPN, it only applies for some things like IGMP, IP-Camera, DHCP Relay etc. This won’t aid in MTU discovery.
Is there a way to reduce packet sizes at the LAN interface to deal with IPSEC overhead over tunnels?
Do you want to modify (reduce) MTU size of the packet via VPN? MSS is 1360 at present and can’t be modified.
Can we use the “wan ppp_mss 1200” command via a telnet window to force the packet size of LAN packets entering the router down to 1200 bytes as our largest unfragmented packet that we can send over the VPN is currently 1210? “wan ppp_mss 1200” command via a telnet window is only used for packet via WAN, not for VPN at present. If you want to change MSS for VPN, please let us know and we’ll report to R&D to improve this.
Can weighted routes can be used for the tunnel?
VPN tunnels can use weighted routes in VPN ‘more’. They don’t use the weighted routes in WAN.
Can we create static routes via the telnet window to route via a particular IPSEC tunnel and if so can they have a cost assigned? ‘ip route’ via the telnet window is only used for LAN,WAN1 and WAN2. Not for VPN at present. If you want to add static route for VPN, please let us know us and we’ll report to R&D to improve this.
Should Load-Balance policy be used as best means of routing by source IP over tunnels?
Do you mean can the Load-Balance policy be used to the source IP from VPN tunnels Remote site or Local site? Could you give me an example? As per above we basically want to determine how we can say route all packets from a source or destination range of addresses to go via a particular tunnel so that we do not get triangulation of routes given that two tunnels exist to each remote site.
Did your two VPN tunnels to the same router used VPN Trunk Load-balance? If you did,you can use VPN Load Balance Advance Settings>>VPN Load Balance – Binding Tunnel Policy. WAN load-balance policy is only used for traffic LAN to WAN, not for VPN.
How does outbound QoS reservation work (guaranteed)?
Do you mean outbound Qos for the VPN? VPN outbound packets also complies with the class rules in Outbound Qos like LAN IP. Does the reservation mean that the bandwidth cannot be used by other traffic (so you should never allocate 100% bandwidth? No, the bandwidth can be used for all traffic. VPN packets also comply with the class rules in QoS like LAN IP. If VPN traffic matches Class 1 in QoS, this traffic will go via Class1. If VPN traffic doesn’t match Class1-3, it will go via Others in QoS. But if you enable QoS, your bandwidth will be lower than with QoS disabled because QoS reserves some bandwidth to the VoIP module.
How does routing work with multiple tunnels when no endpoints are stipulated to allow static routes over a particular tunnel?
In the diagram above we have two WAN connections and two tunnels defined (one over each WAN connection) to the remote 2930. In this case can use VPN Load Balance under Advanced Settings>>VPN Load Balance – Binding Tunnel Policy, Weighted Round Robin for route and weight between the two VPN tunnels in the same router.
By default, the two VPN tunnels will use weight 1：1, both tunnels will be used at one time. Please refer to the diagram below: