
Draytek Vigor router connecting to PPTP VPN

Status
Not open for further replies.

gman999

Technical User
Feb 2, 2006
15
GB
I am using the Draytek box at home on a DSL, and I am connecting to the work VPN, which is a Microsoft PPTP.

The VPN connects fine, and it's alive on the router. From work I can ping the internal IP that it is given. However, from the PC connected to the Vigor box, I cannot traceroute out, or ping anything.

Do I need to forward anything? I have allowed everything through the firewall.

Any ideas?
 
I have around 30 Vigor 2600Gs working to an MS PPTP server, so rest assured it does work.

You say you can't ping anything from the PC. If this is true, then the PC to the Draytek connection is suspect. If you can ping the Vigor, then can you ping the PPTP server? (Look in VPN Management and you should see the connection with the remote IP.)

If there are no routes to 192.168.1.x/24 in the office network, set the VPN to treat the IP as public rather than private. This makes everything behind the Draytek look like it's on one IP - the one allocated by the PPTP server. It's effectively NAT.
 
On the PPTP server, if I look at VPN management, I can see an IP; this is the IP I can ping from the PPTP server.

From the laptop connected to the Vigor, I cannot ping anything, and if I do a traceroute to any IP at work, it doesn't get past the Vigor, and times out.

I suspect it is a NAT problem but I'm not certain what's going on.
 
If nothing pings then there is a problem with the Vigor.

You should be able to ping the IP of the Vigor if nothing else.

One more thing springs to mind - after V2.5.5 of the 2600 there is a known problem where the VPN server must be set to one encryption level (I use 128-bit), as there is a problem negotiating which then shows the tunnel up but no traffic will pass.
 
OK, that could be it. I'll try that when I get to work tomorrow, and let you know how it goes. Thanks for the help.

So I shouldn't need to forward any ports or anything outside of the LAN to LAN menu?

If there are any other things I could try out, please let me know.
 
Thanks, it was the public setting. Works great now.

For the people that use it from home, do you just let them connect constantly? Would there be security concerns involved in this?
 
Sorry for the delay, gman.

Generally I have the routers stay permanently connected. The reasons for that are:

1. When a user's broadband is up I can tell by looking for their router logon (the routers have distinct names separate from their users).

2. To allow users to see internal DNS I use one server over the VPN for DNS lookups, so even if they go straight to the internet we do the DNS - so the PPTP would probably be up all the time.

3. I save the cost of 30x fixed IP addresses - the router's logon gives me the IP of the Draytek if I need to remotely manage it.

As you say, there IS a risk here - split tunneling (internet traffic goes straight out, not up the VPN) is a risk as the Draytek has no anti-spam or AV unlike the head office systems, but it relieves the load on our internet connection. In the three years I've been using it we have had around 6 virus outbreaks, 2 of which were caused by VPN users BUT not Draytek users - they were users with the Microsoft client. I believe the fact that most viruses scan the local subnet and the one step away of the Draytek's local range protected us.

I have had more damage caused to the network by visitors on site than by VPNs.

 