Questions on Configuration of IPSEC tunnels, routing and QoS
Posted by on 14 February 2012 05:35 PM
IPSEC tunnels for LAN-LAN should be configured for a call direction of "Both", "Always On", and with PING keep-alive enabled to the LAN interface of the remote gateway.
If you select 'Always On', you should be able to 'Dial-out'. If you select 'Both', you cannot select 'Always On'. Is there a way to ensure that tunnels can be initiated from both ends so that we minimize dropouts of the tunnels? In standard IPSEC we can define that a tunnel is initiated from both ends and "always on". Is there a way to do this with the DrayTek and to enable keep-alives?
It is not possible to enable the PING keep-alive or 'Always On' for Dial-in mode. Because the VPN is initiated from the Dial-out end, if the VPN disconnects it will redial, and this needs the Dial-out end to initiate it. 'Always On' is like a redial function, so the Dial-in end doesn't need it. 'Keep alive' is much the same.
Confirm whether Multicast via VPN should be enabled and whether this will aid in MTU discovery.
If you enable Multicast via VPN, it only applies to things such as IGMP, IP cameras, DHCP Relay, etc. It won't aid in MTU discovery.
Is there a way to reduce packet sizes at the LAN interface to deal with IPSEC overhead over the tunnels?
Do you want to modify (reduce) the MTU size of packets sent via the VPN? The MSS is 1360 at present and cannot be modified.
Can we use the "wan ppp_mss 1200" command via a telnet window to force the packet size of LAN packets entering the router down to 1200 bytes, as our largest unfragmented packet that we can send over the VPN is currently 1210?
The "wan ppp_mss 1200" command via a telnet window is only used for packets via the WAN, not for the VPN at present. If you want to change the MSS for the VPN, please let us know and I'll report it to R&D to improve this.
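The exchange above turns on two numbers: the largest unfragmented packet the customer measured over the tunnel (1210) and the MSS they want to clamp to (1200). The following is an added example for this KB entry, not DrayTek firmware or CLI code. It shows how a practitioner would measure the path MTU across a tunnel from a LAN host with DF-marked pings, turn that into a TCP MSS, and separately estimate how much of the WAN MTU an ESP tunnel-mode SA leaves for the inner packet. The assumptions are labelled in the code: IPv4 without options, Linux iputils `ping` syntax, AES-CBC with a 16-byte IV and a 96-bit ICV, and that the customer's 1210 was a `ping -s` payload size (the page does not say).

```python
"""Path-MTU probing and MSS arithmetic for traffic entering an IPsec tunnel.

Added example for this KB entry; not DrayTek firmware or CLI code.
Assumptions: IPv4 headers without options, ICMP echo with DF set,
ESP tunnel mode, AES-CBC (16-byte block and IV) with a 96-bit ICV
unless other sizes are passed in.
"""
import subprocess
from typing import Callable

IPV4_HDR = 20     # bytes, no options
ICMP_HDR = 8
TCP_HDR = 20      # bytes, no options
UDP_HDR = 8       # NAT-T encapsulation, when present
ESP_SPI_SEQ = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def icmp_probe(dest: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-marked echo of `payload` data bytes (Linux iputils ping).

    True means a reply came back; False means it was dropped or the path
    answered 'fragmentation needed'. Assumed to run on a LAN host behind
    the tunnel, targeting a host on the remote LAN.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
           "-s", str(payload), dest]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = 0, hi: int = 1472) -> int:
    """Binary-search the largest payload that crosses the path unfragmented.

    `probe(n)` must return True iff an echo carrying n data bytes succeeds.
    `hi` defaults to 1472 = 1500 - 20 - 8, the maximum on a plain Ethernet path.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: path down or ICMP filtered")
    if probe(hi):
        return hi
    # invariant: probe(lo) succeeded, probe(hi) failed
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """`ping -s` counts only ICMP data; add the IPv4 and ICMP headers back."""
    return payload + IPV4_HDR + ICMP_HDR


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment that fits in `mtu` without fragmentation."""
    return mtu - IPV4_HDR - TCP_HDR


def max_inner_packet(wan_mtu: int = 1500, block: int = 16, iv: int = 16,
                     icv: int = 12, nat_t: bool = False) -> int:
    """Largest inner IP packet an ESP tunnel-mode SA fits in one WAN frame.

    Fixed ESP cost: outer IPv4 header, optional NAT-T UDP header, SPI+seq,
    IV and ICV. The inner packet plus padding plus the 2-byte trailer must
    be a multiple of the cipher block size, so round the remainder down.
    """
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ + iv + icv
    aligned = ((wan_mtu - fixed) // block) * block
    return aligned - ESP_TRAILER


if __name__ == "__main__":
    # Offline demonstration with a constructed path whose MTU is 1238 bytes,
    # i.e. the largest unfragmented ping payload is 1210 (the figure in the
    # question above, assuming it was the `ping -s` value). To probe a live
    # tunnel, use: lambda n: icmp_probe("192.0.2.10", n)  (address assumed).
    def fake_path(n: int) -> bool:
        return n + IPV4_HDR + ICMP_HDR <= 1238

    best = find_max_payload(fake_path)
    pmtu = path_mtu_from_payload(best)
    print(f"max payload {best}, path MTU {pmtu}, clamp MSS to {tcp_mss_for_mtu(pmtu)}")
    print("ESP AES-CBC/SHA1-96 over a 1500-byte WAN carries inner packets up to",
          max_inner_packet(), "bytes;", max_inner_packet(nat_t=True), "with NAT-T")
```

Under the stated assumption that 1210 was the `ping -s` payload, the path MTU through the tunnel is 1238 bytes and the TCP MSS that avoids fragmentation is 1198, so a 1200-byte MSS would still be two bytes over. The `max_inner_packet` arithmetic is the other direction of the same problem: starting from the WAN MTU and the SA's cipher and integrity sizes, it gives the inner packet size the tunnel can carry, which is what a fixed MSS such as the 1360 quoted in the answer has to stay below (with another margin for PPPoE or NAT-T if either is in the path).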
Confirm if weighted routes can be used for the tunnel.
VPN tunnels can use the weighted routes in the VPN profile's 'More' settings. They don't use the weighted routes in WAN.
Can we create static routes via the telnet window to route via a particular IPSEC tunnel and if so can they have a cost assigned?
'ip route' via the telnet window is only used for LAN, WAN1 and WAN2, not for the VPN at present. If you want to add a static route for the VPN, please let us know and I'll report it to R&D to improve this.
Confirm that Load-Balance policy should be used as best means of routing by source IP over tunnels.
Do you mean the Load-Balance policy should be applied to the source IP of the VPN tunnel's remote site or local site? Could you give me an example?
As per the above, we basically want to determine how we can route all packets from a source or destination range of addresses via a particular tunnel, so that we do not get triangulation of routes, given that two tunnels exist to each remote site.
Do your two VPN tunnels to the same router use VPN Trunk Load-Balance? If they do, you can use VPN Load Balance Advance Settings >> VPN Load Balance - Binding Tunnel Policy. The WAN load-balance policy is only used for traffic from LAN to WAN, not for the VPN.
Confirm how outbound QoS reservation works (guaranteed).
Do you mean outbound QoS for the VPN? If so, VPN outbound packets also comply with the class rules in Outbound QoS, just like LAN IPs.
Thanks. Does the reservation mean that the bandwidth cannot be used by other traffic (so you should never allocate 100% of the bandwidth)?
No, the bandwidth can be used by all traffic; VPN packets also comply with the class rules in QoS like LAN IPs. If VPN traffic matches Class 1 in QoS, this traffic will go via Class 1. If VPN traffic doesn't match Class 1-3, it will go via Others in QoS. But if you enable QoS, your bandwidth will be lower than with QoS disabled, because it reserves some bandwidth for the VoIP module.
Discuss how routing works with multiple tunnels (no endpoints are stipulated to allow static routes over a particular tunnel)
Are the routings the same with multiple tunnels? Could you give me an example or a scenario?
As per the diagram, we have two WAN connections and two tunnels defined (one over each WAN connection) to the remote 2930.
Do you use VPN Trunk Load-Balance in your router? If you do, you can use VPN Load Balance Advance Settings >> VPN Load Balance - Binding Tunnel Policy, and Weighted Round Robin to route and weight between the two VPN tunnels in the same router.
If you keep the default, the two VPN tunnels will use a weight of 1:1 and both tunnels will be used at the same time. Please refer to the diagram below:
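To make concrete what the Binding Tunnel Policy and the Weighted Round Robin setting mean for where a given flow ends up, and why the customer's "triangulation of routes" appears with the default 1:1 weights, here is an added illustrative model. It is not the Vigor firmware's logic and is not from this KB entry; it assumes that a binding matches on the source address (the case asked about), that round robin is applied per packet unless `per_flow=True`, and that tunnel names and weights are whatever the caller supplies.

```python
"""Illustrative model of 'Binding Tunnel Policy' plus weighted round robin.

Added example for this KB entry; a model of the behaviour the answers
describe, not DrayTek code. Assumptions: bindings are keyed on source
address; round robin is per packet unless per_flow=True, which pins each
5-tuple to the tunnel its first packet used.
"""
import ipaddress
from itertools import cycle


class TunnelSelector:
    def __init__(self, weights, bindings=(), per_flow=False):
        # weights: {"tunnel name": weight}; the answer says the default is 1:1
        # bindings: iterable of (source CIDR, tunnel name), checked in order
        self.bindings = [(ipaddress.ip_network(net), name)
                         for net, name in bindings]
        for _, name in self.bindings:
            if name not in weights:
                raise ValueError(f"binding refers to unknown tunnel {name}")
        if any(w < 1 for w in weights.values()):
            raise ValueError("weights must be positive integers")
        # expand weights into a repeating schedule, e.g. 2:1 -> A, A, B
        schedule = [name for name, w in weights.items() for _ in range(w)]
        self._rr = cycle(schedule)
        self.per_flow = per_flow
        self._flows = {}

    def select(self, src, dst, proto="tcp", sport=0, dport=0):
        """Return the tunnel a packet with this 5-tuple would be sent over."""
        ip = ipaddress.ip_address(src)
        # a binding always wins over load balancing
        for net, name in self.bindings:
            if ip in net:
                return name
        if not self.per_flow:
            return next(self._rr)
        key = (src, dst, proto, sport, dport)
        if key not in self._flows:
            self._flows[key] = next(self._rr)
        return self._flows[key]


def tunnels_used_by_flow(selector, n_packets, **flow):
    """Set of tunnels a single flow of n_packets packets is spread across."""
    return {selector.select(**flow) for _ in range(n_packets)}


if __name__ == "__main__":
    # Constructed addresses; the two tunnels model one over each WAN.
    flow = dict(src="192.168.1.10", dst="192.168.2.20", sport=40000, dport=443)
    default = TunnelSelector({"wan1_tunnel": 1, "wan2_tunnel": 1})
    print("default 1:1, per packet:", tunnels_used_by_flow(default, 4, **flow))
    pinned = TunnelSelector({"wan1_tunnel": 1, "wan2_tunnel": 1},
                            bindings=[("192.168.1.0/24", "wan1_tunnel")])
    print("with a binding policy:", tunnels_used_by_flow(pinned, 4, **flow))
```

The per-packet default sends successive packets of one connection down alternate tunnels, which is exactly the asymmetric path the question complains about; a binding for the source range pins that traffic to one tunnel regardless of the weights, and a per-flow selector keeps each connection on whichever tunnel it started on while still spreading connections in the configured ratio.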