Windows to Draytek VPN using L2TP/IPsec with PSK

The good news here is that a Draytek, out-the-box, is already setup for L2TP/IPsec. Just add a pre-shared key, your usernames/passwords, and you are good to go.

The other good news is that Windows also supports L2TP/IPsec out-of-box. Just add a VPN with your pre-shared key, username and password and you are good to go. Adding the VPN is easy – its a PowerShell one-liner (although you can use the GUI if you prefer).

–

This guide applies to any Draytek router running DrayOS. This is all the desktop models (eg 26xx and 28xx) and the new rack-mount 2910 and 3010 models, but not the 2900 or 3900 models, which ran Linux.

The parameters that you need for this procedure are:

1. Username
2. Password
3. Pre-shared key (a long, complex password)
4. Router’s WAN FQDN (or IP address)

–

Quick start

On the router:

• Log in
• Navigate to ‘VPN and Remote Access/IPsec setup’
• In ‘General Pre-shared key’ type your pre-shared key, and again to confirm. Click OK
• Navigate to ‘VPN and Remote access/Remote Dial-in User’
• Click on an index number. Type the username and password. Click OK.

On the Windows PC:

• Log on as the user
• Start a PowerShell window
• type: Add-VpnConnection -Name 'VPN' -ServerAddress '<router fqdn or IP>' -TunnelType 'L2TP' -AuthenticationMethod 'MSCHAPv2' -L2tpPsk '<Your PSK>' -SplitTunneling -RememberCredential
• Connect the VPN
• Type in username and password
• Complete!

–

Detailed guide

This detailed guide includes screenshots, notes and troubleshooting information.

Note: Notes are presented in a bordered box like this

4G: A dial-up VPN needs to connect to the WAN interface of your router, so your router will need to have a public routable IP on the WAN interface. 4G is NATed by the service provider so you cannot connect to the WAN interface of the router directly (unless you have a 4G SIM with fixed public IP).

Dynamic IP: If the routers public IP is dynamic, you will need to assign a DynDns name to it – see the [not written yet] Draytek-DynDns post for details. However, if the IP does not change very often, and you are keen to get going, you can make a note of what it is now and use it temporarily until it changes.

–

Enable the L2TP and IPsec services

These are enabled by default. If they have been disabled, click to re-enable them (requires a router reboot). While you are here, you could disable the PPTP, SSL and OpenVPN services if you are not already using them.

–

Setup PPP, including DHCP

When the user connects, it is PPP that authenticates the user, sets the encryption and assigns an IP address to the VPN. The default Draytek and Windows security settings work out-the-box to give the best security, and so there should be no need to change settings here. More info on how PPP works with Windows can be found in ‘Draytek-PPP-General‘, but it is worth looking at DHCP here.

When the user connects, they will need an IP address from the LAN they are dialling into. Draytek have several ways of dealing with this:

1. If DHCP is enabled on the router LAN, PPP will use that to assign an IP
2. If DHCP is not enabled, PPP can assign an IP from its own ‘pool’ of addresses
3. The user can be assigned a fixed IP address – see ‘setting up user’ below

No 1 is the easiest, and is the default. No 2 is also enabled by default, and will kick in if you disable DHCP on the LAN. No 3 is a property of the user’s VPN profile, and can be used without disabling 1 or 2.

Here, the router will assign 50 addresses from 192.168.1.200 to 192.168.1.249 if DHCP on the LAN is disabled. You just need to make sure these will not clash with existing IPs or the DHCP range on your LAN.

–

Set the IPsec pre-shared key

The PSK is like an additional password that is set at both the router and Windows client end. The same PSK is used by all dial-in VPNs. The Windows client uses ‘standard’ IPsec PSK, not XAUTH, so the ‘General PSK’ fields need to be completed. The PSK is just a piece of text, rather like a password, but would normally be long and contain all kinds of random characters. It is important to security, so choose a nice long one BUT make sure you have an accurate note of it, as you will need to type it in correctly at the Windows client end. The user may never see this as it is typed in only once when setting up the VPN client.

–

Set IPsec security methods

This may be better set to ‘Medium’ on newer Drayteks, or disabling AH, DES and 3DES on older routers.. To better understand why, and what IPsec security is all about, see my separate blog ‘Windows-Draytek-IPsec-negotiation‘.

Increasing security on newer Drayteks:

and on older Drayteks:

–

Setup the user

The only actions that are required are to tick enable and enter username and password. Remember the ‘dial-up users’ PSK has already been set.

By default, dial-in types ‘L2TP with IPsec’ and ‘IPsec Tunnel’ are already ticked (along with all other protocols, but not PPTP on later routers). IKEv1 needs to be ticked for an L2TP VPN

The username will identify who is connected, so would usually be related to their ‘real’ name, eg ‘ABromley’. Both username and password could be different from the user’s Windows password – so if one is hacked, the other is not. The password could be long and/or complicated, as it can be remembered by Windows and the user may never see it or type it in (if you type it in for them when setting up their VPN).

A static IP can be assigned if you wish. Sometimes this is useful if DHCP is not used, or as a means of identifying which VPN is generating network traffic when using Wireshark. The IP must, of course, be taken from the router’s LAN subnet. You could also:

• change idle timeout to 0 seconds (so if the user leaves their computer for a while the VPN will not drop)
• disable unused protocols (eg PPTP, SSL or OpenVPN, IKEv2 EAP, IPSEC XAuth)

We will look at some of the other options and features later. For now, that completes the router setup. We can now turn our attention to the Windows client.

—

Windows

The procedure for Windows 10/11 is very similar (if not identical). The VPN can be created using the GUI, by using Powershell (or a batch file that calls Powershell) or by Group Policy.

Windows VPNs can be system-wide – where the VPN is available to any user who logs on to that PC, or per-user – where the VPN is only available to that user. Which you choose depends on whether you want a VPN available to all users who logon the the PC, or just named users.

Its also worth thinking about whether you want to use ‘Split Tunnelling’. If the VPN is connected with Split Tunnelling enabled, ONLY network traffic for the remote network is sent over the VPN. General Internet traffic (web browsing etc) from your PC is NOT passed over the VPN and exits by the usual route – over wireless to your home router, for example. Split Tunnelling sounds normal and it is probably what you want; but it is not the default in Windows. Windows will, by default, send even your Internet traffic over the VPN to exit to the Internet via the remote router.

Why would you ever NOT choose split tunnelling? There are a few reasons – you may want your users Internet traffic filtered by your Office firewall, for example. Or, you may have a network with several subnets behind the VPN router. Or, in the case of dialling-in to a pfSense router, it is sometimes just easier.

Setup the VPN – PowerShell method

This method is by far the easiest.

For a per-user VPN, copy this command into notepad. Edit it with your own name, fqdn/IP and PSK, then copy it into a non-administrator PowerShell window:

Add-VpnConnection  -Name '<name>'  -ServerAddress '<fqdn or IP>'  -TunnelType 'L2TP'  -AuthenticationMethod 'MSCHAPv2' -L2tpPsk '<PSK>' -SplitTunneling -RememberCredential

…note how split tunneling is automatically enabled using this method.

System-wide VPN

…simply add ‘-AllUserConnection’ to the above command line, and paste it into an administrator powershell window.

Setup the VPN – GUI method

This procedure sets up a per-user VPN. Setting up a system-wide VPN requires a different starting point – see below.

Click Start/Settings/Network and Internet/VPN/Add a VPN. Complete the settings. Most should be self-explanatory,

• Server name or address: is the public IP of your VPN router. Either fqdn or IP can be used
• Pre-shared key: the same PSK that you defined in the router
• Password (optional): You can type the password here and leave ‘remember my sign-in’ ticked, in which case the user will be prompted for credentials. If you leave the password blank, then the user will need to type it it when they connect for the first time (it will be remembered after that). If you leave both the password blank and ‘remember my sign-in’ unticked then the user will have to type in their credentials each time they connect.

That should now connect – but will not have split tunnelling enabled. Your Internet traffic will be sent over the VPN.

• Right-click the Windows Start button, Network Connections.
• Scroll down to ‘Change adapter options’.

or, in the Windows search box type ‘ncpa.cpl’ and click on the ‘Control Panel Item’. Then,

• Right-click your VPN connection and open Properties.
• In the Networking tab, select Internet Protocol Version 4 (TCP/IPv4).
• Click Advanced.
• In the General tab, click Advanced.
• Disable Use default gateway on remote network.
• Restart your VPN connection.

System-wide VPN

• Right-click the Windows Start button and go to Network Connections.
• Scroll down to Network and Sharing Centre
• Setup a Connection or Network
• Connect to a workplace
• No, Create a new connection
• Use my Internet Connect (VPN)
• Enter server IP or FQDN, give it a name, and tick ‘allow other people to connect’.

That will create the VPN. You will need to manually set the type to L2TP, enter the PSK under ‘advanced’, and set authentication to MS-CHAPv2 by running ‘ncpa.cpl’ and editing the connection:

Split tunneling can be enabled the same way as described above.

—

Troubleshooting

VPN connections can be quite difficult to troubleshoot, mainly because Windows has no useful VPN logging or error messages. Draytek logging is OK but needs a bit of interpretation.

Remember that IPsec is established first, then L2TP establishes and PPP authenticates the user. We can make some deductions at the Windows end by watching the VPN connect. If the connection seems to wait for a long time before erroring, it is likely the IPsec negotiations that are failing. If you get as far as entering username/password then IPsec has succeeded.

A long wait with no error is likely that IPsec can’t even get going.

• Is the server IP or FQDN correct?
• Is IPsec enabled on the router in both the ‘Remote Access Control’ and on the user profile?
• Are packets sent from Windows even reaching the Draytek? (See ‘Checking the Draytek logs’, below)

The error message below is most likely the PSKs don’t match. It could also be that the proposals don’t match but this is unlikely as thet are pre-configured in both Draytek and Windows.

• Are you sure the PSK is correct at both ends?
• At the Windows end, is the VPN definitely L2TP with PSK (not with certificate)?

If you now get a username/password box, then IPsec has succeeded. Entering the correct username/password should move the negotiations on to the final stage – IP allocation. If you are repeatedly prompted for username/password, then it is likely to simply be incorrect username/password (or the account is not enabled).

–

Checking the Draytek logs

You may want to see evidence that the connection attempts making it to the Draytek, To check this, look at the logs in the Draytek:

• Diagnostics/Syslog Explorer
• ‘Web Syslog’ tab
• Tick ‘Enable web syslog’
• Syslog type: VPN
• Display mode: always record the new event (you will need to refresh regularly)

The log will look similar to this:

Try and connect. The first syslog message (at the bottom) will be ‘Responding to Main Mode from x.x.x.x’ where x.x.x.x is the Windows computer’s public IP address. This shows that the router has received the first packet from the Windows VPN connection, recognises it a an IPsec packet, and has responded by replying. Negotiations continue:

• ‘Matching General Setup key’ means the Draytek is checking PSKs
• ‘Accept Phase 1 proposal’ means PSK and proposals match. Phase 1 of IPsec negotiations has succeeded
• ‘Accept ESP proposal’ means that phase 2 has succeeded
• ‘IPsec SA established’ means that the IPsec part of the process has completed successfully

If, on first connect, you see a username/password box, then you know that IPsec part of the connection has succeeded. Negotiations continue – note that several lines have been removed from this trace (which has now been exported from Syslog to a .txt file):

• “L2TP <== Control’ is the start of L2TP negotiations
• Note ‘PPP Start’ and ‘CHAP login OK’
• Note the IPCP messages, where IP address is allocated
• Finally, ‘[H2L][UP]…’ Shows that the VPN user (AdrianB) is successfully connected.