2

UPDATE: Router error logs show:

LCP Time-out 0

I'm not sure how to correct this. The Lan-to-Lan profiles are set to -1 Idle Timeout (for the remote branch).

I have a PPTP VPN running between two Draytek 2820 routers. They are set up so that one dials out to the other one.

Main Practice - 192.168.1.0/24
Branch        - 192.168.3.0/24

I have then set (on the Branch router) the following route:

192.168.1.0/24

If I then request a server running on 192.168.1.1 from the Branch, it correctly routes through VPN tunnel. If I request the branch server at 192.168.3.1 it correctly routes to the local server without using the VPN tunnel.

I have temporarily disabled the firewall on both routers, and made sure that QoS is disabled.

The Main Practice internet connection is ~30mb down / ~10mb up, and the Branch connection is ~5mb down / ~2mb up.

Anything over the VPN tunnel runs pretty slowly (VNC, Remote Desktop and Terminal Emulators). However, if I dial using the Windows VPN wizard, creating a connection from the laptop to the Main Practice - everything runs quickly.

I'm looking for possible causes, and/or ways of further diagnosing the issue. Any help would be greatly appreciated!

UPDATE: In summary, when I connect within the Branch and try and access a host that's within the Main Practice it works, but slowly. If I then dial the VPN on my Windows 7 laptop whilst still connected to the Branch network, it's fast.


Routing Table from Branch Router

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*            0.0.0.0/ 0.0.0.0          via 126.256.126.103   WAN2
C~      192.168.1.99/ 255.255.255.255  directly connected   VPN-1
S~       192.168.1.0/ 255.255.255.0    via 192.168.1.99     VPN-1
S~       192.168.2.0/ 255.255.255.0    via 192.168.1.99     VPN-1
C~       192.168.3.0/ 255.255.255.0    directly connected    LAN2
C    126.256.126.103/ 255.255.255.224  directly connected    WAN2

Routing Table from Main Practice

Key: C - connected, S - static, R - RIP, * - default, ~ - private
*             0.0.0.0/         0.0.0.0 via 81.139.64.1,   WAN2
S        81.137.176.1/ 255.255.255.255 via 81.137.176.1,   WAN2
*         81.139.64.1/ 255.255.255.255 via 81.139.64.1,   WAN2
C~      192.168.1.204/ 255.255.255.255 is directly connected,    VPN
C~        192.168.1.0/   255.255.255.0 is directly connected,    LAN
S~        192.168.2.0/   255.255.255.0 via 192.168.1.204,    VPN
S~        192.168.3.0/   255.255.255.0 via 192.168.1.203,    VPN

Connection Details (from Branch Router)

[Screenshot: connection details from Branch Router]

Connection Details (from Main Practice Router)

[Screenshot: connection details from Main Practice Router]

IPERF.exe Output

[Screenshot: IPERF.exe output]

If it helps, here is the output from the IPERF.exe server

[Screenshot: IPERF.exe server]

dannymcc
  • I'm not understanding the question or the problem. Could you rephrase the question? – joeqwerty Nov 10 '11 at 15:46
  • Sorry, hopefully it's clearer now? – dannymcc Nov 10 '11 at 15:54
  • FYI, you don't need to specify the route manually as VPN remote subnets are added to the routing table anyway – BoyMars Nov 10 '11 at 16:06
  • Also, can you detail the options used in your lan-to-lan profile? – BoyMars Nov 10 '11 at 16:08
  • I've added some screenshots of the lan-to-lan setups. I didn't realise I didn't have to explicitly set the routes. – dannymcc Nov 10 '11 at 16:21
  • Aye, the routing table is under Diagnostics. I'd imagine with the IPSec tunnel you are limited to a maximum connection speed of 2Mbps (since this is the lowest speed on both connections), but when you connect directly to the main router it has a considerably faster upload speed. You can verify the actual connection speed on the Connection Management page. – BoyMars Nov 10 '11 at 16:57
  • I've added the output of the routing table (from the Branch) and the connection management screenshot to my question. The routing table looks ok to me, no loops etc. that I can tell. – dannymcc Nov 10 '11 at 17:12
  • Can you post the output of the interfaces for both connections? – Rowell Nov 10 '11 at 17:22
  • @Rowell, do you mean show the connection management screen for the Main Practice as well? – dannymcc Nov 10 '11 at 17:30
  • I've added the routing table and connection management details from the Main Practice router. – dannymcc Nov 10 '11 at 17:34
  • I was referring to more detailed interface stats. Are there any errors on the interfaces? – Rowell Nov 10 '11 at 19:02
  • @Rowell, sorry - I'm not sure where to find that information? – dannymcc Nov 10 '11 at 19:06
  • If it helps, the logs for the Branch router shows 'LCP Time-out 0' – dannymcc Nov 13 '11 at 03:06
  • OK, so we have a subjective assessment of VPN performance... could you run `iperf` over the tunnel and tell us what you get? – Skyhawk Nov 13 '11 at 04:22
  • I have added the iperf output to the original question. – dannymcc Nov 14 '11 at 09:47
  • A packet capture would help (to show dropped packets), but it may help to set the MTU of two of the computers on both sides of the connection to 1400 to see if that helps. – Greg Askew Nov 13 '11 at 03:20
  • If I connect to the VPN of the Branch (from home) and then run Wireshark whilst connecting to the Main Practice server, would that be ok? – dannymcc Nov 13 '11 at 03:21
  • I think a capture from the main location and the branch is required. – Greg Askew Nov 13 '11 at 03:43
  • ok, I'll run Wireshark from the two locations as soon as possible. I will make sure I am requesting something from the 'other' location. – dannymcc Nov 13 '11 at 11:25
  • I've run Wireshark at the Main Practice for a short time - https://gist.github.com/1363547 – dannymcc Nov 14 '11 at 08:44
  • I've also run Wireshark at the Branch for a short time - https://gist.github.com/1363635 – dannymcc Nov 14 '11 at 09:53
  • Did you ever get this solved? I am having the exact same issues and for the life of me cannot sort it out. – namit Aug 25 '14 at 20:28
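
The route selection described in the question (192.168.1.1 through the tunnel, 192.168.3.1 kept local) can be checked mechanically with a longest-prefix match over the posted Branch routing table. This is an added example, not part of the original post: `parse_routes` and `lookup` are hypothetical helper names, and 203.0.113.103 is a constructed stand-in for the obfuscated WAN address.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Branch routing table as posted in the question. The WAN address is a
# constructed stand-in (203.0.113.103) for the obfuscated one on the page.
BRANCH_TABLE = """\
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*            0.0.0.0/ 0.0.0.0          via 203.0.113.103   WAN2
C~      192.168.1.99/ 255.255.255.255  directly connected   VPN-1
S~       192.168.1.0/ 255.255.255.0    via 192.168.1.99     VPN-1
S~       192.168.2.0/ 255.255.255.0    via 192.168.1.99     VPN-1
C~       192.168.3.0/ 255.255.255.0    directly connected    LAN2
C      203.0.113.103/ 255.255.255.224  directly connected    WAN2
"""

ROUTE_RE = re.compile(
    r"^(?P<flags>[CSR*~]+)\s+(?P<dest>[\d.]+)/\s*(?P<mask>[\d.]+)\s+"
    r"(?:via\s+(?P<gw>[\d.]+)|(?:is\s+)?directly connected),?\s+(?P<iface>\S+)$"
)

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None for directly connected routes
    iface: str

def parse_routes(table: str) -> list:
    """Parse routing-table text in the posted layout; other lines are skipped."""
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            # strict=False: connected entries list a host address with its mask
            net = ipaddress.ip_network(f"{m['dest']}/{m['mask']}", strict=False)
            routes.append(Route(net, m["gw"], m["iface"]))
    return routes

def lookup(routes, dest: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)

if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.3.1", "8.8.8.8"):
        r = lookup(parse_routes(BRANCH_TABLE), host)
        print(f"{host:<12} -> {r.iface} ({r.network}, via {r.gateway or 'connected'})")
```

The same pattern also accepts the Main Practice layout ("via x.x.x.x," and "is directly connected,").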

1 Answer

3

Your VPN connection uses MPPE encryption, but according to the router's page http://www.draytek.co.uk/products/vigor2830.html, MPPE has no hardware support. Try to set up something else as the encryption protocol (AES/DES/3DES). IMHO it is available only with the L2TP protocol.

Eugene
  • agreed, in this case try using an IPSec (AES) lan-to-lan profile instead of PPTP (uncheck the box for this on inbound) – BoyMars Nov 14 '11 at 13:02
  • It's looking likely that you've hit the nail on the head, I'll test some more and get back to you. Thanks! – dannymcc Nov 14 '11 at 14:26