Draytek Vigor 2830 VPN bug
I support sites that use Draytek Vigor routers and have quite a lot of them in service. These tend to be the business grade Vigor 2820 series, and the sites use them for their good Virtual Private Network (VPN) support as they connect reliably and securely to various firewalls. The VPNs are all IPsec based and, once correctly configured, work well and generate very few problems.
One of my customers told me that they would be introducing a new Electronic Point of Sale (EPoS) system that would require a secure connection (VPN) between their shops and the head office. The EPoS supplier had recommended Draytek Vigor routers, so I expected the job to be pretty straightforward.
I already had a base configuration that I knew worked, so all I expected to do was get the customer's firewall correctly configured and then configure one router so I could show their IT staff how it all works. Well, that was my plan, but it has not turned out to be quite as easy as I had thought it would be.
My customer had purchased the latest Draytek Vigor 2830, as this is the replacement for the 2820s that I have previously used. The hardware looks identical and at first glance the firmware also looks the same. Upon further investigation it soon became clear that the firmware has a few extra features and the IPsec VPN configuration is a little different, but nothing major.
I took a 2830 away to configure in my office, as I could connect it to my own DSL service and test the router and the VPN connection. The customer used my existing IPsec VPN configuration documentation as a template and soon had their firewall configured and ready for my router to connect to it.
Yet despite my best efforts I could not get the test router to connect to the firewall. After several hours and lots of checking I decided to contact one of my working sites to see if I could get a connection to their system. Doing this would allow me to pinpoint whether it was an issue with the configuration on the Draytek Vigor 2830 or the firewall configuration. I really expected it to be a firewall issue, as the Draytek Vigor router was using a configuration I already knew was working at many other locations.
I added a new IPsec VPN configuration for an existing site and tried to get a connection, but again it failed. Although disappointing, at least I now knew that I had some sort of issue with the 2830, as the 2820s this customer has were all working correctly. I went through the configuration very carefully but could not find anything that was different from that being used on the 2820s, yet mine would not connect.
Then, in a moment of desperation, I went through all the other options available for the VPN configuration and came across the IPsec General Set-up page. Now, I have never used this page on the 2820 as it refers to a Dial-In VPN and all of mine are Dial-Out. Neither had I needed to mention it in the 100-plus page documentation that I have supplied to several customers. They use the documentation to configure their own Draytek Vigor routers, so I know it works.
I even checked with my working site that has the 2820s, and they have never ever used the settings on this page, for the same reason that I do not touch it. Still, nothing was working, so I had nothing to lose by trying it. I noticed that it had a setting for the IPsec security method and this was ticked. So I removed the tick and clicked on the OK button. Doing that resulted in the following error message appearing:
'The dial in Pre-shared Key hasn't been set yet.'
Notice that it says that it is the Dial-In PSK, and I am not using a Dial-In VPN; it is not even configured, so this should not be necessary. However, the only way to remove the error was to put something into the PSK field. So I used the same PSK as that configured for my IPsec VPN. Now the device was happy and it allowed me to save my settings.
I tried to initiate a VPN connection again and this time it connected. Argh . . .
I soon realised that something was very very wrong. The 2830 can support a lot of VPN configurations and yet this Dial-In PSK can only hold one code. So it was impossible for this to be causing my problem. Yet it clearly was having an effect because now my VPN worked. Time to find out just what was happening.
I went back into the PSK field and this time I changed it from the customer's PSK to the word 'Madness' and saved the setting. Yet again my VPN connected without any issue. Now at least I knew that the content of this PSK field was definitely not being used in my VPN configuration. So why did it need something in this field to work?
I also realised that I had unticked an option so I decided to go back and tick it to see if that stopped my VPN from connecting. It did not. So now it really looked like my VPN was connecting simply because I had put the word Madness into the IPsec General Set-up page PSK field. Of course it could be any word and at that time I could think of a few I wanted to use.
Only one test left and that was to do a factory reset and try the test again without putting anything into the IPsec General Set-up page.
I did a factory reset so I had a clean router. I then redid the specified ADSL settings and all was well. I did the LAN IP settings and all was well. I then followed my own instructions to create the new VPN that I knew did work, and all was not well. It would not connect to the firewall.
So I went to the IPsec General Set-up page and entered 'Madness' twice, as you must confirm the PSK, and then the router was happy. Of course this is not the PSK, so it should not work, but guess what?
Yes you guessed correctly.
The VPN then connected without any trouble.
So it seems that you will not be able to get a Dial-Out IPsec VPN to connect unless and until you put something, anything, into the Dial-In PSK field. Now that really is as mad as a box of frogs.
I did contact Draytek support to report this issue, as well as putting it here on my web site to save other poor sods from wasting many hours trying to figure this out.