VPN Tunnel to Draytek - Multiple subnets but only one Security Association created

Description

A VPN tunnel to a Draytek router comes up with only one Security Association (SA), although there are many Local/Destination Networks, so more SAs should be created.

Cause

It looks like Draytek does not fully support multiple phase 2 security associations for a single VPN Policy with the default settings.

Resolution

To fix this, enable the option "Create Phase 2 SA for each subnet" on the Draytek (Vigor) router.

However, this may not work if the Perfect Forward Secrecy option is disabled on the SonicWall. Enable it in the configuration of the VPN tunnel to the Draytek.

For further details, see "Create multiple Phase 2 SA for IPsec tunnel to connect multiple subnets in one VPN profile".
