I am struggling to get a LAN-to-LAN IPSec VPN to work, between RUTX11 and Draytek Vigor2960. As far as I can tell, the log-file indicates successful authentication and protocol phases, but fails with the following:
constraint check failed: identity ‘x.x.x.x’ (ID_IPV4_ADDR) required, not matched by ‘x.x.x.x’ (ID_FQDN)
The logs indicate a mismatch in how the devices identify themselves during the IPSec negotiation. To troubleshoot this, please check the following:
Does one of the endpoints have a public IP address? Ensure that the remote endpoint configuration on RUTX11 correctly specifies the public IP address or domain of the Vigor2960 (if applicable).
Check the Remote ID type on Vigor2960. The Remote ID on the Vigor2960 should be set to the public WAN IP address of RUTX11, rather than an FQDN, to match the identity type.
Verify the local and remote subnets. Double-check that both devices have correctly configured local and remote subnets that match each other.
If possible, provide any additional logs; presuming the issue persists, restart the IPSec tunnel on both devices and share logs from the RUTX11 side.
Good morning.
The RUTX11 is on a 4G mobile connection, so CG-NAT applies.
The Draytek Vigor 2960 has a public IP-address, which was specified as its local-ID.
I think I’ve tried most of your suggestions, but would be glad to share a full log-file if you think you can help?
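The error quoted in the first post shows the same string on both sides with different ID types, so the quickest triage is to separate type mismatches from value mismatches. The sketch below does that over log lines; it is an added example, not part of any post in this thread and not vendor code. The function names, sample addresses and log prefixes are constructed for illustration.

```python
import re

Q = "['\u2018\u2019]"         # straight or typographic quote (forums rewrite them)
VAL = "([^'\u2018\u2019]*)"   # identity value between the quotes
TYPE = r"(?: \((ID_\w+)\))?"  # ID type; optional in case a build omits it
PATTERN = re.compile(
    "constraint check failed: identity " + Q + VAL + Q + TYPE
    + " required, not matched by " + Q + VAL + Q + TYPE
)

def diagnose(line):
    """Classify one identity constraint failure; None if the line is unrelated."""
    m = PATTERN.search(line)
    if not m:
        return None
    want, want_type, got, got_type = m.groups()
    if want == got and want_type != got_type:
        return ("type", f"value {want!r} agrees, but the peer sent it as "
                        f"{got_type} where {want_type} is required")
    if want != got and want_type == got_type:
        return ("value", f"ID type agrees, but the peer sent {got!r} "
                         f"where {want!r} is required")
    if want != got:
        return ("both", f"peer sent {got!r} ({got_type}), "
                        f"required {want!r} ({want_type})")
    return ("unknown", "value and type look identical in the log text")

def scan(lines):
    """Return the mismatch kind for every matching line, in order."""
    return [d[0] for d in map(diagnose, lines) if d]

# Constructed sample lines: documentation addresses, made-up log prefixes.
SAMPLE_LOG = [
    "11[IKE] authentication of '203.0.113.10' with pre-shared key successful",
    "11[CFG] constraint check failed: identity '203.0.113.10' (ID_IPV4_ADDR) "
    "required, not matched by '203.0.113.10' (ID_FQDN)",
    "12[CFG] constraint check failed: identity '203.0.113.10' (ID_IPV4_ADDR) "
    "required, not matched by '198.51.100.7' (ID_IPV4_ADDR)",
    "13[CFG] constraint check failed: identity '203.0.113.10' (ID_IPV4_ADDR) "
    "required, not matched by 'vigor.example.net' (ID_FQDN)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = diagnose(line)
        if result:
            print(f"{result[0]}: {result[1]}")
```

A "type" result means the peer's ID payload carries the expected string under a different ID type, so the fix is in how the ID type is configured on one end, not in the address itself.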