iPhone IOS, iPad or Mac OSX to DrayTek Vigor 2860 or 3900 via VPN Connection

The newer Mac and IOS versions no longer support the Microsoft PPTP versions and so connecting to your office or home has become more difficult unless you are using MAC OSX Server or similar. Here we are going to go over how to connect your IOS or OSX device to your DrayTek router so that you can use your local LAN or browse the internet as if you were back at home.

If you are looking for a service to connect you to the UK for internet browsing whilst abroad, please feel free to enquire about our UK VPN dial-in services.

First of all log in to your router control panel as normal, in this case we are looking at a 3900, but the 2860 is the same:

Firstly, we are using an L2TP over IPSec connection in this instance, so let's make sure that the services are being supported. Go to VPN and Remote Access and then Remote Access Control and make sure that the L2TP and IPSec services are enabled, as below:

Next we need to set-up the IPSec pre-shared secret. To do this we go to IPSec General Setup and enter the shared secret that all of the IPSec sial-in users will need to have:

In this example we are leaving the incoming internet port as WAN1 and the internal network DHCP profile as LAN1 but you should configure these as appropriate for your network.

Now if you are using the router's DHCP services then you can skip the next step but in this example the 3900 is part of a Windows server network and the servers provide DHCP and so we are going to configure the router to pass on the DHCP from the server as the users will need to access the server network remotely. To this end we go to PPP General Setup and click the L2TP tab at the top:

From the above I am selecting to enable DHCP and choosing the DHCP Server Location as LAN1 as it is in this case. I then enter the DHCP Server IP Address with the Windows Server providing the DHCP services. 

Go to User Management and then User Profiles and select Add:

Enter the details of the user and click the tick box to enable the VPN. Scroll down to the PPTP/L2TP/SSL section and enable L2TP Dial-in for this user and then click Apply:

Now you can set-up your IOS or OSX Apple clients:

Go to Settings then General and select VPN and Add new VPN configuration:

Change the VPN type to L2TP: 

Now enter the details you entered for the VPN user:

Once you have entered the details, click Done.

Now go back to the settings page, find the VPN option and click the slider on the right to start the VPN:

Once the VPN has connected you will be able to see the VPN icon at the top of your screen:

DrayTek Vigor 2830 Dynamic IP to 3900 Static IPSec VPN

There are two main points to bear in mind when configuring the dynamic IP address connections to a static Vigor. The first is that you need to configure the IPsec shared key in two places on the static host DrayTek Vigor VPN router. Firstly under IPSec General Set-up (which is the same place as you configure the IPSec key for L2TP) and then under the VPN Profiles (or LAN to LAN if it is an older model.)

Lets configure the DrayTek Vigor 3900 static IP host router first:

Go to IPSec General Setup:

Enter the IPSec shared key you are going to use for your VPN, or if you are already using that shared key for other connections, look up what you are using and make a not of it as we will need to enter that shared key again shortly.

Now go to VPN Profiles and we will configure the IPSec specifics for the host static end of the VPN. To continue, click Add to open a new profile window and choose an IPSec VPN. Leave the 'For remote dial-in user' selection at disabled.

So in the above we use the wan port that the external IP being targeted by the other VPN router.

The local IP/Subnet mask is the IP range used by the internal network of the 3900 with the static external IP. In this case we are using a class C subnet of 192.168.x.0

The local next hop is left as the default to use the wan1 default gateway (in the above we are using wan1 but as stated you must use the external IP that the 2830 is pointed towards)

The remote host remains at 0.0.0.0 as the remote Vigor 2830 is on a static IP

The remote network mask is the internal IP LAN subnet of the 2830 with a dynamic WAN address - in this case we are using another 192.168.x.0 address

For the IKE phase 1 we will stick with Main Mode

The authentication type we will leave as PSK - Pre-Shared Key

The pre-shared key we entered earlier we enter again here...

The security protocol we are choosing is encrypted and so we select ESP

Now we move onto the Advanced tab:

We are sticking with the default time-outs for DrayTek Routers.

We are selecting Perfect Forward Secrecy to be enabled (PFS)

Dead peer detection can be enabled to allow for VPNs to be picked up again quickly after a brief connectivity issue.

Route/NAT mode should be: Route

Apply NAT policy should be: Disable

NetBIOS naming packets in this case I am selecting: Enable as this will allow ICMP traffic for Windows client/server communications to behave as if on the same network. 

Multicast via VPN we will leave: Disabled

RIP via VPN we will leave: Disabled to simplify getting the VPN up and running - you may wish to enable this at each end afterwards for router discovery.

Now we proceed to the Proposal Tab as we are not enabling GRE in this example:

Now we configure the encryption methods:

We are using AES G5 (Group 5) and AES with authentication as above and leaving the other options as accept all to bring the VPN up reliably and quickly.

To enable compatibility with the 2830 we are sticking to Group 5 but if you are using a 2860 you can use Group 14 (G14) instead as long as you match both ends.

Once all of this has been entered we can click Apply and await the router to confirm that it has accepted our VPN details...

Now we configure the 2830

In this example we are going to stick with using the LAN to LAN or VPN profiles tab as not all models have the VPN client and server wizard options, but either method will work as long as you get all of the encryption, LAN and endpoint data correct:

Below we have already gone to VPN>LAN to LAN and clicked on a profile number to start entering the data:

Give your profile a name and tick the box to enable it.

On this router we are using WAN 2 as it is behind another router (and yes it will still work with or without passthru as this is a dial out only configuration from the dynamic end. There is no point trying to dial back to a router you do not know the WAN IP address of.)

We are selecting the VPN type as Dial-Out only. If you wish the VPN to allow for full time connection so that you can access the remote computers then be sure to tick 'Always On' and Enable Ping to Keep Alive and use the IP address of the remote router LAN port on the other internal network (in this case the LAN port IP of the Vigor 3900.) This will basically make the VPN permanent allowing you to easily administer the computers at the dynamic WAN IP site where the 2830 is located.

Once again we are enabling the NetBIOS packets tick box.

Multicast via VPN is disabled again.

We enter the Vigor 3900 WAN IP/Host name in the server IP/Host Name box.

Click the IKE Pre-Shared and enter the same Pre-Shared key as before and click OK

Leave the dial in boxes empty as nothing can dial into a dynamic WAN router.

Do not specify the other end of the VPN as it is a dynamic IP address.

Leave the IKE authentication box as it is as there is no dial in IKE

My WAN IP should remain 0.0.0.0

The remote VPN gateway is the WAN IP of the 3900 static IP router

The remote Network IP is the subnet of the remote 3900 static IP router, in this case 192.168.x.0 and the remote network mask is a class C of 255.255.255.0 in this case which is the LAN subnet of the 3900

The Local Network IP is the LAN subnet of the router you are configuring and the subnet is once again a class C of 255.255.255.0

We are leaving RIP as disabled and Route as the method of traversal between subnets.

Now we can click OK and go to the VPN connection management page to see how our VPN is getting on:

On the 2830 the HQ VPN has come up and will stay up as we have configured 'always on' and 'ping to remote IP' meaning that when the IP changes at the 2830 WAN it will pickup and stay up allowing us to configure the remote router and PCs securely if we wish.

Now on the 3900 status we see:

Where the VPN is showing happily at the other end also proving that the VPN is encrypting data and sending and receiving successfully.

Buy the DrayTek Vigor 2860

Buy the DrayTek Vigor 3900

DrayTek Vigor 2860 to 3900 IPSec VPN

This example is useful when connecting a VDSL/FTTC satellite office (with a Vigor 2862/2860) to a Dedicated Ethernet Fibre (Vigor 2960/3900) Hub Office with a secure IPSec VPN. Both offices have a static IP in this example and are available for us to configure at the same time...

Firstly we shall configure the hub Vigor 3900 router at the hub office endpoint for the satellite office to connect to.

Firstly login as normal to see the home screen:

Now go to VPN and Remote Access and choose VPN Server Wizard and select IPSec as your VPN type:

Click to select creating a new VPN profile, choose a name - I have called this one HubOffice -  and click next:

Now we are going to enter the VPN specific information to allow our satellite office to connect:

• Tick the Enable box to enable the VPN
• Choose the WAN port you are using for the internet connection that will carry the VPN and for which we will be using the external IP address of
• Enter the local subnet - this is not provided automatically so enter your local subnet that the satellite office is being provided access to - this may well be the subnet you are using
• Leave the next hop as 0.0.0.0
• The remote host is the external WAN IP of the satellite office Vigor 2860
• The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860 LAN
• If there are any other subnets hung of the back of the Satellite office - if it is a hub in itself - then you can add the extra subnets here but this can often be a hinderence in getting the VPN to come up so we shall leave it blank for now.
• Auth type is PSK for passphrase/shared secret that we will enter momentarily
• Pre-shared key - enter a long string that you have made a note of, as it is to be entered in the 2860 router later
• Security protocol - leave at ESP
• We are leaving the DPD delay and timeout boxes as default

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page and that is what we shall do:

Now we shall proceed to configure the 2860 which has a pretty much identical interface:

We won't use the VPN Client Wizard so that you can see all of the steps, we will configure the VP manually, click VPN and Remote Access > LAN to LAN:

then select a number corresponding to the profile you wish to configure:

• First tick the Enable box to enable the profile
• Give the profile a name
• Choose the WAN1 interface for the VDSL interface if that is what you are using for the VPN external WAN IP address
• Click the pass NetBIOS box to allow ICMP traffic between the offices
• Leave Multicast blocked
• To the right of that leave the call direction as Both
• Below to the left select IPSec as the VPN type
• Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
• To the right, click on the IKE Pre-Shared Key button and enter the key as you entered it into the DrayTek Vigor 3900:

• Now below that enter the IPsec method as High(ESP) AES with Authentication, then click the advanced button
• Click the option to enable PFS - perfect forward secrecy

• Leave the other timeouts as they are and click OK
• Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
• Leave the GRE settings as blank and proceed to the bottom section 5.

• Enter the DrayTek Vigor 2860 WAN IP in the first box
• Enter the DrayTek Vigor 3900 WAN IP in the second box
• Enter the DrayTek Vigor 3900 LAN IP network address in the third box
• Enter the DrayTek Vigor 3900 LAN subnet in the fourth box
• Enter the DrayTek Vigor 2860 LAN network address in the fifth box
• Enter the DrayTek Vigor 2860 LAN subnet in the final box
• Leave the RIP settings as they are.

Now you should be able to go to the connection status on either router and see that the connection is live and be able to ping the other office from each respectively...

Buy the DrayTek Vigor 2860

Buy the DrayTek Vigor 3900

DrayTek Vigor 2830/2860 to 3300/V/+ router IPSec VPN

This example is for an environment with a static IP at each office.

Firstly let us set-up the 3300 head office router:

After logging in, go to the VPN menu, then to IPSec and then to 'Policy Table'

In this example we are going to use AES encryption with authentication for the maximum security available.

Firstly we enable the profile.

We name the profile something that explains the VPN and then we choose preshared key, which in this example is our preferred security key. Our security protocol will be ESP and we choose NAT Traversal to be enabled. In this example I am not enabling NetBIOS but if you are adding a VPN to extend a Windows domain then you should choose Pass here.

As we are connecting to another DrayTek device we are not going to change the default time-outs but if you do, they must be mirrored at the other end to enable the VPN. We will change the security settings though as we wish to ensure AES256-sha1 encryption and authentication.

We are ticking the PFS Perfect Forward Secrecy box also:

Now we can click Apply and configure the DrayTek Vigor 2830/2860...

Under the VPN menu, go to Lan to LAN to set-up your connection to the DrayTek 3300

Click the number corresponding to the first available unused profile...

Now we are going to enter the details required to connect to the 3300 router:

We are once again giving it a name relevant to the connection. In this case we are connecting through WAN2 but you can choose WAN1 if you are using ADSL/VDSL

NetBIOS should be enabled/disabled depending on whether you are allowing file access to Windows machines across the VPN. In most cases with Windows machines you would pass NetBIOS packets.

The call direction is set to Both to allow either end to start the VPN.

Under Dial-Out settings we set the VPN type to IPSec once again.

We enter the domain name/ip address of the external interface of the other 3300 router in the box below.

We now tick the Pre-Share Key box to the right and click the Pre-Shared Key button to enter the same key as we entered into the 3300 Pre-Shared Key box.

Below that we select the High(ESP) option and choose AES with Authentication as we did on the 3300

Now click the Advanced Box:

We are mirroring the settings from the 3300 here so we choose the AES256-SHA1_G5 for phase one and AES-256 for the phase two proposal.

Once again we select the Perfect Forward Secret option and the timeouts are already consistent.

Click OK when done.

Now under IPSec security method, tick only the AES box and then enter the IP address details at the bottom of the page:

We enter the external IP of the 2860/2830 first in the My WAN IP box.

Enter the remote 3300 router external interface address in Remote Gateway IP addres box.

Then enter the remote DrayTek 3300 internal network subnet details in the two boxes below that.

Finally enter the DrayTek 2860/2830 local network subnet details in the two boxes below that.

Click OK when done.

Now under VPN and Remote Access on the 2860/2830 you should see the connection as live:

Buy DrayTek routers here 

PC and Computer Components Explained

The Motherboard. This is the backbone of your computer system. All of the data connections (busses) between all of the components are embedded into the Motherboard and it is where you insert or plug all of the peripherals, cards, the processor and the memory. The motherboard hold the BIOS - the Basic In/Out System which is the onboard software which allows the hardware to be managed and to identify itself to the Operating System.

The RAM - Random Access Memory. This is the middle-man between the Hard Disk Where everything is stored, and the CPU, where all the work is done. It is much faster to read and write to than a Hard Disk because it has no moving parts and so can move as fast as the micro transistors can. It is where all of the tasks that your computer is currently dealing with are being stored and these tasks will be reporting back to the Hard Disk to file the results or to seek further information from archived files.

The Hard Disk Drive or HDD is the filing cabinet for all of the information on your computer. Here is kept your Operating System, Your Applications and all of your Data. Everything that makes your computer different from the day it was installed is remembered and altered in the Hard Disks' file system. The Hard Disk is a magnetic storage device that is changed by electro-magnetic forces, but retains its information when left without power even for long periods - just like a magnet.

The Operating System is the software base that is loaded onto your computer which allows all of your applications to understand how to use the peripherals like the processor, memory, keyboard and monitor, and so makes it possible for you, as the user, to manipulate and interact with the system. The Operating System or OS is the fundamental building block of software that understands all of your actions and without it, your computer cannot understand anything you tell it.

The Output Devices make up all of the equipment which allow us to experience the incredible power computers have come to hold over us all. Monitors (Pictured) Soundcards, Network Cards, Projectors are all examples, and there are many more. Any means of us interpreting or communicating the results of a computation are reliant upon being told what the result is and this can only be done by the computer controlling an output device in a way suitable for us to understand.

The Processor or CPU (Central Processing Unit) does lots of the real work that your computer is asked to do. It is the core of the computer being on the fastest part of the Bus and processing every job loaded from the memory or hard disk. The memory will be on a part of the system bus that will be a fraction of the speed of the processor bus but that may be faster than the rest of the bus, this core part of the bus is often called a Front Side Bus or FSB and can be upwards in speed of 800MHz. Increasingly many components of the computer incorporate their own CPU such as Video Display and Sound Cards so that the PC is slowly creeping toward being given a processor for each task. The latest CPUs from AMD and Intel are twin-core which means that they are really two processors sharing a single bus connection or a single cache which is the memory where the data is stored on which the actual processing is being carried out. The one pictured has a water-cooling system.

The Power Supply is from where the whole system draws its power. The Hard Disk, The DVD/CD reader/writers, sound and video display cards and the motherboard itself all draw current in order to function from the power supply. Usually the power supply is hard fixed to the back of the computer casing and is where you connect the 'Kettle Plug' before switching on. The power supply is then connected to all of the disks and other other 'off-board' components (the Hard disk and DVD/CD readers etc do not connect to the Motherboard for power, they are directly connected to the Power Supply) and the Motherboard. The Motherboard also connects the Power Supply to the on/off switch so that the system all begins taking power at the same time - the switch is connected from the case to the Motherboard to the Power Supply-.

HP DL360 G7 Red Screen of Death Illegal OpCode

This is a fairly disturbing occurrence - when your server, instead of booting-up, just after one recommended update or a fist time reboot after install you receive a bright red screen explaining that the server feels it has done enough and will proceed no further. Not great news if you have a lot of users awaiting emails or database results and even worse if you've never seen it before.

Well this error can be related to a few problems related to running various forms of Linux on SD card drives but it can also affect those of us just running plain old Windows Server on the inbuilt 410i RAID controller.

In essence the message means that it is unable to read the boot device and so has thrown an HP level issue instead of a standard Windows or BIOS error.

I have found this problem in connection with the following:

• Installing using iLO3 with a network accessed ISO file and then rebooting for the first time
• Installing a recommended update to the NICs that made the whole server BSOD and then reboot into this and so we had to fix the error to find out that the DB was intact
• Updating BIOS for the motherboard that has somehow disabled the USB boot in the BIOS and so lost the SD card boot device (which I was using on that occassion)
• Installed the Windows iLO3 drivers which then somehow told Windows, because there was an ISO listed in the ILO3 boot-up system, that Windows was not the boot device

In order to fix these issues you should:

1. Update the iLO3 firmware as there is a fix in the latest versions (allegedly) but I have found this unreliable
2. Disable the iLO if this fails at boot-up
3. Change the boot order in BIOS so that your boot device is first and then:
4. Boot from a Windows DVD and ensure you can see the boot volume and then use the inbuilt repair (this seems to be the best solution for Windows installs)

If all the above fails you can just try unplugging all the PSUs for ten minutes as this is a recommended solution from HP but only for the G8 servers. 

Good luck with a really distressing and fairly futile error screen.

Oi Windows 10, give me back my PC !!!!

If you are, like me, a very boring web user who doesn't go to many unknown websites or watch lots of unsubscribed videos etc. then you might be feeling a little annoyed with the new 'compulsory real-time monitor' arrangement that Windows 10 suffers from. It is, of course, a sign that your computer hard disk drive is now performing two or three times the work for many operations compared to how it was functioning on Windows 7. Real-time scanning (as the word real-time is supposed to explain) means that every file your computer needs to open is examined in advance by a proprietary process before the system comes into contact with it. Now there are two reasons why I don't like this thinking. The first is the obvious performance problem (and whether that wastes more time, energy and money than all the viruses in the world put together is another question.) The second is that Windows 10 downloads so many updates of such unbelievable magnitude that they kill the performance of your machine and the internet and so what is the point of Windows Defender anyway? This is further compounded by the fact that Windows Update, like Windows Defender, now appears to be compulsory.

OK so let’ shave a look at all of the components and how we can disable them as Microsoft have recently started to run scheduled tasks to make sure that the most performance hungry Windows processes are restarted and re-enabled at regular intervals such as Sharepoint Sync in Microsoft Office and Defender in Windows 10.

So we will begin by using the simplest and safest way to disable the Windows Defender Components, using the registry editor.

If you press the Windows key and type 'regedit' and press enter you will be presented with the registry editor and you will need to navigate to the following area:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

This means that under HKEY_LOCAL_MACHINE you expand the folders (called keys in registry editor, even though they lok the same - they are not folders, they are completely different - )

When you find the correct key, you highlight it on the left and then right click on the right hand side, below the (Default) value and select New > DWORD (32-bit) Value 

Give the DWORD the name DisableAntiSpyWare and once it has been created, double click the DWORD and enter the value '1' and press OK so that you have the below:

Now let's try restarting Windows 10....

OK so according to the above view from the taskbar, the Windows Defender application is not running. Let's have a check under the services running by clikcing the start buton and typing services.msc. 

OK excellent, the service has been stopped and is now set to manual. This is going to speed us up nicely. But now how do we stop the automatic updates from hogging all of the bandwidth and disk speed?

Well there are many sites telling me to use metered connections or policies to disable this function, but the Windows update feature can be disabled by opening up the services.msc applet and disabling the service by finding it as follows:

NB This service has already been disabled but your will not have been.

Now double-click the update service and choose the start-up type:

Once it is set to disabled then click OK to confirm.

Now we are back in control of our Windows 10 PC and our Ineternet connection, RAM, Hard Disk and CPU are all our own again.

When it comes to backup and restore on Windows 10 the default is to backup your disk every hour which is a pretty surefire way to ruin your backup disk, internal disk and electricity bill. You can obviously backup your files manually but an easy option is to create a shortcut on your desktop that will backup your files to your external hard disk so that you can simply copy them back if you lose your laptop or restore individual files if you lose or accidentally delete files.

If you wish to run the backup one time, you can by using the following:

If you run the following command by pressing [windows key] + R

Then paste in the code but substitute the drive letter of your external drive as appropriate:

xcopy "%userprofile%\*.*" [drive letter]:\profilebackup\ /c /s /r /d /y /i

And leave the colon in place but not the square brackets.

This will copy all of the files in your user profile into a folder called profilebackup onto the external drive from pictures and desktop, documents etc.

Or you can make a shortcut on your desktop as follows:

1. Minimise all your applications down to the task bar to get your desktop clear.
2. Right click on your desktop and choose 'create shortcut'

       3. Enter the command line once you have entered the drive letter:

      4. Name the shortcut something you will remember to run regularly:

      5. Click finish and you're done.

You now have a shortcut that you can use to backup anytime - just remember to plug in the external hard disk first.

AllDay Time Manager server service keeps stopping on Windows XP

A client has been using the AllDay Time Manager system for some time now and it has worked reasonably well for them - they have a palm reader in their office that everyone clocks-in and out with and the software sits on a 32bit x86 Windows XP SP3 machine as the software does not run on a x64 machine and that is all there was left.

The system has a software client and a database that are installed on the same machine - the database is a n SQL 2008 database that has an application service that runs on top and forwards the data to port 5000 for the software client to connect to.

All of a sudden the service has begun to cease during the day and shuts down with no apparent messages in the Event Log.

Examining the database and application settings give the following details:

All Day Time Manager is a software that runs in several different parts.

First of all there is the data living on your palm reader/clock-in/out machine that is polled by the software on your desktop machine. The desktop application queries the machine and then writes that data to the server application, which in turn writes data into thew SQL database on the server computer.

So there are three levels to the application:

1. Desktop App
2. All day server
3. SQL server DB

All data from either the PC or the clock-in machine start at the top and descend to the database where the information is stored long term for reporting etc. The All Day server then queries the SQL server for the information and provides it to the client machines, usually over TCP port 5000.

There are two points of configuration for the AllDay server - the configuration file ServiceApp.exe.config at:

C:\Program Files\Allday Time Systems Ltd\ATM System\Server

And the configuration available by right clicking the red icon (red when the AllDay NT service is not running) and choosing 'configure database login'

When we moved our database we have to configure this part of the App as follows:

Server: new SQL %computername%
Instance: same as computername
Database: ATSM
User: ATSMUser
PW: ********

The config file we adjusted to be:

<add key="hibernate.connection.connection_string" value="Server=SERVERNAME;initial catalog=ATSM;User=ATSMUser;Pwd=********;Min Pool Size=2"/>

We could then start the service and the desktop application which displayed the SQL server path in the bottom right hand corner as it began and so we knew that we had successfully moved the DB.

The All-Day Time Manager Service is dependent on having a good connection to the ATSM database. By default the database is store locally on the machine installed as the server in an instance called ./ATSM

There is a default user called ATSM user and there is a default password that we shall leave alone for this post.

To move the database you must use the SQL management studio to backup the SQL database. You can download the studio easily enough from the web and install onto the server computer or use the studio manager on a different computer.

The database is typically installed in a path such as:

C:\Program Files\Allday Time Systems Ltd\ATM Data\MSSQL10.ATSM\MSSQL\DATA

Once you have a backup of the database you can restore to another PC using the wizard in studio manager and keep the name the same - ATSM

If you are restoring the database to a default instance as we were, then you will need to choose the machine name as the instance name - such as servername\servername.

As for what was causing the service to stop, well we believe it was either the application losing connectivity or the XP machine just getting too long in the tooth.