DrayTek 2860 to Watchguard IPSec VPN


In this document we are going to progress through the stages of setting up an IPv4 IPSec VPN between two office sites to allow interconnectivity as if they were on the same LAN.

First of all let us quickly get a few points straight so that the configuration goes smoothly.

A VPN works by the agreed shared secret or certificate being consistent at both ends and (in the case of certificates) being matched to the correct hostname or IP address. A VPN also relies heavily on the keys remaining in sync through the key exchange between the endpoints, so you must be sure to configure identical phase one and phase two details on all of the endpoints.

With this in mind, let me make it clear that the Fireboxes come with 8-hour key lifetimes in both phase one and phase two, so we will stick to that in this example by altering the DrayTek to match. In most cases you will need to plan phase one and two in advance and ensure that the settings are identical on all the endpoints involved in the VPN.

Let's start with the Watchguard FireBox; I am using the Watchguard System Manager software to configure it in this case, but the web configurator works just as well.

Firstly we login to get started.

Watchguard System Manager Software


Now use the Policy Manager button to open the Policy Manager:


Watchguard Policy Manager


Go to the VPN menu and 


Watchguard Create New Tunnel Dialogue

Server Security Alert Delete Request !!! Spam Warning


This spam email has been received by some people this morning and earlier this week...




From: []

Sent: 17 September 2018 21:02

To: recipient

Subject: Server Security Alert: Delete Request !!!





Dear recipient,

Our record indicates that you recently made a request to shutdown your email and this request will be processed shortly today.

If this request was made accidentally and you have no knowledge of it, you are advised to upgrade to cancel the request now



However, if you DO NOT cancel this request, your account will be shutdown and all your email data on the server will be lost permanently.

Regards. Email Administrator®


This message is auto-generated from E-mail security server.
This email is meant for: 




The actual 'cancel server deactivation' link points to: which is a live site with a valid security certificate.

The webpage looks real enough:


server security alert delete request

The spammer page appears to just keep asking you for the password - I think it actually tries to verify the login against your email whilst you wait - so be very careful with this site.

This is another WordPress site compromised by a certain Bangladeshi hacker looking to retrieve passwords and subsequently blackmail people or steal from them. He leaves his name on the WordPress site after hacking it:


Sid Gifari Bangladeshi Wordpress Hacker


Report this website as phishing.

Report the originating email address as a spam source.

Stay Safe!!

Sonicwall NSA-250M Set-up and IPSec VPN Connection to DrayTek Vigor 3900


Firstly, to set up the Sonicwall NSA 250M we must set our IP address to connect to the router's address of

We are using Windows 7 in this example and so we find our network icon on the Windows Taskbar at the bottom of the screen, right click and select Network and Sharing Center to take us to our network settings:


Network and Sharing Centre


Our wireless network in the above example does not connect us to the NSA 250M - we are plugging straight in to the firewall and so we click on Local Area Connection which signifies our cable connection to the firewall.

Local Area Connection Status


Currently we have no network access, and this is expected as the Sonicwall is currently set at and the DHCP server on the device is disabled.

Now click on the highlighted Properties button to enter the configuration section for the network protocols:


Local Area Connection Properties


We need to configure a static IPv4 address, so we double click the above Internet Protocol Version 4 (IPv4) item to enter the IP address configuration section:


IPv4 address configuration


Change the above options to be Use the following IP address and enter the IP we will be using which needs to be in the same Class C subnet as the Sonicwall firewall. In my case I am choosing



There is no need to enter a default gateway or anything else as this is just a temporary state for the network card.

You will see that the status for the connection now displays the new IP address:


Sonicwall IP assignment


Press the OK button and we should now be able to ping

If you cannot ping, try resetting the firewall again with a 10 second hold of the reset button with a pen or similar to ensure the firewall is back in its default state.


We should now be able to browse to to enter the web configurator of the Sonicwall NSA 250M; the user is admin and the password is blank. As soon as you gain access you will be asked to change the password:


Sonicwall web interface change password


Enter a new password in the two boxes to set security for your device - make it a good one if you intend to allow external HTTPS access...


Sonicwall changing password


Now we set the appropriate time-zone:


Sonicwall set time-zone


Next we configure the USB ports:


Sonicwall modem set-up


Which we will configure later...


Sonicwall modem configure later


Now we must select the WAN mode, in this case the sonicwall is plugged into a dedicated fibre router that broadcasts DHCP and so we will select the appropriate mode below:


Sonicwall WAN


Now set your WAN response level - do you want ping or HTTPS requests to be answered? In most cases you would just want PING, but I am choosing HTTPS to ease the VPN set-up.


Sonicwall allow HTTPS administration


As you can see we are being warned about the security of this idea - it is a bad option, especially if you only have one IP address as it prevents hosting a web server.

Now we can set the LAN IP and subnet:


Sonicwall LAN set-up

Sonicwall DHCP config.


In the above we are setting up the DHCP server on the firewall. The DHCP server is a decent version, but you may wish to use a Linux or Windows DHCP service instead, in which case you can disable this later or leave it disabled.

Now we move on to the ports assignment page:


Sonicwall ports assignment


The above simply means that we are keeping the default option of X0 being our trusted LAN port and X1 being our first untrusted WAN port.

We can now review all of our choices in the summary section:


Sonicwall Configuration Summary


In the above I have blanked out the IP addresses as they are in use but you can see the options that were chosen clearly.


Now the device will reset and our PC or laptop will lose connectivity.


Sonicwall set-up wizard complete


If you have enabled the DHCP server on the firewall we can now return our laptop to its default IP setting:

Return to the network and sharing centre:


Network and Sharing Centre


Click the Local Area Connection link and choose properties, then double click the IPv4 item to get to your IP address settings:


Local Area Connection Status           IPv4 Properties


Return the IP address assignment to automatic as in the below:


IP address auto-assignment


Now when you have rebooted the firewall, the laptop will gain an IP from the Sonicwall DHCP server if enabled. Otherwise you will need to manually set the IP address as you did before but with an IP address in the new subnet which you have just allocated for the Sonicwall.

You should now be able to browse the web using the local area connection via the Sonicwall.


Setting the VPN on the Sonicwall

Now that the Sonicwall is online and passing internet traffic we can begin the set-up of the IPSec VPN.

Log into the firewall and head down to the VPN settings page:


Sonicwall VPN Settings Page


There are some default policies already, but we are creating a new policy so click the Add button:

Add VPN Policy Sonicwall


So in the above we are entering our VPN network details. Firstly we enter the type, which we will leave as Site-to-Site.

The authentication method can remain as IKE using Preshared Secret

The Name can be what you wish to help you identify the VPN

In this case we enter the IPSec Primary Gateway Name or Address as the WAN IP address of the DrayTek 3900 we are connecting to.

The secondary gateway we leave blank, as this VPN has no redundancy.

In the shared secret box we enter our pre-shared secret, which should be a randomly generated string that you must enter precisely into both devices at either end of the VPN.

The local IKE ID will be left as IP addresses and you can leave the corresponding boxes blank to use the default IP addresses which we will do in this case.

Now we move on to the Network section:


VPN network page Sonicwall


We are using the subnet of the LAN port in the above, and the easiest way to choose this without adding any other networks that might dissuade the DrayTek from allowing the connection is to choose the subnet attached to just the LAN port X0.

We create a new subnet from the drop-down, which has already been performed in the above. We are presented with the new remote subnet dialogue:


Sonicwall create remote VPN subnet


In the above we enter the LAN segment behind the DrayTek to which we are trying to gain access. This will be the network made available to us through the Sonicwall-DrayTek VPN tunnel.

Click OK to return to the previous dialog and then progress to the Proposals tab:


Sonicwall-DrayTek VPN Proposals


In the above we are matching the Sonicwall to the default DrayTek 3900 proposals, which means we are using AES-256 with group 5 and SHA1.

In this case we are also enabling PFS with group 5. Enter the details as above and move onto the advanced tab:


Sonicwall VPN advanced tab


Here we only need to tick the keep alive and enable Windows Networking (NetBIOS) broadcast boxes; everything else can remain as it is.

We can now complete the VPN settings and return to the VPN setting page and turn our attention to the DrayTek end of the VPN.


Setting the DrayTek Vigor 3900 VPN Endpoint


Log into your DrayTek webpage and proceed down to the VPN IPSec Profiles page and click Add to create a new profile:


DrayTek to Sonicwall IPSec VPN Set-up


Enter your details as above and make sure that the local IP subnet are those behind the DrayTek router and not the Sonicwall.

In the above example the Remote Host entry is set to but this must be set to the WAN IP address of the Sonicwall


The Remote IP / Subnet Mask is the local LAN subnet behind the Sonicwall to which you wish to gain access from the DrayTek LAN.

The IKEv2 option is chosen and PSK (PreSharedKey) is chosen to match the entries we made on the Sonicwall. Here you must enter exactly the key which was entered into the Sonicwall pre-shared key box.

The security protocol is left set as ESP

Now we move on to the Advanced tab:


DrayTek-Sonicwall IPSec VPN Advanced Tab


Some of the above is left as the default as we chose the settings on the Sonicwall to match - the timeouts are still the same for instance.

We are selecting Perfect Forward Secrecy and Dead Peer Detection and allowing NetBIOS traffic once more.

We now need to configure the Proposals tab:


DrayTek-Sonicwall IPSec VPN Proposals


We are once again selecting AES256 Group 5 as our proposals and allowing ALL and Accept All as the Sonicwall will only be offering SHA1 anyway.

We now complete the IPSec VPN by clicking apply/OK and return to the VPN configuration page:



DrayTek VPN Profiles


We can see there is some activity from the status above, but if we continue to the connection status page as below:


DrayTek-Sonicwall IPSec VPN is Up


we can now clearly see that the DrayTek Vigor 3900 believes the VPN to be active and if we check the Sonicwall:


Sonicwall-DrayTek IPSec VPN is Up


Cisco RVS4000 DrayTek Vigor 3900 VPN IPSec


In this example we are going to fashion a VPN from a Cisco RVS 4000 VPN router sitting behind a home ISP router/firewall just to show that VPN for your home users isn't difficult to set-up, even if you are segregating part of their network for just their work hosts, such as a desktop and printer.

The Cisco RVS 4000 VPN SoHO Router

Cisco RVS 4000

After a full reset the Cisco will have the IP range and as this will very likely be the subnet your workers will have at home it is best to choose something else. In my example here I am just sticking with because the network I am plugging into has a different range but you get the idea.

To start with, we are going to configure the Cisco before the users take it away.

As I said, I am starting with a fully reset router - you will obviously want to adjust the password and rig up any remote administrative features beforehand in case the VPN does not come up straight away.

Now we move on to configure the VPN.

Go to the VPN IPSec page of the router and enter the relevant details:


Cisco RVS 4000 IPSec settings


In the above we are configuring the VPN as an IP only gateway, as this will allow the VPN to connect easily from the home environment.

The enabled option has been chosen and the destination office chosen as a name for the VPN.

Local security type is Subnet and the IP address is the IP address of the Cisco router LAN port

In this case the internal network of the Cisco RVS 4000 will be but in your case it may well be best to choose an alternative as mentioned earlier.

The subnet mask is a class C of as normal on a home network.

Next we are configuring the remote network behind the DrayTek Vigor 3900; the gateway is the external WAN IP address associated with the VPN you are connecting to.

The IP address and subnet mask are the internal network for the DrayTek router, in this case another Class C network.

We move down the page...


Cisco RVS 4000 IPSec settings


We are choosing IKE with preshared key

We select 3DES encryption for phase 1 as this is the best that the Cisco will do, but if you are using a later model, feel free to select AES256 if you have it.

Phase 1 authentication is being set to SHA1

We select Group 5 1536-bit authentication and leave the key lifetime at 28800 as this is also the DrayTek default.

Phase 2 we set as 3DES, SHA1, enable PFS and enter the pre-shared key. The authentication has been left at Group 1 768-bit.

We move down to the 'advanced' settings:


Cisco RVS 4000 IPSec settings


We are setting NETBIOS broadcast as on, just to keep the machine naming up-to-date on each network for Windows machines.


Now we move onto the DrayTek Vigor 3900.

Once logged into the device, we are setting a new IPSec profile under VPN and Remote Access > IPSec Profiles

Choose to create a new profile and you are presented with the new IPSec profile dialogue:


DrayTek Vigor 3900 IPSec Profile


We tick the Enable box at the top to enable the profile.

We can leave the first two boxes as we are receiving only and expecting a router rather than a user.

In this case the DrayTek is expecting the VPN at the IP address associated with WAN1 so we leave that.

The local IP Address/Subnet mask are the same as those we set as the remote network details on the Cisco and represent the internal network we are granting access to the Cisco router network.

The Local Next Hop and Remote Host can remain as they are as the home user network will almost certainly have a dynamically assigned IP address.

The IKE protocol and Phase 1 settings can remain as defaults.

Auth Type is set to PSK - Pre Shared Key and enter the same key as you entered into the Cisco earlier.

The security protocol is set as ESP


Now we move on to the second page:


DrayTek Vigor 3900 IPSec VPN Advanced


We are leaving the Phase 1 & 2 lifetimes as they are, as they already match the Cisco - you should update these to be the same as your Cisco settings if you chose other than default periods.

Perfect Forward Secrecy (PFS) is on

All the other settings can remain as they are, except that once again we are setting NetBIOS naming packet as on.

Apply and save the changes.

Now looking back at the Cisco, we click the connect button under VPN status to connect:


Cisco RVS 4000 IPSec VPN Status


We can see from the above a network VPN has been established.

And from the machine we are using, we can ping the remote 192.168.x.0 network...
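The Sonicwall-DrayTek and Cisco-DrayTek walkthroughs above both rest on the rule stated in the WatchGuard post: phase 1 and phase 2 proposals, lifetimes, PFS and the pre-shared key must agree at both ends, and each side's local subnet must be the other side's remote subnet. The following Python script is an added example, not code from the posts or from any of the vendors, that checks a pair of endpoint records for exactly those mismatches and also lists legacy choices (3DES, SHA1, DH groups 1/2/5) that current guidance advises replacing; every device name, subnet and key in it is constructed.

```python
"""Check that two IPsec endpoints carry matching, non-legacy proposals.

Added example, not code from the original posts. All endpoint values are
constructed; the algorithm choices follow the figures quoted in the posts
(AES-256 or 3DES, SHA1, DH group 5, 28800 second lifetimes).
"""
from typing import Dict, List

# Proposal fields compared per phase. Phase 2 has no DH group of its own;
# PFS is tracked separately because it must be on/off and equal at both ends.
PHASE_KEYS = {
    "phase1": ("encryption", "hash", "dh_group", "lifetime_seconds"),
    "phase2": ("encryption", "hash", "lifetime_seconds"),
}

# Still offered by older gear (the posts' Cisco RVS4000 only does 3DES) but
# below current guidance; list them so an upgrade can be planned.
LEGACY = {
    "encryption": {"DES", "3DES"},
    "hash": {"MD5", "SHA1"},
    "dh_group": {1, 2, 5},  # 768-, 1024- and 1536-bit MODP groups
}


def compare_endpoints(a: Dict, b: Dict) -> List[str]:
    """Return every setting that would stop the two ends negotiating a tunnel."""
    problems = []
    for phase, keys in PHASE_KEYS.items():
        for key in keys:
            va, vb = a[phase].get(key), b[phase].get(key)
            if va != vb:
                problems.append(f"{phase}.{key}: {a['name']}={va!r} vs {b['name']}={vb!r}")
    if a["pfs_group"] != b["pfs_group"]:
        problems.append(f"pfs_group: {a['name']}={a['pfs_group']!r} vs {b['name']}={b['pfs_group']!r}")
    if a["psk"] != b["psk"]:
        problems.append("psk: pre-shared keys differ (check for copy errors or stray spaces)")
    if a["local_subnet"] != b["remote_subnet"] or a["remote_subnet"] != b["local_subnet"]:
        problems.append("subnets: each end's local subnet must be the other end's remote subnet")
    return problems


def legacy_settings(endpoint: Dict) -> List[str]:
    """List proposal choices on one endpoint that current guidance advises against."""
    findings = []
    for phase, keys in PHASE_KEYS.items():
        for key in keys:
            if endpoint[phase].get(key) in LEGACY.get(key, set()):
                findings.append(f"{phase}.{key}={endpoint[phase][key]!r}")
    if endpoint["pfs_group"] in LEGACY["dh_group"]:
        findings.append(f"pfs_group={endpoint['pfs_group']!r}")
    return findings


def endpoint(name, enc, pfs, psk, local, remote, p1_group=5, lifetime=28800) -> Dict:
    """Build a constructed endpoint record; SHA1 mirrors what the posts' devices offered."""
    return {
        "name": name,
        "phase1": {"encryption": enc, "hash": "SHA1", "dh_group": p1_group, "lifetime_seconds": lifetime},
        "phase2": {"encryption": enc, "hash": "SHA1", "lifetime_seconds": lifetime},
        "pfs_group": pfs, "psk": psk, "local_subnet": local, "remote_subnet": remote,
    }


# Constructed pair modelled on the Sonicwall <-> DrayTek 3900 post: mirrored and consistent.
SONICWALL = endpoint("Sonicwall NSA-250M", "AES-256", 5, "example-psk-1", "10.10.1.0/24", "10.10.2.0/24")
DRAYTEK_A = endpoint("DrayTek Vigor 3900", "AES-256", 5, "example-psk-1", "10.10.2.0/24", "10.10.1.0/24")

# Constructed pair modelled on the Cisco RVS4000 post with two deliberate faults:
# PFS group 1 on the Cisco against group 5 on the DrayTek, and a PSK with a stray space.
CISCO = endpoint("Cisco RVS4000", "3DES", 1, "example-psk-2 ", "10.10.3.0/24", "10.10.2.0/24")
DRAYTEK_B = endpoint("DrayTek Vigor 3900", "3DES", 5, "example-psk-2", "10.10.2.0/24", "10.10.3.0/24")

if __name__ == "__main__":
    for pair in ((SONICWALL, DRAYTEK_A), (CISCO, DRAYTEK_B)):
        print(f"{pair[0]['name']} <-> {pair[1]['name']}")
        for line in compare_endpoints(*pair) or ["proposals match"]:
            print("  " + line)
        for end in pair:
            for finding in legacy_settings(end):
                print(f"  legacy on {end['name']}: {finding}")
```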

Separating public WiFi from your terrestrial LAN with a DrayTek Router and Netgear Switch


In this example we are going to use an older Netgear switch as it is the one in place but this method will work equally as well for the GS752 or XS series, although the interface has been updated somewhat.

First of all it is important to note that the default DrayTek set-up for ports is an untagged VLAN ID 10, and for Netgear it is a default untagged VLAN of ID 1.

What this means is that by default, all the ports on the Netgear assume they are in VLAN 1 if the data traffic packets are not 'tagged' with a number. So if you plug in your DrayTek AP910 and use the default VLAN of 10 then your WLAN will not reach your router. In this case we are not going to change any untagged port settings as we are only making a single 'tagged' VLAN, so there will be no confusion. The important thing to note here is that each port can only have a single 'untagged' VLAN, because if there is no tag (no label to tell the device which VLAN to send the traffic to) then there can only be one default fallback choice. There can only be one default for anything, after all.
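To make the untagged/tagged distinction concrete, here is an added Python model (not part of the original post) of a switch whose ports all default to untagged VLAN 1, and where only ports 5 (the AP910) and 45 (the SFP to the DrayTek) are tagged members of VLAN 3, matching the configuration built later in the post; ports 1 and 2 are constructed stand-ins for private LAN hosts. It shows tagged VLAN 3 frames reaching only the router port, VLAN 10 frames being dropped, and untagged frames from the AP landing in the private LAN.

```python
"""Model how an 802.1Q switch treats tagged and untagged frames per port.

Added example, not from the original post. Each port has exactly one untagged
(default) VLAN, its PVID, but may be a tagged member of many VLANs.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    number: int
    pvid: int = 1                                   # the single untagged (default) VLAN
    tagged: Set[int] = field(default_factory=set)   # VLANs carried with an 802.1Q tag


@dataclass
class Frame:
    ingress_port: int
    vid: Optional[int] = None   # None means the frame arrived without an 802.1Q tag


class Switch:
    def __init__(self, ports: Dict[int, Port]) -> None:
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """Assign an incoming frame to a VLAN, or return None if the switch drops it."""
        port = self.ports[frame.ingress_port]
        if frame.vid is None:
            return port.pvid        # untagged traffic can only go to the one default VLAN
        if frame.vid in port.tagged:
            return frame.vid        # a tag is honoured only if this port is a member of that VLAN
        return None                 # tag for a VLAN this port does not carry: nowhere to send it

    def forward(self, frame: Frame) -> Dict[int, str]:
        """Return {egress_port: "tagged" | "untagged"} for a broadcast frame."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[int, str] = {}
        for number, port in self.ports.items():
            if number == frame.ingress_port:
                continue
            if vid in port.tagged:
                out[number] = "tagged"       # member port: frame leaves with its 802.1Q tag
            elif vid == port.pvid:
                out[number] = "untagged"     # default VLAN of this port: tag is stripped
        return out


def build_switch() -> Switch:
    """Switch from the post: VLAN 1 untagged on every port, VLAN 3 tagged on ports 5 and 45."""
    ports = {n: Port(n) for n in (1, 2, 5, 45)}  # 1 and 2 are constructed private LAN ports
    ports[5].tagged.add(3)    # DrayTek AP910
    ports[45].tagged.add(3)   # SFP fibre to the DrayTek 3900
    return Switch(ports)


if __name__ == "__main__":
    sw = build_switch()
    print("public SSID tagged VLAN 3 from port 5:", sw.forward(Frame(5, 3)))
    print("AP left on default VLAN 10 from port 5:", sw.forward(Frame(5, 10)))
    print("untagged frame from port 5:", sw.forward(Frame(5)))
    print("private host on port 1 tagging VLAN 3:", sw.forward(Frame(1, 3)))
```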

So bearing that in mind we are going to take the following action:

  1. We will make a VLAN on the DrayTek 3900 called sirclesPUB VLAN ID: 3
  2. To this VLAN we will tag the LAN port connected to the Netgear switch so that the traffic labelled with VLAN ID: 3 knows it should go to the Netgear switch.
  3. We will make a subnet associated with this LAN on the DrayTek with a different subnet to our usual network
  4. We will use the inbuilt DHCP server on the DrayTek and assign the ISP's DNS servers to the DHCP clients as they will not have access to the local Microsoft AD/DNS
  5. We will make an associated VLAN on the Netgear with VLAN ID: 3
  6. We will tag the ports connected to the DrayTek 3900 and the DrayTek AP-910 with this VLAN ID so that the traffic knows where to be routed
  7. We will associate the public WLAN with the VLAN ID so that the traffic that is tagged by the WLAN as VLAN ID: 3 remains separate and can be routed straight back to the router without interaction with the untagged default private LAN.


So let's get started, we login to the DrayTek 3900 and open up the LAN > General Set-up section.


Click Add to add a new LAN Profile, in this example we will use a Class B Subnet of


DrayTek Vigor 3900 add LAN


The VLAN ID is set to 3

Our mode is NAT

Our router IP will be

We are choosing a /16 subnet

We enable DHCP server

We have chosen a huge range in this case, but the WLAN is restricted to 64 clients at once by the default of the AP-910

We add the ISP DNS server addresses

Everything else can be left at default in this example as it is only a public Wi-Fi

Click Apply


In our example we see that the LAN has been successfully created:


DrayTek Vigor 3900 new LAN set-up


Now we move on to LAN > Switch section:

Under the 802.1Q VLAN section we click the Add button to add the new VLAN:


DrayTek Vigor 3900 new VLAN


We are making the SFP (fibre module) the tagged member in this case (DrayTek just call it a member rather than tagged) and we do not touch the untagged settings as we could lock ourselves out of the router if we do! In this set-up the DrayTek connects to the Netgear via SFP but you may well be selecting LAN_Port_1 in your example.

Click Apply to create the VLAN.

Now we have a separate network on a separate IP range with a tagged VLAN ID of 3, we must tell the Netgear switch to expect this tagged information on certain data packets and tell it what to do with them.


Open up the Netgear interface on your switch by browsing to the IP address.

Open up switching > VLAN

Create a new VLAN: 

Netgear GS748 add VLAN


We have given it a name to show what it is for but the name is just a label and only the VLAN ID: 3 is important


We now go to the membership of the VLAN to choose the ports under Advanced:


Netgear GS748 VLAN Advanced


We choose the VLAN ID at the top to be our chosen new VLAN ID of 3

In this case the switch is describing itself as unit 1, so we click the text to reveal all the ports:


Netgear GS748 VLAN Membership

We are tagging the ports and so they need to be populated with a T for Tagged

Port 5 is where our DrayTek AP910 is plugged in (there must be no other switches in between or you will have to configure them for the VLAN also)

Port 45 is our SFP for the fibre

Now we click Apply and we are ready to configure our public Wi-Fi:

I am using the central AP management feature of the DrayTek 3900 and so I browse to the WLAN profiles and select the SSID of the public network:


DrayTek central AP management public Wifi VLAN


As you can see we have set the VLAN ID to be 3 and the security as Disabled


Using a mobile device I connect to the sirclesPub Wi-Fi:


 Public Wi-Fi Mobile IP Address confirmation


As we can see under the information section in the Wi-Fi settings, the device has been assigned an address in the correct IP range and cannot communicate with the private LAN.

Spam Warning: Automated Intuit Notification



This email has been spotted this week:




From: Intuit Inc. <>

Sent: Tuesday, July 17, 2018 3:28 PM

To: Recipient

Subject: Automated Intuit Notification



Stop waiting weeks for checks to arrive.


Intuit QuickBooks


Dear customer,

 This message has been sent to you by Intuit Inc. Make sure you click on the web link listed below to view Invoice details.

Your Invoice ID: INV15725381 has been settled and available below.

See your receipt

We appreciate your business with us and thank you for working with Intuit.


Need help?.

Call 800-267-3519

Talk to a Pro






Download the QuickBooks App for iOS on the App store

Get the QuickBooks App for Android on Google Play





Intuit and ProConnect are brand marks of Intuit.

Terms and conditions, pricing and service options are subject to change without the need of notification.

Personal privacy.

2008-2018 Intuit Services Inc..  All rights reserved..
1600 W. Commerce Center Place, Tucson, AZ 85506


TrustE Verified


The originating email is obviously wrong -


The 'See your receipt' link takes you to:


Which is obviously not an Intuit QuickBooks link; they have not bothered with a certificate or any other measures to feign authenticity.


The offending website has already been removed so no immediate danger.


Most of the Intuit company links are as they would have been originally.

Spam Warning: Apple Alert Regarding Your Recent Purchase



This email has been seen by a number of people this week - it is not a particularly convincing one, but it deserves to be mentioned in case it may cause any damage...

The email appears as:




From: Apple Inc <>

Sent: Thursday, July 12, 2018 7:22 PM

To: Recipient

Subject: Apple Alert Regarding Your Recent Purchase









Recent Order





Your Apple ID was just used to purchase from Apple Online store on a device that hadn't previously been related with your ID. You may be getting this e-mail if you reset your password since your previous order.
If you placed this order, you can disregard this e mail. It was only sent notify to you in case you didn't make the purchase yourself.

See Details Here

In case you did not make this purchase, we highly recommend that you go to  to modify your security password, then see Apple ID: Security and your Apple ID for additional assistance

All the best,
Apple Team








Apple ID Summary     Terms of Sale     Privacy Policy




Copyright 2018 Apple Inc.,




The email address obviously doesn't stack up as it is from and not Apple, and the link described as "see details here" is pointing to which again isn't a very convincing domain as it doesn't even have Apple in it.

If you do click the link you are taken to a non-existent website, so the email can do no harm:

No such site

Either way this email should be marked as spam and the address marked as a spam source.

The has no SPF record: 

No SPF for domain


and so this may well be why it was chosen. SPF (Sender Policy Framework) is a simple way of informing other email servers which IP addresses your emails are likely to originate from, and not having one means that people are more likely to spoof your address, as we see in this case.

At sircles we would always advise having a full SPF and DKIM/DMARC set of records to stop spammers impersonating you.

Spam Warning: OnlineInvoices Automated Service Notice



This email has been seen both this week and last week, and is obviously a phishing attack.

The email itself looks fairly harmless, but there is a real company by this name that sends out invoices and so customers could easily be duped.

OnlineInvoices Spam


The HTML version is as follows:




From: OnlineInvoices Inc All Rights Reserved. <>

Sent: Thursday, June 28, 2018 7:15 PM

To: Recipient

Subject: OnlineInvoices Automated Service Notice




Online Invoices


Invoice Notice





The following payment notification is sent to you by OnlineInvoices Inc from Alliance One. Please click the link below to see an invoice







2012-2018 OnlineInvoices. All rights reserved
Izam Inc. , 2851 Centerville Ave., Suite 300, Wilmington, DE 19805





Now the link 'See Invoice' actually points to: which is sort of dangerous as the original company was started by Izzam group which sort of resembles this link, but if you are being careful you will notice that this link is bogus before proceeding too much further.

We can also see that the originating email address is: which is obviously incorrect.

If we attempt to visit the site, we can see that it has already been shut down: site shut down


And so it no longer poses a threat.

Please do report these emails as spam as well as this site if you get the chance.

You can see how here:


Spam Warning - New Order.11405
We have been seeing this email today, which does have quite a good fake Office 365 document download page. There is a spate of these emails now that are just trying to get your Office 365 password. You will never have to type your Office 365 password into another site; in fact your browser will usually remember your password for the correct sites, so you should never have to type it in again at all. If you have typed your Office 365 password into a site to recover a document that turned out to be missing, you should log into and change your password now.
The Fitness Finder App - GTme - Find your Fitness Freedom
Find your fitness freedom with GTme. No contracts or subscriptions.

  1. Register on the app
  2. Find the class you wish to attend on the app map
  3. Reserve your place in the class
  4. Pay for your exercise session
  5. Go along!