How to create multiple Phase2 SA for IPsec tunnel with multiple subnets?

When connecting to a VPN server that is not a DrayTek router, a Vigor router acting as the LAN-to-LAN VPN client can negotiate a separate IPsec SA in IKE phase 2 for each subnet, establishing multiple IPsec tunnels from one VPN profile. Please refer to the following steps and scenario.
Note that when both the VPN server and the VPN client are DrayTek routers, the same result can be achieved with the "More" option alone; "Create Phase2 SA for each subnet (IPSec)" is not necessary and should not be enabled.

(This setup applies to most of the models. For Vigor3900 and Vigor2960, please refer to the article here.)

   

Configurations on IPSec Client

1. Go to VPN and Remote Access >> LAN to LAN, and click Index 1 to create a new IPSec profile.

   

2. Set configurations of IPSec profile.

  1. Enter Profile name, and check Enable this profile.
  2. Choose Dial-Out.
  3. Choose IPSec Tunnel.
  4. Enter Server IP.
  5. Enter Pre-Shared Key.
  6. Enter Remote Network IP.
   

  7. Click More.
    1. Enter Network IP, and set Netmask.
    2. Click Add.
    3. Tick Create Phase2 SA for each subnet (IPSec).
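
For reference, the matching configuration on the non-DrayTek side, as an added example that is not part of the original article: a strongSwan swanctl.conf fragment in which each subnet behind the server is its own child (Phase 2) SA, which is what the Vigor negotiates when Create Phase2 SA for each subnet (IPSec) is ticked. strongSwan with IKEv1 is an assumed choice of server, and every address, subnet, name, proposal and the key below are constructed placeholders.

```conf
# /etc/swanctl/swanctl.conf on the VPN server (assumed: strongSwan, IKEv1, PSK)
connections {
    vigor-l2l {                              # hypothetical connection name
        version = 1                          # assumption: IKEv1 main mode
        local_addrs  = 203.0.113.10          # constructed: server WAN IP ("Server IP" on the Vigor)
        remote_addrs = 198.51.100.20         # constructed: Vigor WAN IP
        proposals = aes256-sha256-modp2048   # must match the Vigor's phase 1 proposal

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }

        children {
            # First Phase 2 SA: the subnet entered as "Remote Network IP" on the Vigor
            subnet-a {
                local_ts  = 10.1.1.0/24      # constructed: first subnet behind the server
                remote_ts = 192.168.1.0/24   # constructed: Vigor LAN
                esp_proposals = aes256-sha256
            }
            # Second Phase 2 SA: the subnet added under "More" on the Vigor
            subnet-b {
                local_ts  = 10.1.2.0/24      # constructed: second subnet behind the server
                remote_ts = 192.168.1.0/24
                esp_proposals = aes256-sha256
            }
        }
    }
}

secrets {
    ike-vigor {
        id = 198.51.100.20
        secret = "REPLACE_WITH_PRE_SHARED_KEY"   # placeholder: same value as "Pre-Shared Key" on the Vigor
    }
}
```

Each child carries exactly one local and one remote traffic selector, so the two tunnels listed in Connection Management correspond one-to-one to `subnet-a` and `subnet-b`.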
   

Check VPN connectivity

Go to VPN and Remote Access >> Connection Management to check connectivity. You should see two IPsec tunnels established.

   