IPsec Tunnel between two DrayTek Routers using the same IP subnet

This article shows how to configure a LAN-to-LAN VPN between two Vigor Routers that use the same local IP range. The problem with building a VPN tunnel to another router that uses the same IP range is that there will be two routes to the same IP subnet, which conflict with each other. If neither site can change its IP subnet, the solution is to translate the local IP to an unused range for the VPN connection. The steps below describe how to do that on Vigor Routers.

The Configuration of Router A (VPN Server)

1. Go to VPN and Remote Access >> LAN to LAN to create a VPN profile as follows: In Common Settings:

  1. Check Enable this profile.
  2. Select Dial-In for Call Direction

2. In Dial-In Settings:

  1. Select only IPsec Tunnel for Allowed Dial-in Type
  2. Select Specify Remote VPN Gateway then input some strings for Peer ID
  3. Click IKE Pre-Shared Key then input the Pre-Shared Key   

3. In TCP/IP Network Settings:

  • Enable Translate Local Network
  • Select LAN1
  • Enter in the Translated IP
  • Enter in the Local/Remote Network IP and subnet Mask

The Configuration of Router B (VPN Client)

1. Add a profile at VPN and Remote Access >> LAN to LAN as follows: In Common Settings:

  1. Check Enable this profile
  2. Select Dial-Out for Call Direction
  3. Select the WAN interface where Router A is on for VPN Dial-Out Through   

2. Configure Dial-Out Settings:

  1. Select "IPsec Tunnel" for Type of Server I am calling
  2. Input Server IP as the WAN IP address of Router A
  3. Click IKE Pre-Shared Key then input the same key as what was configured on Router A
  4. Select High(ESP) for IPsec Security Method, and click Advanced
  5. Select "Aggressive mode"
  6. Input the same Local ID as the Peer ID on Router A

3. Configure TCP/IP Network Settings:

  • Enable Translate Local Network
  • Select LAN1
  • Enter in the Translated IP
  • Enter in the Local/Remote Network IP and subnet Mask

4. After configuration, the network administrator can check the VPN status via VPN and Remote Access >> Connection Management.

5. To reach a host behind Router A, a host behind Router B can use the IP address in subnet 192.168.129.0/255.255.255.0.
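
The translation described above, as an added example that is not part of the original article: it checks that each router's Translated IP range is really unused and computes the address a peer must use for a given host. The real LAN 192.168.1.0/24 and Router B's translated range 192.168.130.0/24 are assumed sample values; only 192.168.129.0/255.255.255.0 comes from the article.

```python
import ipaddress

def check_plan(sites):
    """Return a list of problems in a translation plan.

    sites maps a router name to (real LAN, translated network) strings.
    """
    problems = []
    nets = {name: (ipaddress.ip_network(lan), ipaddress.ip_network(xlat))
            for name, (lan, xlat) in sites.items()}
    for name, (lan, xlat) in nets.items():
        # 1:1 translation needs the same prefix length on both sides.
        if lan.prefixlen != xlat.prefixlen:
            problems.append(f"{name}: {xlat} is not the same size as {lan}")
        for other, (other_lan, other_xlat) in nets.items():
            # The translated range must not be any site's real LAN.
            if xlat.overlaps(other_lan):
                problems.append(f"{name}: {xlat} overlaps LAN of {other}")
            # Each site needs its own translated range (checked once per pair).
            if other > name and xlat.overlaps(other_xlat):
                problems.append(
                    f"{name}: {xlat} overlaps translated net of {other}")
    return problems

def translate(host, lan, xlat):
    """Map a real host address to the address the peer must use."""
    lan, xlat = ipaddress.ip_network(lan), ipaddress.ip_network(xlat)
    host = ipaddress.ip_address(host)
    if host not in lan:
        raise ValueError(f"{host} is not in {lan}")
    # Keep the host part, swap the network part.
    offset = int(host) - int(lan.network_address)
    return str(xlat.network_address + offset)

# Constructed sample plans (assumed values, see the lead-in).
GOOD_PLAN = {
    "Router A": ("192.168.1.0/24", "192.168.129.0/255.255.255.0"),
    "Router B": ("192.168.1.0/24", "192.168.130.0/24"),
}
BAD_PLAN = {  # both sites translated to the same range
    "Router A": ("192.168.1.0/24", "192.168.129.0/24"),
    "Router B": ("192.168.1.0/24", "192.168.129.0/24"),
}

if __name__ == "__main__":
    print(check_plan(GOOD_PLAN))
    print(check_plan(BAD_PLAN))
    # Address a host behind Router B uses to reach 192.168.1.10 behind Router A.
    print(translate("192.168.1.10", *GOOD_PLAN["Router A"]))
```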

The Configuration of Router A (VPN Server)

1. Enable IPsec VPN service.

2. Create an IPsec Site to Site VPN profile.

  • Enter a Profile Name
  • Toggle Enable
  • Select Dial-In as Direction
  • Select IKEv1/v2 as IPsec Dial-In Protocol
  • Enable Specify VPN Peer; Enter the Remote IP or leave it empty if the Peer Router’s IP is dynamic
  • Enter the Pre-Shared Key
  • Enter the Peer ID under IKE identifier
  • Note: Enabling Specify VPN Peer and configuring the Peer ID allows the router to authenticate the IKEv2 VPN client using the Pre-Shared key defined in this VPN profile.
  • Enter Local Network and the Remote Network. Note: The Remote Network refers to the translated network defined on the peer router.
  • Toggle Translate Local Network
  • Enter the Translated Network
  • Apply the settings.

The Configuration of Router B (VPN Client)

    1. Enable IPsec VPN service.

    2. Navigate to VPN / Site to Site VPN. Click +Add to create an IPsec Site to Site VPN profile.

  • Enter a Profile Name
  • Toggle Enable
  • Select Dial-Out for Direction
  • Select IPsec as VPN Type
  • Select IKEv2 as IPsec Dial-Out Protocol
  • Enter VPN Server’s IP or Domain Name as Remote IP/ Domain Name
  • Choose Always On as the Dial-Out Mode
  • Enter the Pre-Shared Key
  • Enter the Local ID under IKE identifier
  • Enter Local Network and the Remote Network. Note: The Remote Network refers to the translated network defined on the peer router.
  • Toggle Translate Local Network
  • Enter the Translated Network
  • Apply the settings.

Verify the VPN Connection

    1. Navigate to VPN / VPN Connection Status to check if the VPN is up.

    2. Use Ping to verify connectivity to the remote VPN network.

    Note: The peer’s IP address is translated. Please use the translated IP address to access the remote network.

    The Configuration of Router A (VPN Server)

    1. Go to VPN and Remote Access >> VPN Profile >> IPsec add a profile as follows:

    1. In the Basic tab, enter a Profile name and check Enable
    2. Enter Local IP /Subnet Mask as the LAN network on Router A.
    3. Enter the WAN IP of Router B for Remote Host
    4. Enter the translated LAN IP of Router B at Remote IP/ Subnet Mask
    5. Enter Pre-Shared Key   

    2. In the Advanced tab, enable Apply NAT Policy, and enter an unused IP range for Translated Local Network. Then, click Apply to save the profile.

    The Configuration of Router B (VPN Client)

    3. Similarly, go to VPN and Remote Access >> VPN Profile >> IPsec and add a profile as follows:

    1. In the Basic tab, enter a Profile name and check Enable
    2. Enter Local IP /Subnet Mask as the LAN network of Router B
    3. Enter the WAN IP of Router A in Remote Host
    4. Enter the translated LAN IP of Router A at Remote IP/ Subnet Mask
    5. Enter Pre-Shared Key as the same key in Router A's VPN profile.

    4. In the Advanced tab, enable Apply NAT Policy, and give it a Translated Local Network which is different from that of Router A. Then, click Apply to save the profile.

    5. To initiate the VPN, go to VPN and Remote Access >> Connection Management, select the Profile created and click Connect.

    6. If all the settings match, the VPN connection will be established. In the connection status, the virtual network is shown as the translated IP address.

    7. And now we can access the remote network by the translated IP address.

    Published On:2026-04-10 
