DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Site-to-Site VPN: multiple subnets without creating SAs. Not available on DrayOS v5

12 May 2025 09:45 - 12 May 2025 16:36 #104925 by Liam
Hello, I've recently purchased a few 2136ax routers for some additional small sites. They VPN into the main site, which has a few different subnets. When I try to enter the additional subnets there is no option other than to create additional SAs for each subnet. I do not want to do this; I just want the router to be aware that these additional subnets reside at the end of this VPN connection. This has not been an issue with all the previous Vigors I've used, where creating additional SAs was an option, not an enforcement. However, like I say, there seems to be no other option than to create additional SAs with this new model. Also, just to add, if I add the additional subnets in here, then the router tries to create SAs, which will fail and drop the VPN every 30 secs. When I remove the SAs, the VPN connection is stable.

Can someone help/confirm?

Screenshot of options. It's either Disabled or Multiple SAs.
Last edit: 12 May 2025 16:36 by Liam.

13 Aug 2025 12:35 #105345 by Liam
Does anyone know about this? Still not able to add a subnet without creating an SA on the 2136ax router.

15 Aug 2025 15:15 #105368 by HodgesanDY
Hi Liam,

I see your issue. No doubt DrayTek will add the option you want with enough demand, or they have other reasons for enforcing the use of it.
You could try this:
Code:
vpn l2lset [list index] phase2[lifetime]
as in
Code:
vpn l2lset [Profile 1] phase2[86400]
or even
Code:
vpn l2lset [Profile 1] phase2[0]
... if it lets you?

That would push the rekeying period to 24 hours or 0 hours, if it accepts 0, for the Phase2 SA.

I imagine this isn't a problem for two modern matching DrayTek routers but possibly a problem for old and new working together.

20 Aug 2025 14:27 - 20 Aug 2025 23:35 #105397 by Jeremy
I believe that it is possible to get round this problem using Route Policies. I will have the same issue, but I am unable to test it on the 2136 for another couple of weeks; it does appear, though, that you can enter your extra routes as a Route Policy that steers the traffic to the specific VPN.

As I understand it, DrayOS has 2 routing tables: the standard one and the Route Policies one, which can add to or override any standard routing.

It would probably be a lot simpler to set up if DrayTek made the Network section of the VPN config a single list of routes, with a minimum of one route and checkboxes for SAs. However, as has been said above, there may be some underlying reason for the restriction. It does kind of feel like an oversight, though.

I'll post something back when I've been able to check it out properly.
Last edit: 20 Aug 2025 23:35 by Jeremy.
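The route-policy idea above has one caveat worth checking before relying on it: a route policy only decides which interface a packet is sent to, while the Phase 2 SA's traffic selectors decide whether that packet can actually be encrypted into the tunnel. If the extra subnet is steered to the VPN but no SA on either side has selectors covering it, the traffic is not leaked in the clear, but it is not delivered either. The following is an added, simplified model written for this thread, not DrayOS code and not the forum author's; the router, profile and subnet values are constructed for illustration.

```python
"""Constructed model of route policies versus Phase 2 SA traffic selectors.

Shows why steering an extra subnet to a VPN with a route policy only works
when some SA (a per-subnet SA or a route-based 0.0.0.0/0 SA) covers it.
Not DrayOS code; all names and addresses are made-up examples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PhaseTwoSA:
    name: str
    local: ipaddress.IPv4Network   # local traffic selector
    remote: ipaddress.IPv4Network  # remote traffic selector

    def covers(self, src, dst):
        # A packet is only eligible for this SA if both selectors match.
        return src in self.local and dst in self.remote


@dataclass
class VpnProfile:
    name: str
    sas: list  # list[PhaseTwoSA]


@dataclass
class Router:
    standard_routes: dict  # IPv4Network -> next-hop label
    route_policies: list   # [(IPv4Network, next-hop label)], checked first
    vpns: dict             # next-hop label -> VpnProfile

    def next_hop(self, dst):
        # Route policies are consulted before the standard table (assumed
        # precedence, matching the description in the thread).
        for net, hop in self.route_policies:
            if dst in net:
                return hop
        best = None
        for net, hop in self.standard_routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else "default-gateway"

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hop = self.next_hop(dst)
        if hop not in self.vpns:
            return f"plaintext via {hop}"
        for sa in self.vpns[hop].sas:
            if sa.covers(src, dst):
                return f"encrypted via {hop}/{sa.name}"
        # Steered into the tunnel, but no SA may carry it: discarded, not sent.
        return f"dropped: {hop} has no SA covering {src}->{dst}"


def build_branch(extra_sa=False, wide_selector=False):
    """Constructed branch router: LAN 192.168.10.0/24, VPN 'HQ' to 10.1.0.0/24.

    extra_sa      -> add a second Phase 2 SA for 10.2.0.0/24 (the per-subnet SA
                     approach the original poster wants to avoid).
    wide_selector -> the single SA uses 0.0.0.0/0 selectors (route-based style).
    Either way, a route policy steers 10.2.0.0/24 to the HQ tunnel.
    """
    lan = ipaddress.ip_network("192.168.10.0/24")
    remote = ipaddress.ip_network("0.0.0.0/0" if wide_selector else "10.1.0.0/24")
    sas = [PhaseTwoSA("sa-1", lan, remote)]
    if extra_sa:
        sas.append(PhaseTwoSA("sa-2", lan, ipaddress.ip_network("10.2.0.0/24")))
    return Router(
        standard_routes={ipaddress.ip_network("10.1.0.0/24"): "HQ", lan: "lan"},
        route_policies=[(ipaddress.ip_network("10.2.0.0/24"), "HQ")],
        vpns={"HQ": VpnProfile("HQ", sas)},
    )


if __name__ == "__main__":
    for label, r in [("single SA", build_branch()),
                     ("two SAs", build_branch(extra_sa=True)),
                     ("0.0.0.0/0 SA", build_branch(wide_selector=True))]:
        print(f"{label:12} 10.2.0.7 -> {r.forward('192.168.10.5', '10.2.0.7')}")
```

Running it shows the three outcomes side by side: with one narrow SA the policy-routed subnet is dropped, with a second SA it rides the new SA, and with a 0.0.0.0/0 selector it rides the existing SA. In practice that means the route-policy workaround needs the peer's Phase 2 selectors checked as well, since the peer will reject or discard traffic outside the selectors it negotiated.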
