Setting up site-to-site on DrayTek Vigor 3900

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


Configuring the tunnel on the DrayTek Management Interface

1. Open the DrayTek management interface

2. In the left panel, select VPN and Remote Access, then select VPN Profiles. Select the add to create a new profile


3. Under the Basic tab, fill in the following information:


  • Auto Dial-Out: Enable; Always Dial-Out
  • Dial-Out through: Your WAN interface; Default WAN IP
  • Failover: Should remain with the null value.
  • Local IP/Subnet Mask: Insert your FW external address and specify the correlating subnets.
  • Remote Host: The IP of your NordLayer dedicated server
  • Remote ID/Subnet Mask: The default values are and


  • IKE Protocol: IKEv1
  • IKE Phase 1: Main Mode
  • Auth Type: PSK
  • Pre-shared Key: Generate a pre-shared key (we will need this on our end as well)
  • Security Protocol: ESP

4. Fill in the following information in the Advanced section:



  • Phase 1 Key Lifetime: 28800 seconds
  • Phase 2 Key Lifetime: 3600 seconds
  • Perfect Forward Secrecy Status: Enable
  • DPD Status: Enable
  • DPD Delay: 30 seconds
  • DPD Timeout: 120 seconds
  • Ping to Keep Alive: Disable
  • Route/NAT Mode: Route
  • Source IP: Auto-detect
  • Apply NAT Policy: Disable
  • Set VPN Default Gateway: Disable
  • Netbios Naming Packet: Disable
  • Multicast via VPN: Disable
  • Rip via VPN: Disable
  • Packet Triggered: Enable
  • Force UDP Encapsulation: Disable

5. Fill in the following information in the GRE section:


  • Enable GRE Function: Disable
  • Auto Generate GRE Key: Enable

6. Fill in with the following information in the Proposal section:


  • IKE Phase 1 Proposal: AES 256
  • IKE Phase 1 Authentication: SHA1
  • IKE Phase 2 Proposal: AWS 256 with auth
  • IKE Phase 2 Authentication: SHA1
  • Accepted Proposal: Accept

7. Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply


8. If the tunnel is up, the profile will be green in the Connection Management tab:



Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top