I've been trying to get two Draytek Vigor 2920Vn routers to connect to one another using LAN-to-LAN VPN. The setup process was largely intuitive, save one detail.

The general VPN process was pretty simple. The two routers are connected all the time, but there is still a sender (dial-out) and a receiver (dial-in). As I use this LAN-to-LAN connection to enable multiple foreign offices to connect back to headquarters, HQ is dial-in and everyone else is dial-out.

Dial-out end

  • Log in to the Draytek admin interface
  • Select VPN and Remote access
  • Select LAN to LAN
  • Fill out a profile (e.g. 1) with basic information (name etc.)
  • Select Dial-out, Always on, enable ping to keep alive and give it the IP of the other VPN router (dial-in)
  • Don't fill out the dial-in settings on the dial-out router, at least initially. It's worth making it work first.
  • At the bottom, leave My WAN IP and Remote Gateway IP for the router to derive for itself.
  • For me, local and remote netmasks are
  • Local network IP is the address of this (dial-out) router
  • Remote network IP is the remote subnet, but with .0 for the last octet, so it can be remotely assigned (either statically or by DHCP).
  • Leave RIP direction as 'Disable'.
  • And crucially, set 'From first subnet to remote network, you have to do' to 'NAT'.

Dial-in end

The dial-in settings are simpler, really just a reflection of the dial-out settings.

  • On the dial-in end, I left 'From first subnet to remote network, you have to do' as 'Route'.

Initially, after setting up both ends in this way, both routers showed the VPN connection as up. However, I couldn't ping from the dial-out end to the dial-in end, either from the command line or from the router's PING diagnostics.

The last mental step came from this post:

In it, Mr. Draytek describes changing a single setting, "From first subnet to remote network, you have to do", from 'Route' to 'NAT'. That turned out to be the key.