With a site-to-site VPN connection, one site actively establishes the VPN connection (initiator) while the opposite site accepts the connection (responder).

It is also possible for both sites to be able to actively establish a VPN connection. However, this generally leads to problems because connection requests at the same time in both directions will fail.

This document describes how you can prevent both sides of a VPN connection from simultaneously trying to actively establish a connection.



In this example, a site-to-site VPN connection should always be established from the branch office to the headquarters.


1) Make sure that the VPN connection configuration at the responder site page does not include a public IP address or DNS name of the initiator site.

1.1) Open the configuration of the LANCOM router that is the VPN responder (in this example the router at the headquarters).

1.2) Switch to the menu

1.3) Open the entry for the VPN connection in the list.

1.4) Make sure that the short hold time is set to “0” and the remote “Gateway” field is left empty.

2) On the router that is the VPN responder (in this example the router at the headquarters), create a firewall rule, which prohibits sending IP packets to the remote VPN site as long as no VPN connection is established.

2.1) Open the configuration of the LANCOM router that responds to the VPN connection.

2.2) Navigate to the menu Firewall/QoS → IPv4 rules → Action objects.

2.3) Add a new action object.

2.4) Give the new object a name and, on the Actions tab,  click Add.

2.5) Click on OK to save the action object and switch to the menu Firewall/QoS → IPv4 rules → Rules.

2.6) Create a new Firewall rule:

On the Stations tab, set the Connection source to all stations and the Connection destination as the VPN connection (remote site) to the branch office.

2.7) Save the firewall rule and make sure it is always at the top of the list.

2.8) Write the configuration back to the LANCOM router.