Fixed it by setting Local Security Gateway Type to "Dynamic IP + email address". With this setting the remote host doesn't check the incoming IP address, only the given email address. The disadvantage of this approach is that the tunnel can be initiated only from one end. Although this might work, it is a workround for the problem I have described.

Unable to access draytek router admin web page from IP address Jun 21, 2012 HITRON ROUTER AND STATIC IP - Virgin Media Community - … So the hitron will need an IP address (whether its static or dynamic) and the draytek will need one too. In this situation you wouldn't use the LAN DHCP settings on the Hitron, instead you would ask VMB for your IP Pool details and then set the WAN IP manually on the draytek to match. I think it is usually, IP 1 is for VMB, IP 2 is for your SG :: DrayTek Vigor 2820n Multi-WAN Router Jun 03, 2013

Draytek Router Passwords

How to Configure DrayTek Firewall to Restrict Incoming Feb 06, 2017

I access my Vigor 130's GUI interface on it's local IP of 192.168.2.3 and then get the statistics by typing "vdsl status" into the console. My Vigor 130 is running firmware version 3.7.8.3_m4. For those interested, my network consists of: 1 x Draytek Vigor 130 VDSL Modem 1 x Asus RT-AC66U Router 1 x Belkin Wirless N Router (F7D4402) in AP Mode

Jun 21, 2012 HITRON ROUTER AND STATIC IP - Virgin Media Community - … So the hitron will need an IP address (whether its static or dynamic) and the draytek will need one too. In this situation you wouldn't use the LAN DHCP settings on the Hitron, instead you would ask VMB for your IP Pool details and then set the WAN IP manually on the draytek to match. I think it is usually, IP 1 is for VMB, IP 2 is for your SG :: DrayTek Vigor 2820n Multi-WAN Router