DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

MULTIPLE VPN's

  • mike_cyd
  • Topic Author
  • Offline
  • New Member
  • New Member
More
28 Oct 2009 13:29 #58517 by mike_cyd
MULTIPLE VPN's was created by mike_cyd
I have a Vigor 2820 and need some advice on configuring multiple VPN's.

Our Vigor 2820 is connected to a SDSL circuit using a static IP adress. We already have a VPN link to a remote site that is working fine. This has been configured under "Lan to Lan" using IPSec tunnel and pre-shared key and operates through the WAN1.

I am now trying to configure a 2nd VPN to a call centre so have been provided with configuration detail including their remote IP, the shared key, and encrypting method. I have configured a profile with this information but we are unable to get this 2nd VPN connected.

I have noted that under "VPN and Remote Access" on the menu there is a "IPSec General Setup". From memory this was configured with the shared key for our current VPN link. Will this shared key apply to the 2nd VPN profile I am creating (ie. is this a general setup for all VPN profiles).

I also wanted to check that I can use the same IP address that our exisiting VPN is using for this 2nd one I am trying to create (this is our static IP addreess that I provide the remote site when they connect to us).

Comments welcome and thanks in advance.

Please Log in or Create an account to join the conversation.

More
28 Oct 2009 14:31 #58518 by njh
Replied by njh on topic MULTIPLE VPN's
Based on my 2900 and 2600 (where the UI is a bit different from yours), the PSK in IPSec General Setup is only for VPN's attempting to connect to you where you have not specified a Peer VPN Server IP in the LAN-LAN profile setup. It is not used for connections where you dial out. If you are dialling out, the PSK goes in the Dial-Out Settings in the LAN-LAN profile.

You can use your WAN IP for multiple VPN's.

Without revealing the PSK and munging the IP's, can you post the settings you have been given by the call centre and the settings you are trying to use in the 2820?

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

  • mike_cyd
  • Topic Author
  • Offline
  • New Member
  • New Member
More
28 Oct 2009 15:20 #58519 by mike_cyd
Replied by mike_cyd on topic MULTIPLE VPN's
Thanks for your response, its much appreciated

Configuration information I was sent is as follows:

IPSec Security Protocol = ESP
Phase-I Authentication Method = 1 Pre-shared Key
Phase -I Encryption Algorithm = DES
Phase-I Message Integrity Algo = MD5-HMAC
Phase II- Encryption Algorithm = DES
Phase- II Message Integrity Algo = MD5-HMAC
IP Compression Algorithm = None
Security Association Lifetime = 86400 sec
PFS(Perfect Forward Secrecy) = No
DH Group = Group 2
VPN Mode = Tunnel

I have configured my VPN Lan to Lan Profile as follows:

Common Settings
Profile – Profile name has been assigned and “enable” tick box selected
VPN Dial-Out Through - WAN1 (first) selected
Netbios naming packet = Pass (block is other option)
Call direction – “both” has been selected

Dial-Out settings
Type of server I am calling - IPSec Tunnel has been selected
Server IP/Host name: Remote IP address has been entered
IKE Authentication method – Pre shared key has been selected and i have entered the key.
IPSec Security Method – Medium (AH) has been selected
IP Sec Security Method “Advanced button”:
IKE Phase 1 mode = Main Mode
Phase 1 proposal = DES_MD5_G2
Phase 2 proposal = HMAC_SHA1/HMAC_MD5
Phase 1 and 2 lifetime set to 86400
Perfect forward secret = Disabled

Dial-In settings
This is set to IPSec Tunnel and all areas are grayed out.

TCP/IP Network settings
I’ve entered the remote IP and subnet mask I was provided
RIP Direction is set to disable

Please Log in or Create an account to join the conversation.

More
28 Oct 2009 15:50 #58520 by njh
Replied by njh on topic MULTIPLE VPN's
There is one issue I can see. You have set your IPSec security method to AH, but he is using ESP. Can you try changing? He has not said if he is using Authentication, so you'll just have to try with and without. You'll also have to look at your advanced options again once you make the change to ESP.

Unless you have given him your details, set the Call Direction to Dial Out. It is probably worth trying this anyway.

In the Remote Network IP setting, if you have a Remote Network <ask of 255.255.255.0, the remote network should end in .0.

FWIW, your call centre's security is pretty lax. I believe DES is readily crackable these days so 3DES should be a minimum security level. PFS should also be used if possible. At least he is using ESP and not AH!

2900Gi/v2.5.6; 2900/v2.5.6

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami