DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
LAN - LAN VPN IPSEC CONFIG ?
- z3rocool
- Topic Author
- Offline
- New Member
Less
More
- Posts: 1
- Thank you received: 0
25 Jan 2010 22:56 #60048
by z3rocool
LAN - LAN VPN IPSEC CONFIG ? was created by z3rocool
Hi, I am trying to setup a LAN - LAN Ipsec VPN between at Vigor 2800 and a Vigor 2820. The 2800 was factory reset due to the admin password not being known. I have setup for internet access and SMTP to an SBS server which is all okay.
The 2820 (remote) router is setup with the same config for when the VPN worked before the 2800 was reset.
I have setup the LAN-LAN config checking on the settings in guides. I am not quite sure on the ipsec secutity methos. I have tried using different options but cannot get the routers to talk.
If I use High (ESP) and just DES box ticked, how do I set the client router to match this encryption?
I have options for DES, 3DES and AES with or without encryption.
I presume this is where my problem lies as I have double checked the other settings against guides and look to be correct.
Hope I have made a little sense, any help would be much appreciated.
Tom.
The 2820 (remote) router is setup with the same config for when the VPN worked before the 2800 was reset.
I have setup the LAN-LAN config checking on the settings in guides. I am not quite sure on the ipsec secutity methos. I have tried using different options but cannot get the routers to talk.
If I use High (ESP) and just DES box ticked, how do I set the client router to match this encryption?
I have options for DES, 3DES and AES with or without encryption.
I presume this is where my problem lies as I have double checked the other settings against guides and look to be correct.
Hope I have made a little sense, any help would be much appreciated.
Tom.
Please Log in or Create an account to join the conversation.
- njh
- Offline
- Member
Less
More
- Posts: 306
- Thank you received: 0
26 Jan 2010 13:02 #60061
by njh
2900Gi/v2.5.6; 2900/v2.5.6
Replied by njh on topic LAN - LAN VPN IPSEC CONFIG ?
Generally you should not have to bother with the encryption settings as the Vigors will negotiate the most secure option. I would suggest you disable the DES option s these days it is readily crackable.
In VPN and Remote Access >> Remote Access Control, make sure IPSec is enabled. Disable AH (medium) and DES. Assuming yu are using PSK's and not certificates, if you your remote Vigor has a dynamic IP, put your PSK here. If it has a fixed IP, put it in the LAN-LAN settings.
In LAN-LAN profile:
Common:
- Set one end to dial in, the other to dial out
- One end can have Always On checked, the other should have a timeout of 0. I cannot remember if it is the Dial In or Dial Out end which can have the always on set.
Dial Out settings for the dial out router:
- Check IPSec tunnel
- Server IP/Host Name... should be the WAN IP or FQDN of the router you are contacting.
- Preshared Key and enter it
- IPSec Security High and select something strong (3DES/AES) with authentication
- In Advanced, enable Perfect Forward Security
Dial In settings for the dial in router
- Check IPSec
- Specify Remote VPN gateway - only use this if the far router has a static WAN IP. If it does you also need to specify the PSK in the PSK section here.
- IPSec security method - disable AH and DES
TCP/IP Network Settings:
You only need to specify the far Lan range in the Remote Network Ip and Mask box. leave the other two boxes alone. You can probably turn off RIP.
Note if you have reset one of the boxes, make sure the LAN subnets are different at each end of the tunnel.
In VPN and Remote Access >> Remote Access Control, make sure IPSec is enabled. Disable AH (medium) and DES. Assuming yu are using PSK's and not certificates, if you your remote Vigor has a dynamic IP, put your PSK here. If it has a fixed IP, put it in the LAN-LAN settings.
In LAN-LAN profile:
Common:
- Set one end to dial in, the other to dial out
- One end can have Always On checked, the other should have a timeout of 0. I cannot remember if it is the Dial In or Dial Out end which can have the always on set.
Dial Out settings for the dial out router:
- Check IPSec tunnel
- Server IP/Host Name... should be the WAN IP or FQDN of the router you are contacting.
- Preshared Key and enter it
- IPSec Security High and select something strong (3DES/AES) with authentication
- In Advanced, enable Perfect Forward Security
Dial In settings for the dial in router
- Check IPSec
- Specify Remote VPN gateway - only use this if the far router has a static WAN IP. If it does you also need to specify the PSK in the PSK section here.
- IPSec security method - disable AH and DES
TCP/IP Network Settings:
You only need to specify the far Lan range in the Remote Network Ip and Mask box. leave the other two boxes alone. You can probably turn off RIP.
Note if you have reset one of the boxes, make sure the LAN subnets are different at each end of the tunnel.
2900Gi/v2.5.6; 2900/v2.5.6
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek