DrayTek LAN-to-LAN IPsec VPN Configuration Guide

DrayTek Vigor routers can create securely encrypted VPN links between networks across the Internet.

This guide demonstrates how to configure an IPsec VPN tunnel between two locations, with two scenarios:

Two sites with static public IP addresses
In this scenario, use Main mode. See below for more details.

One site with a static public IP address and the other site behind NAT or using a dynamic public IP address
In this scenario, Aggressive mode can be used to link the two sites using IPsec. Otherwise, try using an SSL VPN.

[Image: LANtoLAN Example]

An IPsec VPN connection between two DrayTek routers is possible using either Main mode or Aggressive mode:

Main mode

This uses the Pre-Shared Key and the public IP address of each side to authenticate the VPN connection. It requires a fixed public IP on both sides of the connection unless a global PSK is used; using a global PSK for VPN is not covered in this article.

Aggressive mode

This uses the Pre-Shared Key and a Peer ID to authenticate the VPN connection, so it can be used where either side of the VPN has a dynamic IP address. Note that in Aggressive mode the authentication hash derived from the Pre-Shared Key is exchanged unencrypted, so anyone who captures the exchange can test guessed keys offline; use a long, random Pre-Shared Key such as the one in the examples below.

The tunnel can be configured to use one of the following IPsec security methods:

Medium (AH)

This is an unencrypted tunnel type. AH uses MD5 or SHA1 to authenticate the packets sent and received through the VPN and to detect tampering, but it does not hide their contents, so anyone on the path can read the traffic.

High (ESP)

This encrypts the traffic with one of three ciphers (DES, 3DES or AES) and allows authentication (MD5 or SHA1) to be enabled or disabled. For a new tunnel, choose AES with authentication enabled: DES and 3DES are obsolete ciphers, MD5 is a deprecated hash, and ESP without authentication gives no protection against modified or replayed packets.

Before setting up VPN

Ensure the IPsec VPN Service is enabled by clicking on [VPN and Remote Access] – [Remote Access Control] and checking Enable IPsec VPN Service.

Leave any VPN service that is not in use unticked; every enabled service is another way into the router.

[Screenshot: LANtoLAN EnableIPSec]

Click OK to confirm.

LAN to LAN VPN IPsec Using Main Mode

This example shows the setup of an IPsec Main Mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection. These are the details of the two networks:

                     London             Liverpool
LAN Address          192.168.1.0        10.1.1.0
LAN Subnet Mask      255.255.255.0      255.255.255.0
Router's Address     192.168.1.1        10.1.1.1
Public IP Address    203.0.113.2        198.51.100.17
VPN Profile Name     Liverpool          London
Call Direction       Incoming           Outgoing
Protocols            IPsec only         IPsec only
Pre-Shared Key       xf1YMWdu06VWbG3    xf1YMWdu06VWbG3

Dial In VPN - London Router

This needs to be configured as a Dial-In VPN connection to accept the connection attempt from the Liverpool router.

Step 1 - Create a new VPN Profile

Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.

[Screenshot: LANtoLAN Profile1]

Configure the Common Settings

[Screenshot: LANtoLAN CommonSettingsDialIn]

On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-In and set the Idle Timeout to 0 seconds so that the tunnel is not dropped when idle.

Dial-Out Settings can be left as they are; this router accepts the incoming VPN and does not dial out itself.

Step 2 - Configure Dial-In VPN Settings

Configure the Dial-In Settings of the VPN profile:

[Screenshot: LANtoLan DialInsettings]

  1. Set the Allowed Dial-In Type to IPsec Tunnel
  2. Tick the Specify Remote VPN Gateway option and enter the Peer VPN Server IP as the public IP address of the remote router (Liverpool is 198.51.100.17 in this example)
  3. Leave the Username and Password fields blank
  4. Tick the Pre-Shared Key option and click the IPsec Pre-Shared Key button. A window pops up in which the Pre-Shared Key must be entered twice to confirm it; click OK to close the window. The Pre-Shared Key field should then show the key in starred-out form
  5. Under the IPsec Security Method section, untick any methods that are not needed, so that the router will not accept a weaker proposal than intended. If using AES encryption, untick DES and 3DES

Step 3 - Configure TCP/IP Network Settings

The IP address details for the VPN need to be configured, those are under TCP/IP Network Settings:

[Screenshot: LANtoLAN DialInNetworkSettings]

  1. Leave the My WAN IP and Remote Gateway IP fields blank
  2. Enter the network address of the remote LAN under Remote Network IP and adjust the subnet mask if required (10.1.1.0 / 255.255.255.0 for Liverpool in this example)
  3. Check that the Local Network IP details are correct. They are pre-set from the router's LAN settings and do not normally need changing, but if the router has multiple subnets, select the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.

Dial-Out VPN – Liverpool Router

This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router.

Step 1 - Create a new VPN Profile

As with the first router, go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.

[Screenshot: LANtoLAN Profile1]

On that page, configure the Common Settings like so:

[Screenshot: LANtoLAN CommonSettingsDialOut]

On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-Out and tick the Always on box so that the VPN is re-established whenever it drops.

Step 2 - Configure Dial-Out VPN Settings

Configure the Dial-Out Settings of the VPN tunnel:

[Screenshot: LANtoLAN DialOutSettings]

  1. Set the Type of VPN to IPsec Tunnel
  2. Set the Server IP/Host Name for VPN to the public IP address of the VPN server; in this example, London is 203.0.113.2
  3. Set the Pre-Shared Key to the key agreed for the VPN tunnel. It can be entered directly, or by clicking the IKE Pre-Shared Key button and entering it twice so that it is validated
  4. Set the IPsec Security Method to High(ESP) and select AES with Authentication from the drop-down list

Dial-In Settings can be left as they are.

Step 3 - Configure TCP/IP Network Settings

The IP address details for the VPN then need to be configured under TCP/IP Network Settings:

[Screenshot: LANtoLan DialOutNetworkSettings]

  1. Leave the My WAN IP and Remote Gateway IP fields blank
  2. Enter the network address of the remote LAN under Remote Network IP and adjust the subnet mask if required (192.168.1.0 / 255.255.255.0 for London in this example)
  3. Check that the Local Network IP details are correct. They are pre-set from the router's LAN settings and do not normally need changing, but if the router has multiple subnets, select the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.

How to check if your VPN is working

Once both sides of the VPN have been configured, if all the details are correct and the routers can reach each other over the Internet, the VPN should establish. This can be checked from [VPN and Remote Access] – [Connection Management], which lists the VPN in the status window:

[Screenshot: LANtoLAN ConnectionManagement]
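Most tunnels that fail to establish do so because the two profiles do not mirror each other (remote network, peer address, Pre-Shared Key, security method) or because one side allows a method the other does not. The following Python cross-check of the two profiles from the table is an added example for this guide, not DrayTek code, and it does not talk to the router: each profile is a plain dict whose keys stand for the GUI fields used in the steps above (Call Direction, Public IP, Server IP/Host Name, Local/Remote Network, Peer VPN Server IP or Peer ID, Pre-Shared Key, IPsec Security Method, IKE phase 1 mode). The dict layout, the "PROTO/CIPHER/HASH" notation for a security method and the policy rules (no AH, no DES/3DES/MD5, no ESP without authentication) are this example's own assumptions. It also covers the Aggressive mode pair, where the Dial-Out side has a dynamic address and is matched by Peer ID.

```python
"""Cross-check two DrayTek LAN-to-LAN IPsec profiles before dialling.

Added example; not DrayTek code. Field names mirror the GUI, the dict
layout and policy rules are this example's assumptions.
"""
import ipaddress

WEAK_CIPHERS = {"DES", "3DES"}   # obsolete ciphers the GUI still offers
WEAK_HASHES = {"MD5"}            # deprecated hash the GUI still offers


def check_method(label, method, findings):
    """Flag a security method that is unencrypted, unauthenticated or uses
    deprecated algorithms. method is e.g. 'ESP/AES/SHA1' or 'AH/none/MD5'."""
    proto, cipher, auth = method.split("/")
    if proto == "AH":
        findings.append(f"{label} {method}: Medium (AH) authenticates but does not encrypt")
    if proto == "ESP" and auth == "none":
        findings.append(f"{label} {method}: ESP without authentication; enable SHA1")
    if cipher in WEAK_CIPHERS:
        findings.append(f"{label} {method}: {cipher} is obsolete; use AES")
    if auth in WEAK_HASHES:
        findings.append(f"{label} {method}: MD5 is deprecated; use SHA1")


def check_pair(dial_in, dial_out):
    """Return a list of findings; an empty list means the two profiles
    mirror each other and meet the policy above."""
    findings = []
    if dial_in["call_direction"] != "Dial-In" or dial_out["call_direction"] != "Dial-Out":
        findings.append("one profile must be Dial-In and the other Dial-Out")

    # TCP/IP Network Settings: each side's Remote Network is the other
    # side's Local Network, and the two LANs must not overlap.
    def net(s):
        return ipaddress.ip_network(s, strict=False)
    in_local, in_remote = net(dial_in["local_network"]), net(dial_in["remote_network"])
    out_local, out_remote = net(dial_out["local_network"]), net(dial_out["remote_network"])
    if in_remote != out_local:
        findings.append(f"Dial-In Remote Network {in_remote} != Dial-Out Local Network {out_local}")
    if out_remote != in_local:
        findings.append(f"Dial-Out Remote Network {out_remote} != Dial-In Local Network {in_local}")
    if in_local.overlaps(out_local):
        findings.append(f"LAN subnets {in_local} and {out_local} overlap; traffic will not enter the tunnel")

    # The Dial-Out side dials the Dial-In side's public IP.
    if dial_out["server_ip"] != dial_in["public_ip"]:
        findings.append(f"Dial-Out Server IP {dial_out['server_ip']} is not the Dial-In public IP {dial_in['public_ip']}")

    # How the Dial-In side recognises the peer depends on IKE phase 1 mode.
    mode = dial_out["ike_phase1_mode"]
    if mode == "Main":
        if dial_out["public_ip"] == "Dynamic":
            findings.append("Main mode needs a static public IP on both sides; use Aggressive mode")
        elif dial_in.get("peer_vpn_server_ip") != dial_out["public_ip"]:
            findings.append(f"Dial-In Peer VPN Server IP {dial_in.get('peer_vpn_server_ip')} "
                            f"is not the Dial-Out public IP {dial_out['public_ip']}")
    elif mode == "Aggressive":
        if not dial_out.get("local_id") or dial_in.get("peer_id") != dial_out["local_id"]:
            findings.append("Aggressive mode: Dial-Out Local ID must equal Dial-In Peer ID")
    else:
        findings.append(f"unknown IKE phase 1 mode {mode!r}")

    if dial_in["psk"] != dial_out["psk"]:
        findings.append("Pre-Shared Keys differ")

    # Dial-In ticks the methods it accepts; Dial-Out selects exactly one,
    # which must be among them.
    if dial_out["security_method"] not in dial_in["allowed_methods"]:
        findings.append(f"Dial-In does not allow {dial_out['security_method']}")
    for m in dial_in["allowed_methods"]:
        check_method("Dial-In allows", m, findings)
    check_method("Dial-Out uses", dial_out["security_method"], findings)
    return findings


# The two Main mode profiles from the table above.
LONDON_MAIN = {
    "call_direction": "Dial-In", "public_ip": "203.0.113.2",
    "local_network": "192.168.1.0/255.255.255.0", "remote_network": "10.1.1.0/255.255.255.0",
    "peer_vpn_server_ip": "198.51.100.17", "psk": "xf1YMWdu06VWbG3",
    "allowed_methods": ["ESP/AES/SHA1"],
}
LIVERPOOL_MAIN = {
    "call_direction": "Dial-Out", "public_ip": "198.51.100.17", "server_ip": "203.0.113.2",
    "local_network": "10.1.1.0/255.255.255.0", "remote_network": "192.168.1.0/255.255.255.0",
    "ike_phase1_mode": "Main", "psk": "xf1YMWdu06VWbG3", "security_method": "ESP/AES/SHA1",
}
# The same pair in Aggressive mode: Liverpool has a dynamic address and is
# matched by its Local ID instead.
LONDON_AGG = dict(LONDON_MAIN, peer_vpn_server_ip=None, peer_id="Liverpoolrouter")
LIVERPOOL_AGG = dict(LIVERPOOL_MAIN, public_ip="Dynamic", ike_phase1_mode="Aggressive",
                     local_id="Liverpoolrouter")

if __name__ == "__main__":
    for name, a, b in (("main", LONDON_MAIN, LIVERPOOL_MAIN),
                       ("aggressive", LONDON_AGG, LIVERPOOL_AGG),
                       ("server ip typo", LONDON_MAIN, dict(LIVERPOOL_MAIN, server_ip="203.0.113.12"))):
        print(name, check_pair(a, b) or "OK")
```

Run it before dialling: a single mistyped digit in the Server IP/Host Name, an unticked method on the Dial-In side, or two LANs on the same 192.168.1.0 range each produce one finding, while the two pairs from the tables pass clean.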

LAN to LAN VPN IPsec Aggressive Mode

This example shows the setup of an IPsec Aggressive Mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection. Because an Aggressive mode VPN identifies the peer by a separate identifier rather than by its IP address, this identifier must be configured as the Local ID on the Dial-Out router and as the Peer ID on the Dial-In router. This example uses “Liverpoolrouter” as that ID, but it can be any text, even an email address; it has no significance beyond identifying the connecting router, and as it is sent unencrypted it should not contain anything sensitive. These are the details of the two networks:

                     London             Liverpool
LAN Address          192.168.1.0        10.1.1.0
LAN Subnet Mask      255.255.255.0      255.255.255.0
Router's Address     192.168.1.1        10.1.1.1
Public IP Address    203.0.113.2        Dynamic
VPN Profile Name     Liverpool          London
Call Direction       Incoming           Outgoing
Protocols            IPsec only         IPsec only
Pre-Shared Key       xf1YMWdu06VWbG3    xf1YMWdu06VWbG3
Local ID             n/a                Liverpoolrouter

Dial In VPN - London Router

This needs to be configured as a Dial-In VPN connection to accept the connection attempt from the Liverpool router.

Step 1 - Create a new VPN Profile

Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.

[Screenshot: LANtoLAN Profile1]

On that page, configure the Common Settings like so:

[Screenshot: LANtoLANAggMode CommonSettingsDialIn]

On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-In and set the Idle Timeout to 0 seconds so that the tunnel is not dropped when idle.

Dial-Out Settings can be left as they are; this router accepts the incoming VPN and does not dial out itself.

Step 2 - Configure Dial-In VPN Settings

Configure the Dial-In Settings of the VPN profile:

[Screenshot: LANtoLANAggMode DialInSettings]

  1. Set the Allowed Dial-In Type to IPsec Tunnel
  2. Tick the Specify Remote VPN Gateway option and enter the Peer ID. This must match exactly the Local ID that will be configured on the other router; in this example it is “Liverpoolrouter”
  3. Leave the Username and Password fields blank
  4. Tick the Pre-Shared Key option and click the IPsec Pre-Shared Key button. A window pops up in which the Pre-Shared Key must be entered twice to confirm it; click OK to close the window. The Pre-Shared Key field should then show the key in starred-out form
  5. Under the IPsec Security Method section, untick any methods that are not needed, so that the router will not accept a weaker proposal than intended. If using AES encryption, untick DES and 3DES

Step 3 - Configure TCP/IP Network Settings

The IP address details for the VPN need to be configured, those are under TCP/IP Network Settings:

[Screenshot: LANtoLANAggMode NetworkSettingsDialIn]

  1. Leave the My WAN IP and Remote Gateway IP fields blank
  2. Enter the network address of the remote LAN under Remote Network IP and adjust the subnet mask if required (10.1.1.0 / 255.255.255.0 for Liverpool in this example)
  3. Check that the Local Network IP details are correct. They are pre-set from the router's LAN settings and do not normally need changing, but if the router has multiple subnets, select the subnet that will be used for the VPN tunnel

Click OK on the VPN profile to save and apply it.

Dial-Out VPN – Liverpool Router

This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router.

Step 1 - Create a new VPN Profile

Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.

[Screenshot: LANtoLAN Profile1]

On that page, configure the Common Settings like so:

[Screenshot: LANtoLANAggMode CommonSettingsDialOut]

On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-Out and tick the Always on box so that the VPN is re-established whenever it drops.

Step 2 - Configure Dial-Out VPN Settings

Configure the Dial-Out Settings of the VPN tunnel:

[Screenshot: LANtoLANAggMode DialOutSettings]

  1. Set the Type of VPN to IPsec Tunnel
  2. Set the Server IP/Host Name for VPN to the address of the VPN server; in this example, London is 203.0.113.2
  3. Set the Pre-Shared Key to the key agreed for the VPN tunnel. It can be entered directly, or by clicking the IKE Pre-Shared Key button and entering it twice so that it is validated
  4. Set the IPsec Security Method to High(ESP) and select AES with Authentication from the drop-down list
  5. Click the Advanced button to open the Advanced settings for IPsec:

[Screenshot: LANtoLANAggMode IKEAdvancedSettings]

  1. Set the IKE phase 1 mode to Aggressive mode
  2. Set the Local ID to the identifier this router will present, in this case “Liverpoolrouter”, then click OK to return to the VPN profile

Step 3 - Configure TCP/IP Network Settings

The IP address details for the VPN then need to be configured under TCP/IP Network Settings:

[Screenshot: LANtoLANAggMode NetworkSettingsDialOut]

  1. Leave the My WAN IP and Remote Gateway IP fields blank
  2. Enter the network address of the remote LAN under Remote Network IP and adjust the subnet mask if required (192.168.1.0 / 255.255.255.0 for London in this example)
  3. Check that the Local Network IP details are correct. They are pre-set from the router's LAN settings and do not normally need changing, but if the router has multiple subnets, select the subnet that will be used for the VPN tunnel

Click OK on the VPN profile to save and apply it.

Once both sides of the VPN have been configured, if all the details are correct and the routers can reach each other over the Internet, the VPN should establish. This can be checked from [VPN and Remote Access] – [Connection Management], which lists the VPN in the status window:

[Screenshot: LANtoLANAggMode ConnectionManagement]
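The reason the Pre-Shared Key matters so much more in Aggressive mode than in Main mode is visible in the protocol itself. In IKEv1 Aggressive mode the responder's authentication hash HASH_R (RFC 2409, section 5) is sent unencrypted in the second message, along with every value it is computed from except the Pre-Shared Key, so anyone who records the exchange can test candidate keys offline at their leisure, without ever sending a packet to either router. The Python below is an added example for this guide, not DrayTek code and not a real capture: the nonces, Diffie-Hellman values and cookies are constructed with os.urandom, and the SA and ID payload bodies are simplified, but the derivation of SKEYID and HASH_R follows the RFC with SHA1 as the negotiated hash. The wordlist and the weak key are also constructed for the demonstration.

```python
"""Why an Aggressive mode tunnel needs a strong Pre-Shared Key.

Added example; not DrayTek code and not a real capture. HASH_R is derived
as in RFC 2409 section 5 with SHA1; all payload values are constructed.
"""
import hashlib
import hmac
import os
import secrets


def prf(key, data):
    """RFC 2409 prf when SHA1 is negotiated: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk, cap):
    """SKEYID = prf(psk, Ni_b | Nr_b) for pre-shared key authentication;
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    skeyid = prf(psk, cap["ni"] + cap["nr"])
    return prf(skeyid, cap["g_xr"] + cap["g_xi"] + cap["cky_r"] + cap["cky_i"]
               + cap["sai_b"] + cap["idir_b"])


def observed_exchange(psk):
    """What a passive observer keeps from messages 1 and 2 when the
    Liverpool router dials London (constructed values, not a real packet)."""
    cap = {
        "ni": os.urandom(16), "nr": os.urandom(16),        # initiator/responder nonces
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),  # DH public values (group 2 length)
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),    # ISAKMP cookies
        "sai_b": b"\x00\x00\x00\x01esp-aes-sha1",          # simplified SA payload body
        # Responder ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0,
        # then London's public address 203.0.113.2 (London sets no Local ID).
        "idir_b": b"\x01\x00\x00\x00" + bytes([203, 0, 113, 2]),
    }
    cap["hash_r"] = hash_r(psk, cap)   # sent unencrypted by the responder
    return cap


def crack_psk(cap, wordlist):
    """Offline dictionary attack: recompute HASH_R for each candidate and
    compare with the observed value. Nothing is sent to the router."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, cap), cap["hash_r"]):
            return candidate
    return None


def new_psk(nbytes=24):
    """A random URL-safe PSK of the kind used in the tables above (32 chars
    for the default). Check the router's maximum PSK length in the GUI
    before choosing a longer value (assumption, not taken from the guide)."""
    return secrets.token_urlsafe(nbytes)


# Constructed wordlist: the kind of guesses an attacker tries first.
WORDLIST = [b"password", b"draytek", b"liverpool", b"vpn12345", b"London2024"]


def demo():
    """Recover a dictionary-word PSK from a captured exchange; fail on the
    random key from the table."""
    weak = observed_exchange(b"liverpool")
    strong = observed_exchange(b"xf1YMWdu06VWbG3")
    return crack_psk(weak, WORDLIST), crack_psk(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())        # (b'liverpool', None)
    print(new_psk())
```

The attack scales with the attacker's hardware and wordlist, not with anything the router does, which is why the guide's 15-character random key is the minimum you should accept for an Aggressive mode tunnel; a key derived from a site name or a dictionary word falls in seconds.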

LAN-to-LAN VPN Troubleshooting

Here is a list of the most common configuration mistakes made in setting up a Vigor-to-Vigor VPN connection, as well as some general advice for VPN configuration.

