V. VPN (Virtual Private Networking)
ExpiredTeleworker VPN - IPsec - The GreenBow VPN Client
The DrayTek routers that support Dial-In VPN connections can use any compatible VPN client to connect a remote dial-in user VPN to achieve secured access to the network connected to the router and its internet connection.
In this example, the remote dial-in user will be connecting via The GreenBow VPN client, which is a 3rd party VPN client http://www.thegreenbow.com/, and will use the following protocols/parameters:
Protocol | IKEv1 |
Encryption Method | AES256 |
Authentication | SHA-1 |
Key Group | DH Group 14 (2048-bit) |
The GreenBow client is able to use either Main Mode or Aggressive Mode to connect:
Main Mode - This uses the router's global pre-shared key for dial-in users for all dial-in users connecting with IPsec.
Aggressive Mode - This uses a pre-shared key set per user account and the user identifies with its Peer ID setting. This is regarded as being slightly cryptographically less secure than main mode but does make it possible to manage multiple users.
Main Mode
A Remote Dial-In User VPN connection needs to have a profile configured first so that the router will allow the connection type and the pre-shared key. To configure that, go to [VPN and Remote Access] > [Remote Dial-In User] and on that page, click on the first available Index number:
That will go into the profile for that Dial-In user - because this is a Main Mode connection, the only settings needed for this connection type are enabling the account and enabling IPsec on it, the Username and Password configured will not be used for an IPsec connection:
Click OK to save the settings on that page then go to [VPN and Remote Access] > [IPsec General Setup], on that page, the Pre-Shared Key for the IPsec connection can be configured. It's also possible to select which encryption types are allowed, in this example, only AES is selected - the other encryption types would be rejected by the router:
Click OK to save the settings for and go into The GreenBow client software, go into the configuration mode by pressing Ctrl+Enter.
On that window, go to IKE V1 and click on the tunnel creation wizard:
Select "A router or a VPN gateway", then click Next:
Set the IP Address of the router and the Pre-Shared Key that was configured on the router. Set the Network Address of the router's LAN Subnet; in this case, the router's IP is 192.168.1.1 with a Subnet Mask of 255.255.255.0, so the resulting network address is 192.168.1.0. Click Next once that is set:
That will move onto the last page of the wizard, click Finish to add the connection into The GreenBow.
At this stage, the VPN should be set up sufficiently to connect, the latter images show how to configure the security settings used by The GreenBow.
In The GreenBow's configuration page, click on Ikev1Gateway and on the Authentication tab, set the security settings as shown:
Once that is set, go into Ikev1Tunnel to set the same IKE settings for the Phase 2 settings.
Also correct the Remote LAN Address and Subnet Mask if they appear to be incorrect:
Go to Configuration and select Save to save the changes to that tunnel's settings:
Go back to the connection window of The GreenBow and the newly created tunnel should show, double click on that to start the connection:
Once it has connected, it should give an indication of that in the lower right corner of the screen and show as connected in the connection window:
It should now be possible to use the VPN connection.
- First Published: 30/01/2015
- Last Updated: 22/04/2021