V. VPN (Virtual Private Networking)

Vigor3900 and Vigor2960 running firmware version 1.4.0 and above support IKEv2 with EAP authentication. This adds an extra layer of security to the IKEv2 VPN by the use of additional username and password authentication and certificate verification.

This article demonstrates how to create a self-signed certificate for server authentication, set up Vigor Router as an IKEv2 VPN server, and how to establish a connection from Windows using the Smart VPN Client v5.3.0 application.

Router Setup for IKEv2

1. Go to [Certificate Management] > [Trusted CA], click Build RootCA

• Enter all the information
• Select "2048" for Key Size
• Enter the Passphrase to sign the local certificate
• Click Apply to save

2. Click Download to export the Root CA, which will be installed on the VPN client.

3. Go to [Certificate Management] >[Local Certificate], click Generate:

• Select "Domain Name" for ID Type and enter the domain of router for ID Value
• Enter all the information
• Enter the domain of router for Common Name (CN)
• Select "2048" for Key Size
• Select "Enable" for Self Sign
• Enter the Passphrase of Root CA at CA Key Passphrase
• Click Apply

4. Go to User Management >> User Profile to add a user profile:

• Check Enable
• Enter Username and Password
• Select "Enable" for Xauth/EAP at PPTP/L2TP/SSL/OpenVPN Server

5. Go to VPN and Remote Access >> VPN Profiles >> IPsec to add a profile:

• Give a profile name and check Enable
• Select "Enable" for Remote Dial-In User
• Enter router's LAN network for Local IP / Subnet Mask
• Select "IKEv2" for IKE Protocol
• Select "RSA" for Auth Type and choose the certificate created in previous steps for Local Certificate.