DrayTek Vigor routers can create securely encrypted VPN links between networks across the Internet.
This guide demonstrates how to configure an IPsec VPN tunnel between two locations, with two scenarios:
Scenario | Which mode to use
Two sites with static public IP addresses | Use Main mode. See below for more details.
One site with a static public IP address, the other behind NAT or using a dynamic public IP address | Use Aggressive mode to link the two sites using IPsec. Otherwise, try using an SSL VPN.
An IPsec VPN connection between two DrayTek routers is possible using either Main mode or Aggressive mode:
Main mode | Uses the Pre-shared key and the public IP addresses of each side to authenticate the VPN connection. This requires a fixed IP on both sides of the VPN connection unless a global PSK is used. Using a global PSK for VPN is not covered in this article.
Aggressive mode | Uses the Pre-shared key and a Peer ID to authenticate the VPN connection. This can be used where either side of the VPN is using a dynamic IP address. The Peer ID is sent unencrypted during negotiation, so the pre-shared key is the only secret protecting an Aggressive mode tunnel; use a long, random key.
There are several security methods that can be used for the VPN:
Medium (AH) | An unencrypted tunnel type that uses MD5 or SHA1 to authenticate the packets sent and received through the VPN, ensuring they are genuine and have not been tampered with. It provides no confidentiality: anyone on the path between the two sites can read the traffic.
High (ESP) | Encrypts the traffic with one of three ciphers (DES, 3DES, AES) and allows authentication (MD5 or SHA1) to be enabled or disabled. Choose AES with authentication enabled: DES is far too weak and 3DES is deprecated, SHA1 is preferable to MD5, and ESP without authentication cannot detect packets that were altered in transit.
This example shows the setup of an IPsec Main mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection. These are the details of the two networks:
 | London | Liverpool
LAN Address | 192.168.1.0 | 10.1.1.0
LAN Subnet Mask | 255.255.255.0 | 255.255.255.0
Router's Address | 192.168.1.1 | 10.1.1.1
Public IP Address | 203.0.113.2 | 198.51.100.17
VPN Profile Name | Liverpool | London
Call Direction | Incoming | Outgoing
Protocols | IPsec only | IPsec only
Pre-Shared Key | xf1YMWdu06VWbG3 | xf1YMWdu06VWbG3
The London router needs to be configured with a Dial-In VPN profile to accept the connection attempt from the Liverpool router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.
Configure the Common Settings
On the left, enter a profile name (Liverpool) and tick Enable this profile. On the right, set Call direction to Dial-In and set the Idle Timeout to 0 seconds so that the VPN is not disconnected when idle.
Dial-Out Settings can be left as they are; this router accepts incoming VPNs and does not dial out itself.
Step 2 - Configure Dial-In VPN Settings
Configure the Dial-In Settings of the VPN profile: allow only IPsec as the dial-in type (the Protocols row of the table above), set the Pre-Shared Key to xf1YMWdu06VWbG3 and, because Main mode authenticates on the peer's address, restrict the profile to the Liverpool router's public IP address, 198.51.100.17.
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN need to be configured under TCP/IP Network Settings: the remote network is the Liverpool LAN, 10.1.1.0 with subnet mask 255.255.255.0, and the local network is London's own LAN, 192.168.1.0 with subnet mask 255.255.255.0.
Click OK on that VPN profile to save and apply it.
The Liverpool router needs to be configured with a Dial-Out VPN profile to initiate the connection to the London router.
Step 1 - Create a new VPN Profile
As with the first router, go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.
On that page, configure the Common Settings like so:
On the left, enter a profile name (London) and tick Enable this profile. On the right, set Call direction to Dial-Out and tick the Always on box so that the VPN is re-established whenever it drops.
Step 2 - Configure Dial-Out VPN Settings
Configure the Dial-Out Settings of the VPN tunnel: select IPsec as the type, enter the London router's public IP address, 203.0.113.2, as the server, set the Pre-Shared Key to xf1YMWdu06VWbG3 and set IKE phase 1 to Main mode.
Dial-In Settings can be left as they are; this router dials out and does not accept incoming VPNs in this profile.
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN then need to be configured under TCP/IP Network Settings, mirroring the London profile: the remote network is the London LAN, 192.168.1.0 with subnet mask 255.255.255.0, and the local network is Liverpool's own LAN, 10.1.1.0 with subnet mask 255.255.255.0.
Click OK on that VPN profile to save and apply it.
Once both sides of the VPN have been configured, the VPN should establish provided all the details are correct and the routers can reach each other. This can be checked from [VPN and Remote Access] – [Connection Management], which lists the VPN in the status window once it is up:
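Most failed LAN-to-LAN tunnels come down to the two profiles not mirroring each other. The following added example (not DrayTek's code) models the London and Liverpool profiles from the table above as plain dicts and applies the rules this guide relies on: identical pre-shared key, one Dial-In and one Dial-Out side, matching IKE mode, static public IPs when Main mode is used (or a matching Local ID / Peer ID pair when Aggressive mode is used, as in the mode table earlier), each side's remote network equal to the other side's LAN, non-overlapping LANs, and a security method that actually encrypts. The security method (ESP with AES and SHA1) and the field names are choices made for this example; the page only lists the available options.

```python
"""Consistency check for a pair of DrayTek LAN-to-LAN IPsec profiles (added example)."""
import ipaddress

# Constructed from the Main mode table; ESP/AES/SHA1 is this example's choice.
LONDON = {
    "name": "London", "profile_name": "Liverpool",
    "call_direction": "dial-in", "ike_mode": "main",
    "public_ip": "203.0.113.2",
    "local_network": "192.168.1.0/24", "remote_network": "10.1.1.0/24",
    "psk": "xf1YMWdu06VWbG3", "security": ("ESP", "AES", "SHA1"),
    "idle_timeout": 0, "always_on": False,
}
LIVERPOOL = {
    "name": "Liverpool", "profile_name": "London",
    "call_direction": "dial-out", "ike_mode": "main",
    "public_ip": "198.51.100.17",
    "local_network": "10.1.1.0/24", "remote_network": "192.168.1.0/24",
    "psk": "xf1YMWdu06VWbG3", "security": ("ESP", "AES", "SHA1"),
    "idle_timeout": 0, "always_on": True,
}


def check_pair(a, b):
    """Return a list of problems with the pair; an empty list means the two
    profiles are consistent with each other and with the guide's rules."""
    problems = []

    def err(side, msg):
        problems.append(f"{side['name']}: {msg}")

    # The pre-shared key must be identical on both sides.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")

    # Exactly one side dials out; the other accepts and must not time out.
    if {a["call_direction"], b["call_direction"]} != {"dial-in", "dial-out"}:
        problems.append("one profile must be Dial-In and the other Dial-Out")
    for side in (a, b):
        if side["call_direction"] == "dial-out" and not side["always_on"]:
            err(side, "Dial-Out profile needs Always on ticked")
        if side["call_direction"] == "dial-in" and side["idle_timeout"] != 0:
            err(side, "Dial-In profile needs Idle Timeout 0 so it is not dropped when idle")

    # IKE phase 1 mode must match; Main mode authenticates on IP addresses,
    # Aggressive mode on a Local ID that the Dial-In side expects as Peer ID.
    if a["ike_mode"] != b["ike_mode"]:
        problems.append("IKE modes differ; both sides must use Main or both Aggressive")
    if "main" in (a["ike_mode"], b["ike_mode"]):
        for side in (a, b):
            if side["public_ip"] == "dynamic":
                err(side, "Main mode needs a static public IP; use Aggressive mode")
    if "aggressive" in (a["ike_mode"], b["ike_mode"]):
        dial_out = a if a["call_direction"] == "dial-out" else b
        dial_in = b if dial_out is a else a
        if not dial_out.get("local_id"):
            err(dial_out, "Aggressive mode needs a Local ID on the Dial-Out side")
        elif dial_in.get("peer_id") != dial_out["local_id"]:
            err(dial_in, "Peer ID must equal the Dial-Out side's Local ID")

    # Each side's remote network is the other side's LAN, and the LANs differ.
    a_lan = ipaddress.ip_network(a["local_network"])
    b_lan = ipaddress.ip_network(b["local_network"])
    if ipaddress.ip_network(a["remote_network"]) != b_lan:
        err(a, "remote network must be the peer's LAN")
    if ipaddress.ip_network(b["remote_network"]) != a_lan:
        err(b, "remote network must be the peer's LAN")
    if a_lan.overlaps(b_lan):
        problems.append("the two LANs overlap, so traffic cannot be routed across the tunnel")

    # Security method: AH has no confidentiality; DES/3DES and MD5 are obsolete.
    for side in (a, b):
        proto, enc, auth = side["security"]
        if proto == "AH":
            err(side, "Medium (AH) authenticates only; nothing is encrypted")
        else:
            if enc in ("DES", "3DES"):
                err(side, f"{enc} is obsolete; use AES")
            if auth is None:
                err(side, "ESP without authentication does not detect altered packets")
        if auth == "MD5":
            err(side, "MD5 is obsolete; use SHA1")
    if a["security"] != b["security"]:
        problems.append("security methods differ")
    return problems


if __name__ == "__main__":
    print("Main mode pair:", check_pair(LONDON, LIVERPOOL) or "OK")
    # Same pair, but Liverpool now has a dynamic address: Main mode no longer fits.
    print("Dynamic Liverpool:", check_pair(LONDON, dict(LIVERPOOL, public_ip="dynamic")))
```

Run it before clicking OK on the second router: an empty list means the two profiles mirror each other; anything else names the side and the setting to revisit.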
This example shows the setup of an IPsec Aggressive mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection. An Aggressive mode VPN uses a separate identifier, configured as the Local ID on the dialling-out side and as the Peer ID on the dial-in side. This example uses "Liverpoolrouter" as that ID, but it can be any text, even an email address; it has no significance beyond identifying the connecting router. The ID is transmitted in the clear during IKE negotiation, so it identifies the peer but is not a secret. These are the details of the two networks:
 | London | Liverpool
LAN Address | 192.168.1.0 | 10.1.1.0
LAN Subnet Mask | 255.255.255.0 | 255.255.255.0
Router's Address | 192.168.1.1 | 10.1.1.1
Public IP Address | 203.0.113.2 | Dynamic
VPN Profile Name | Liverpool | London
Call Direction | Incoming | Outgoing
Protocols | IPsec only | IPsec only
Pre-Shared Key | xf1YMWdu06VWbG3 | xf1YMWdu06VWbG3
Local ID | n/a | Liverpoolrouter
Peer ID | Liverpoolrouter | n/a
The London router needs to be configured with a Dial-In VPN profile to accept the connection attempt from the Liverpool router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.
On that page, configure the Common Settings like so:
On the left, enter a profile name (Liverpool) and tick Enable this profile. On the right, set Call direction to Dial-In and set the Idle Timeout to 0 seconds so that the VPN is not disconnected when idle.
Dial-Out Settings can be left as they are; this router accepts incoming VPNs and does not dial out itself.
Step 2 - Configure Dial-In VPN Settings
Configure the Dial-In Settings of the VPN profile: allow only IPsec as the dial-in type, set the Pre-Shared Key to xf1YMWdu06VWbG3 and, because the Liverpool router's address is dynamic, identify the peer by its Peer ID, Liverpoolrouter, rather than by IP address.
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN need to be configured under TCP/IP Network Settings: the remote network is the Liverpool LAN, 10.1.1.0 with subnet mask 255.255.255.0, and the local network is London's own LAN, 192.168.1.0 with subnet mask 255.255.255.0.
Click OK on the VPN profile to save and apply it.
The Liverpool router needs to be configured with a Dial-Out VPN profile to initiate the connection to the London router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first unused profile.
On that page, configure the Common Settings like so:
On the left, enter a profile name (London) and tick Enable this profile. On the right, set Call direction to Dial-Out and tick the Always on box so that the VPN is re-established whenever it drops.
Step 2 - Configure Dial-Out VPN Settings
Configure the Dial-Out Settings of the VPN tunnel: select IPsec as the type, enter the London router's public IP address, 203.0.113.2, as the server, set the Pre-Shared Key to xf1YMWdu06VWbG3, set IKE phase 1 to Aggressive mode and set the Local ID to Liverpoolrouter, matching the Peer ID configured on the London router.
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN then need to be configured under TCP/IP Network Settings, mirroring the London profile: the remote network is the London LAN, 192.168.1.0 with subnet mask 255.255.255.0, and the local network is Liverpool's own LAN, 10.1.1.0 with subnet mask 255.255.255.0.
Click OK on the VPN profile to save and apply it.
Once both sides of the VPN have been configured, the VPN should establish provided all the details are correct and the Liverpool router can reach 203.0.113.2. This can be checked from [VPN and Remote Access] – [Connection Management], which lists the VPN in the status window once it is up:
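The Aggressive mode section above notes that the Peer ID is sent in the clear and that the pre-shared key does all the work. The following added example (not DrayTek's code, and not a description of any flaw in the routers) shows why that matters at the protocol level. In IKEv1 Aggressive mode (RFC 2409) the responder's HASH_R is sent before any encryption is in place, and every other input to it (the cookies, the Diffie-Hellman public values, the nonces, the initiator's SA payload and the responder's ID) is also on the wire, so anyone who captured the exchange can recompute HASH_R for candidate keys offline. The exchange here is constructed, with HMAC-SHA1 standing in for the negotiated PRF and placeholder bytes for the Diffie-Hellman values and SA payload; a real check would parse these fields from a packet capture.

```python
"""Offline check of an IKEv1 Aggressive mode PSK against a captured HASH_R (added example)."""
import hashlib
import hmac


def skeyid(psk, ni, nr):
    """SKEYID for pre-shared key authentication: prf(psk, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def hash_r(psk, cky_i, cky_r, g_xi, g_xr, ni, nr, sa_i, id_r):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    data = g_xr + g_xi + cky_r + cky_i + sa_i + id_r
    return hmac.new(skeyid(psk, ni, nr), data, hashlib.sha1).digest()


def constructed_capture(psk):
    """Everything a passive observer records from a (constructed) Aggressive
    mode exchange in which London, 203.0.113.2, is the responder. The PSK is
    never transmitted; it is used here only to produce the HASH_R on the wire."""
    fields = {
        "cky_i": bytes.fromhex("0123456789abcdef"),   # initiator cookie (constructed)
        "cky_r": bytes.fromhex("fedcba9876543210"),   # responder cookie (constructed)
        "g_xi": bytes([0x11]) * 128,                  # placeholder 1024-bit DH public values
        "g_xr": bytes([0x22]) * 128,
        "ni": bytes(range(16)),                       # nonces (constructed)
        "nr": bytes(range(16, 32)),
        "sa_i": bytes.fromhex("00000001000000010000002801010001"),  # placeholder SA body
        # IDir_b: ID_IPV4_ADDR (type 1), protocol 0, port 0, then the responder's address
        "id_r": bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 2]),
    }
    fields["hash_r"] = hash_r(psk, **fields)
    return fields


def crack_psk(capture, candidates):
    """Dictionary attack: recompute HASH_R for each candidate PSK and compare it
    with the captured value. Returns the matching PSK, or None."""
    observed = capture["hash_r"]
    inputs = {k: v for k, v in capture.items() if k != "hash_r"}
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, **inputs), observed):
            return cand
    return None


# Constructed wordlist of the kind of keys that turn up in the field.
WORDLIST = [b"password", b"letmein", b"draytek", b"vpn12345", b"Summer2019!"]


if __name__ == "__main__":
    print(crack_psk(constructed_capture(b"letmein"), WORDLIST))          # b'letmein'
    print(crack_psk(constructed_capture(b"xf1YMWdu06VWbG3"), WORDLIST))  # None
```

A key chosen from a wordlist falls to this in milliseconds; the 15-character random key used in the tables above does not appear in any wordlist and has to be searched exhaustively. The practical rule is therefore: with Aggressive mode, generate the pre-shared key randomly and keep it long, and treat the Local / Peer ID as public. Main mode carries these payloads encrypted, which is one more reason to prefer it when both sites have static addresses.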