V. VPN (Virtual Private Networking)
DrayTek LAN-to-LAN IPsec VPN Configuration Guide
DrayTek Vigor routers can create securely encrypted VPN links between networks across the Internet.
This guide demonstrates how to configure an IPsec VPN tunnel between two locations, covering two scenarios:
Scenario | Recommended IKE mode
Two sites with static public IP addresses | Use Main mode. See below for more details.
One site with a static public IP address, the other behind NAT or using a dynamic public IP address | Aggressive mode can be used to link the two sites using IPsec. Otherwise, consider an SSL VPN.
An IPsec VPN connection between two DrayTek routers can use either Main mode or Aggressive mode for IKE phase 1:
Main mode | Authenticates the connection with the Pre-Shared Key and the public IP address of each side, so it requires a fixed IP address on both sides of the VPN unless a global PSK is used. Using a global PSK for VPN is not covered in this article.
Aggressive mode | Authenticates the connection with the Pre-Shared Key and a Peer ID, so it can be used where either side of the VPN has a dynamic IP address. Note that Aggressive mode sends the identity and a hash derived from the Pre-Shared Key before the exchange is encrypted, so anyone who captures the exchange can attempt to recover the key offline; use a long, random Pre-Shared Key.
Several security methods can be configured for the VPN:
Medium (AH) | An unencrypted tunnel type that uses MD5 or SHA1 only to authenticate packets and ensure that what is sent and received through the VPN is genuine and has not been tampered with. It provides no confidentiality: traffic crossing the Internet can be read.
High (ESP) | Encrypts the traffic with one of three ciphers (DES, 3DES, AES) and allows authentication (MD5 or SHA1) to be enabled or disabled. Use AES with authentication enabled; DES, 3DES and MD5 are considered weak, and authentication should not be disabled.
LAN to LAN VPN IPsec Using Main Mode
This example shows the setup of an IPsec Main Mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection. These are the details of the two networks:
Setting | London | Liverpool
LAN Address | 192.168.1.0 | 10.1.1.0
LAN Subnet Mask | 255.255.255.0 | 255.255.255.0
Router's Address | 192.168.1.1 | 10.1.1.1
Public IP Address | 203.0.113.2 | 198.51.100.17
VPN Profile Name | Liverpool | London
Call Direction | Incoming (Dial-In) | Outgoing (Dial-Out)
Protocols | IPsec only | IPsec only
Pre-Shared Key | xf1YMWdu06VWbG3 | xf1YMWdu06VWbG3
The Pre-Shared Key shown is an example value only; generate your own long, random key and never reuse one from documentation.
Dial In VPN - London Router
This needs to be configured as a Dial-In VPN connection to accept the connection attempt from the Liverpool router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first un-used profile.
Configure the Common Settings
On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-In and set Idle Timeout to 0 seconds so that the router does not drop the tunnel when it is idle.
Dial-Out Settings can be left as they are, this router is accepting incoming VPNs and not dialing out itself.
Step 2 - Configure Dial-In VPN Settings
Configure the Dial-In Settings of the VPN profile:
- Set the Allowed Dial-In Type to IPsec Tunnel
- Tick the Specify Remote VPN Gateway option and enter the Peer VPN Server IP as the Public IP address of the remote router (Liverpool is 198.51.100.17 in this example)
- Leave the Username and Password fields blank
- Tick the Pre-Shared Key option and click the IPsec Pre-Shared Key button. This opens a window where the Pre-Shared Key must be entered twice to confirm it; click OK to close the window. The Pre-Shared Key field should then show the key in starred-out form
- Under the IPsec Security Method section, untick any IPsec security types that are not needed. If using AES encryption, untick DES and 3DES: whatever is left ticked can still be negotiated by the remote side, so the tunnel is only as strong as the weakest method allowed
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN need to be configured, those are under TCP/IP Network Settings:
- The My WAN IP and Remote Gateway IP fields should be left blank
- Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
- Check that the Local Network IP details are correct. These are pre-set and do not normally need changing, but if the local router has multiple subnets, this can be changed to the subnet that will be routed over the VPN tunnel
Click OK on that VPN profile to save and apply it.
Dial-Out VPN – Liverpool Router
This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router.
Step 1 - Create a new VPN Profile
As with the first router, go to [VPN and Remote Access] – [LAN to LAN] and select the first un-used profile.
On that page, configure the Common Settings like so:
On the left enter a profile name and click Enable this profile. On the right Call direction should be set as a Dial-Out VPN and the Always on tickbox will need to be ticked so that the VPN is always active.
Step 2 - Configure Dial-Out VPN Settings
Configure the Dial-Out Settings of the VPN tunnel:
- Set the Type of VPN to IPsec Tunnel
- Set the Server IP/Host Name for VPN to the Public IP address of the VPN server; in this example, London is 203.0.113.2
- Set the Pre-Shared Key to the key required for the VPN tunnel, this can be entered directly or by clicking the IKE Pre-Shared Key button to enter it twice so that it can be validated
- Set the IPsec Security Method to High(ESP) and select AES with Authentication from the drop-down list
Dial-In Settings can be left as they are.
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN then need to be configured under TCP/IP Network Settings:
- The My WAN IP and Remote Gateway IP fields should be left blank
- Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
- Check that the Local Network IP details are correct. These are pre-set and do not normally need changing, but if the local router has multiple subnets, this can be changed to the subnet that will be routed over the VPN tunnel
Click OK on that VPN profile to save and apply it.
How to check if your VPN is working
Once both sides of the VPN have been configured, if all the details are correct and the routers can reach each other, the VPN should establish. This can be checked from [VPN and Remote Access] – [Connection Management], which lists the established VPN in the status window. To confirm that traffic is actually flowing, ping a host on the remote LAN (for example 10.1.1.1 from a machine on the London LAN). If the tunnel does not appear, check that the Pre-Shared Key and security methods match on both sides and that nothing between the two public IP addresses blocks IKE (UDP port 500), ESP (IP protocol 50), or UDP port 4500 when NAT traversal is in use.
LAN to LAN VPN IPsec Aggressive Mode
This example shows the setup of an IPsec Aggressive Mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which has a dynamic public IP address and will be set up with a Dial-Out connection. Because an Aggressive mode VPN identifies the peer by a separate identifier rather than by its IP address, this needs to be configured as the Local ID on the dialling-out router and as the Peer ID on the dial-in router. This example uses "Liverpoolrouter" as that ID; it can be any text, even an email address, and has no significance beyond identifying the connecting router, but the two sides must match exactly. These are the details of the two networks:
Setting | London | Liverpool
LAN Address | 192.168.1.0 | 10.1.1.0
LAN Subnet Mask | 255.255.255.0 | 255.255.255.0
Router's Address | 192.168.1.1 | 10.1.1.1
Public IP Address | 203.0.113.2 | Dynamic
VPN Profile Name | Liverpool | London
Call Direction | Incoming (Dial-In) | Outgoing (Dial-Out)
Protocols | IPsec only | IPsec only
Pre-Shared Key | xf1YMWdu06VWbG3 | xf1YMWdu06VWbG3
Local ID | n/a | Liverpoolrouter
Dial In VPN - London Router
This needs to be configured as a Dial-In VPN connection to accept the connection attempt from the Liverpool router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first un-used profile.
On that page, configure the Common Settings like so:
On the left, enter a profile name and tick Enable this profile. On the right, set Call Direction to Dial-In and set Idle Timeout to 0 seconds so that the router does not drop the tunnel when it is idle.
Dial-Out Settings can be left as they are, this router is accepting incoming VPNs and not dialing out itself.
Step 2 - Configure Dial-In VPN Settings
Configure the Dial-In Settings of the VPN profile:
- Set the Allowed Dial-In Type to IPsec Tunnel
- Tick the Specify Remote VPN Gateway option and enter the Peer ID as the Local ID that will be entered on the other router once configured, in this example it uses “Liverpoolrouter” as the identifier
- Leave the Username and Password fields blank
- Tick the Pre-Shared Key option and click the IPsec Pre-Shared Key button. This opens a window where the Pre-Shared Key must be entered twice to confirm it; click OK to close the window. The Pre-Shared Key field should then show the key in starred-out form
- Under the IPsec Security Method section, untick any IPsec security types that are not needed. If using AES encryption, untick DES and 3DES: whatever is left ticked can still be negotiated by the remote side, so the tunnel is only as strong as the weakest method allowed
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN need to be configured, those are under TCP/IP Network Settings:
- The My WAN IP and Remote Gateway IP fields should be left blank
- Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
- Check that the Local Network IP details are correct. These are pre-set and do not normally need changing, but if the local router has multiple subnets, this can be changed to the subnet that will be routed over the VPN tunnel
Click OK on the VPN profile to save and apply it.
Dial-Out VPN – Liverpool Router
This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router.
Step 1 - Create a new VPN Profile
Go to [VPN and Remote Access] – [LAN to LAN] and select the first un-used profile.
On that page, configure the Common Settings like so:
On the left enter a profile name and click Enable this profile. On the right Call direction should be set as a Dial-Out VPN and the Always on tickbox will need to be ticked so that the VPN is always active.
Step 2 - Configure Dial-Out VPN Settings
Configure the Dial-Out Settings of the VPN tunnel:
- Set the Type of VPN to IPsec Tunnel
- Set the Server IP/Host Name for VPN to the address of the VPN server; in this example, London is 203.0.113.2
- Set the Pre-Shared Key to the key required for the VPN tunnel, this can be entered directly or by clicking the IKE Pre-Shared Key button to enter it twice so that it can be validated
- Set the IPsec Security Method to High(ESP) and select AES with Authentication from the drop-down list
- Click the Advanced button to go into the Advanced settings for IPsec:
- Set the IKE phase 1 mode to Aggressive mode
- Set the Local ID to the ID that will identify this router, in this case "Liverpoolrouter" (it must match the Peer ID entered on the London router exactly), then click OK to return to the VPN profile
Step 3 - Configure TCP/IP Network Settings
The IP address details for the VPN then need to be configured under TCP/IP Network Settings:
- The My WAN IP and Remote Gateway IP fields should be left blank
- Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
- Check that the Local Network IP details are correct. These are pre-set and do not normally need changing, but if the local router has multiple subnets, this can be changed to the subnet that will be routed over the VPN tunnel
Click OK on the VPN profile to save and apply it.
Once both sides of the VPN have been configured, if all the details are correct and the routers can reach each other, the VPN should establish. It can be checked from [VPN and Remote Access] – [Connection Management], which lists the established VPN in the status window, and confirmed by pinging a host on the remote LAN, exactly as for the Main mode example.
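Most failed LAN-to-LAN tunnels come down to the two profiles not mirroring each other: a mistyped server address, a Peer ID that does not match the Local ID, a Remote Network that is not the other side's Local Network, or a weak method left ticked on the Dial-In side. The script below is an added example for both the Main mode and Aggressive mode procedures above; it is not DrayTek code and does not talk to a router. It models each profile as a dict keyed by the field names used in this guide (the key names, the entropy threshold and the weak-method list are this example's own assumptions) and reports every inconsistency before anything is entered into the GUI.

```python
"""Pre-flight consistency check for a LAN-to-LAN IPsec profile pair.

Added example for this guide, not DrayTek code. The two profiles are plain
dicts keyed by the field names the guide uses; the field names, the entropy
threshold and the weak-method list are assumptions made for this example.
"""
import ipaddress
import math

# Methods from the guide's security-method list that should be left unticked.
WEAK_METHODS = {"AH", "DES", "3DES", "MD5"}


def psk_entropy_bits(psk: str) -> float:
    """Rough strength estimate: length x log2(size of the character classes used)."""
    if not psk:
        return 0.0
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(not c.isalnum() for c in psk):
        size += 33
    return len(psk) * math.log2(size)


def check_pair(dial_in: dict, dial_out: dict) -> list:
    """Return a list of findings; an empty list means the two profiles are consistent."""
    findings = []
    if dial_in["call_direction"] != "Dial-In" or dial_out["call_direction"] != "Dial-Out":
        findings.append("one profile must be Dial-In and the other Dial-Out")
    if not dial_out.get("always_on"):
        findings.append("Dial-Out profile is not Always On, so the tunnel will not establish by itself")
    if dial_in.get("idle_timeout", 0) != 0:
        findings.append("Dial-In idle timeout is not 0, so the tunnel will drop when idle")

    # The PSK must be identical on both sides. Aggressive mode exposes a PSK-derived
    # hash to anyone capturing the exchange, so demand a stronger key there.
    mode = dial_out.get("ike_mode", "Main")
    if dial_in["psk"] != dial_out["psk"]:
        findings.append("pre-shared keys differ")
    min_bits = 80 if mode == "Aggressive" else 64
    if psk_entropy_bits(dial_out["psk"]) < min_bits:
        findings.append(f"PSK weaker than {min_bits} bits; too short for {mode} mode")

    # Addressing: the Dial-Out side targets the Dial-In side's public IP. In Main mode the
    # Dial-In side identifies the peer by its public IP, in Aggressive mode by its Peer ID.
    if dial_out["server"] != dial_in["public_ip"]:
        findings.append(f"Dial-Out server {dial_out['server']} is not the Dial-In public IP {dial_in['public_ip']}")
    if mode == "Main":
        if dial_in.get("peer_ip") != dial_out.get("public_ip"):
            findings.append("Main mode: Dial-In Peer VPN Server IP must equal the Dial-Out public IP")
    elif dial_in.get("peer_id") != dial_out.get("local_id"):
        findings.append("Aggressive mode: Dial-In Peer ID must equal the Dial-Out Local ID")

    # Networks: each side's Remote Network IP is the other side's Local Network IP, and the
    # two LANs must not overlap or the routers will never send traffic into the tunnel.
    in_local = ipaddress.ip_network(dial_in["local_net"])
    in_remote = ipaddress.ip_network(dial_in["remote_net"])
    out_local = ipaddress.ip_network(dial_out["local_net"])
    out_remote = ipaddress.ip_network(dial_out["remote_net"])
    if in_local != out_remote or out_local != in_remote:
        findings.append("Local/Remote Network IP settings are not mirror images of each other")
    if in_local.overlaps(out_local):
        findings.append("the two LAN subnets overlap")

    # Security methods: the Dial-In side must allow what the Dial-Out side proposes, and
    # anything weaker left ticked can still be negotiated by the peer.
    allowed = set(dial_in["allowed_methods"])
    if dial_out["method"] not in allowed:
        findings.append(f"Dial-In side does not allow the proposed method {dial_out['method']}")
    weak = sorted(allowed & WEAK_METHODS)
    if weak:
        findings.append(f"Dial-In side still allows weak methods: {weak}")
    return findings


# Constructed from the guide's Main mode table (example values, not a live configuration).
LONDON = {
    "call_direction": "Dial-In", "idle_timeout": 0,
    "public_ip": "203.0.113.2", "peer_ip": "198.51.100.17",
    "psk": "xf1YMWdu06VWbG3",
    "local_net": "192.168.1.0/24", "remote_net": "10.1.1.0/24",
    "allowed_methods": ["AES"],
}
LIVERPOOL = {
    "call_direction": "Dial-Out", "always_on": True, "ike_mode": "Main",
    "public_ip": "198.51.100.17", "server": "203.0.113.2",
    "psk": "xf1YMWdu06VWbG3",
    "local_net": "10.1.1.0/24", "remote_net": "192.168.1.0/24",
    "method": "AES",
}

if __name__ == "__main__":
    for finding in check_pair(LONDON, LIVERPOOL) or ["profiles are consistent"]:
        print(finding)
```

For the Aggressive mode example, give the Dial-In dict a "peer_id" and the Dial-Out dict "ike_mode": "Aggressive" and a "local_id"; the Dial-Out "public_ip" is then ignored, which is the point of that mode. The entropy estimate is deliberately crude: it only catches keys that are obviously too short, and says nothing about a long key that is a dictionary phrase.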
- First Published: 05/11/2014
- Last Updated: 22/04/2021