Vigor 3900 LAN-to-LAN IPsec VPN Configuration Guide

Products: Vigor 2960, Vigor 3900

A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.

This guide demonstrates how to configure two Vigor 3900 or Vigor 2960 routers to create a secure IPsec VPN tunnel between the two sites. This setup method requires that each site has a static internet IP address.


The diagram above gives an overview of the details for each site. The table below lists the setup details required for an IPsec Main Mode VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection:

Setting              London             Liverpool
LAN Address          192.168.1.0        10.1.1.0
LAN Subnet Mask      255.255.255.0      255.255.255.0
Router's Address     192.168.1.1        10.1.1.1
Public IP Address    203.0.113.12       198.51.100.17
VPN Profile Name     Liverpool          London
Call Direction       Incoming           Outgoing
Protocols            IPsec only         IPsec only
Pre-Shared Key       xf1YMWdu06VWbG3    xf1YMWdu06VWbG3


Dial In VPN - London Router:

Go to [VPN and Remote Access] > [VPN Profile] and click Add to create a new profile, select the Basic tab:

  • Give the Profile a suitable name. Note that the name cannot be changed after clicking Apply to save the VPN profile for the first time
  • Configure the Dial-Out Through option with the correct WAN interface and, if necessary, Alias IP address, so that the router allows this VPN connection on that WAN interface or IP address
  • Set the Local IP / Subnet Mask to the local network address. In this example the router IP is 192.168.1.1; this must be entered as the Network address, which for the 192.168.1.x network with a /24 subnet mask is 192.168.1.0. The subnet mask specified should be the same as the subnet mask specified in the LAN configuration
  • Specify the Remote Host as the WAN IP address of the other router. In this example the WAN IP of the remote side is 198.51.100.17
  • Set the Remote IP / Subnet Mask to the remote network's Network address. In this example that is 10.1.1.0 with a subnet mask of 255.255.255.0 (/24)
  • Set the IKE Phase 1 setting to Main Mode
  • Set the Auth Type to PSK
  • Enter the Preshared Key for the connection and ensure that it is the same on both routers
  • Set the Security Protocol to ESP, which gives an encrypted and authenticated VPN tunnel. If this is set to AH mode, the VPN tunnel will be authenticated (to ensure packets are not tampered with) but will not be encrypted

The VPN profile is ready to use with just the Basic tab configured. The setup of the Advanced and Proposal tabs is provided for additional reference information and other setup options.

Go to the Advanced tab, which has additional settings for the VPN:

  • The Phase 1/2 Key Life Time settings should be left on their default values
  • The Dead Peer Detection Status option enables or disables Dead Peer Detection, which an IPsec VPN connection needs in order to determine whether it can still pass traffic. This should be set to Enable with its default values; on high-latency connections, increasing the values here can help with VPN stability
  • Ping to Keep Alive, when enabled, needs a target IP address configured. The router will ping the target IP, which should be an address reachable only through the VPN connection, i.e. a remote server or the remote router's IP. If the IP fails to respond, the router will restart the VPN connection
  • Route / NAT Mode should be left in Route mode for this example. NAT mode gives a one-way connection and should usually only be used for remote teleworker VPN connections
  • Apply NAT Policy is covered in this guide
  • Netbios Naming Packet allows Netbios packets (used by Windows networking for network computer discovery) to pass across the VPN tunnel
  • Multicast via VPN allows Multicast packets to be passed through the VPN tunnel
  • RIP via VPN allows RIP (Routing Information Protocol) to pass through the VPN, if RIP is in use on the local or remote router's network


Go to the Proposal tab, which has the IPsec protocol options available:

These settings can be left on their defaults; by default the VPN will use 3DES encryption with SHA1 authentication.

The [Dial-Out] proposal settings specified here control which protocols are offered in a proposal when dialling out, so they are not used for this side of the VPN.

The [Dial-In] setting controls which protocols are accepted; this can be left on its default setting of "acceptall". If it is set to "acceptabove", the router will only allow IPsec connections that use the protocols specified in the [Dial-Out] settings above.

Click Apply on that VPN profile to save and apply it.


Dial-Out VPN - Liverpool Router:

Go to [VPN and Remote Access] > [VPN Profile] and click Add to create a new profile, select the Basic tab:

  • Give the Profile a suitable name. Note that the name cannot be changed after clicking Apply to save the VPN profile for the first time
  • Configure the Dial-Out Through option with the correct WAN interface and, if necessary, Alias IP address, so that the router allows this VPN connection on that WAN interface or IP address
  • Set the Local IP / Subnet Mask to the local network address. In this example the router IP is 10.1.1.1; this must be entered as the Network address, which for the 10.1.1.x network with a /24 subnet mask is 10.1.1.0. The subnet mask specified should be the same as the subnet mask specified in the LAN configuration
  • Specify the Remote Host as the WAN IP address of the other router. In this example the WAN IP of the remote side is 203.0.113.12
  • Set the Remote IP / Subnet Mask to the remote network's Network address. In this example that is 192.168.1.0 with a subnet mask of 255.255.255.0 (/24)
  • Enter the Preshared Key for the connection and ensure that it is the same on both routers

Click OK on that VPN profile to save and apply it.


Once both sides of the VPN have been configured, and provided all of the details are correct and the routers can reach each other, the VPN should establish. This can be checked from [VPN and Remote Access] > [Connection Management], which will show the VPN listed in the status window:
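As an added example that is not part of the DrayTek guide, the following Python script cross-checks the two profiles against the rules given in the steps above (Local IP entered as a network address rather than the router's address, Remote Host equal to the peer's public IP, mirrored subnets, matching pre-shared key, one Incoming and one Outgoing side, ESP rather than AH), using the values from the table as constructed input. The VpnProfile class and check_pair function are names chosen here, not router features.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

@dataclass
class VpnProfile:
    """One router's Basic-tab settings, in the order of the guide's table."""
    name: str              # VPN Profile Name (the London router's profile is "Liverpool")
    public_ip: str         # this router's own WAN address
    local_net: str         # Local IP / Subnet Mask, e.g. "192.168.1.0/255.255.255.0"
    remote_host: str       # Remote Host: the other router's WAN address
    remote_net: str        # Remote IP / Subnet Mask
    call_direction: str    # "Incoming" (dial-in) or "Outgoing" (dial-out)
    psk: str               # Pre-Shared Key
    security_protocol: str = "ESP"

def network_address(router_ip: str, mask: str) -> str:
    """Convert a router LAN address (192.168.1.1 / 255.255.255.0) into the
    network address the Local IP field expects (192.168.1.0)."""
    return str(IPv4Network(f"{router_ip}/{mask}", strict=False).network_address)

def check_pair(a: VpnProfile, b: VpnProfile) -> list:
    """Cross-check the two profiles; an empty list means they mirror each other."""
    problems = []
    for side, other in ((a, b), (b, a)):
        local = IPv4Network(side.local_net, strict=False)
        if str(local.network_address) != side.local_net.split("/")[0]:
            problems.append(f"{side.name}: Local IP is a host address, enter "
                            f"{local.network_address} instead")
        if side.remote_host != other.public_ip:
            problems.append(f"{side.name}: Remote Host {side.remote_host} is not "
                            f"the peer's public IP {other.public_ip}")
        if IPv4Network(side.remote_net, strict=False) != IPv4Network(other.local_net, strict=False):
            problems.append(f"{side.name}: Remote IP / Subnet Mask does not match the peer's LAN")
        if side.security_protocol != "ESP":
            problems.append(f"{side.name}: {side.security_protocol} authenticates but does not encrypt")
    if a.psk != b.psk:
        problems.append("Pre-Shared Keys differ between the two routers")
    if {a.call_direction, b.call_direction} != {"Incoming", "Outgoing"}:
        problems.append("one side must be Incoming (dial-in) and the other Outgoing (dial-out)")
    a_lan, b_lan = (IPv4Network(p.local_net, strict=False) for p in (a, b))
    if a_lan.overlaps(b_lan):
        problems.append(f"LAN subnets {a_lan} and {b_lan} overlap, so traffic cannot be routed")
    return problems

# Constructed from the guide's table: London is dial-in, Liverpool dials out.
LONDON = VpnProfile("Liverpool", "203.0.113.12", "192.168.1.0/255.255.255.0",
                    "198.51.100.17", "10.1.1.0/255.255.255.0", "Incoming", "xf1YMWdu06VWbG3")
LIVERPOOL = VpnProfile("London", "198.51.100.17", "10.1.1.0/255.255.255.0",
                       "203.0.113.12", "192.168.1.0/255.255.255.0", "Outgoing", "xf1YMWdu06VWbG3")
```

Running check_pair(LONDON, LIVERPOOL) on the table values returns an empty list; entering 192.168.1.1 instead of 192.168.1.0 as the Local IP, or choosing AH, produces a message naming the side and the field to correct.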




Comments

From: DF
30/07/2016

Connected immediately from my 2830 in the office to 2960 at Data Centre.
Thanks