V. VPN (Virtual Private Networking)

Vigor 3900 to Vigor 2860 LAN-to-LAN IPsec VPN Configuration Guide

Products:

Show all

Keywords:

A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.

This guide will demonstrate how to configure a Vigor 3900 or Vigor 2960 router to create a secure IPsec VPN tunnel with a Vigor 2860 or other DrayOS router.

This setup guide will demonstrate how to configure the VPN tunnel for Static IPs (Main Mode) or Dynamic IP(s) (Aggressive Mode)

Static IP - Main Mode
Dynamic IPs - Aggressive Mode

Static IP - Main Mode

An IPsec Main Mode VPN tunnel requires that both ends of the VPN have fixed IP addresses, the table below shows the setup details required for the VPN connection between the London router, which will be set up with a Dial-In connection and the Liverpool router which will be set up with a Dial-Out connection:

	London	Liverpool
LAN Address	192.168.1.0	10.1.1.0
LAN Subnet Mask	255.255.255.0	255.255.255.0
Router's Address	192.168.1.1	10.1.1.1
Public IP Address	203.0.113..12	198.51.100.17
VPN Profile Name	Liverpool	London
Call Direction	Incoming	Outgoing
Protocols	IPsec only	IPsec only
Pre-Shared Key	xf1YMWdu06VWbG3	xf1YMWdu06VWbG3

Dial In VPN - London Router:

Go to [VPN and Remote Access] > [VPN Profile] and click Add to create a new profile, select the Basic tab:

Give the Profile a suitable name, please note that this cannot be changed after clicking Apply to save the VPN profile for the first time
Configure the Dial-Out Through option with the correct WAN interface and if necessary Alias IP address so that the router allows this VPN connection on that WAN interface or IP address
Set the Local IP / Subnet Mask with the local network address, in this example, the router IP is 192.168.1.1, this needs to be entered as the Network address which for the 192.168.1.x network with a /24 subnet mask, would be 192.168.1.0, the subnet mask specified should be the same as the subnet mask specified in the LAN configuration
Specify the Remote Host as the WAN IP address of the other router, in this example, the WAN IP of the remote side is 198.51.100.17
Set the Remote IP/ Subnet Mask with the remote network's Network address, in this example that is 10.1.1.0 with a subnet mask of 255.255.255.0/24
Set the IKE Phase 1 setting to Main Mode
Set the Auth Type to PSK
Enter the Preshared Key for the connection and ensure that this is the same for both routers
Set the Security Protocol to ESP, which gives an encrypted and authenticated VPN tunnel. If this is set to AH mode, the VPN tunnel will be authenticated (to ensure packets are not tampered with), but will not be encrypted

The VPN profile is ready to use with just the Basic tab configured. The setup of the Advanced and Proposal tabs is provided for additional reference information and other setup options.

Go to the Advanced tab, which has additional settings for the VPN:

The Phase1/2 Key Life Time settings should be left on their default values
The Dead Peer Detection Status option enables or disables Dead Peer Detection, which is necessary for an IPsec VPN connection to determine whether it can pass traffic or not, this should be set to Enable with its default values. On high latency connections, increasing the values here can help with VPN stability
Ping to Keep Alive, when enabled, will need a target IP address configured. This will ping the target IP, which should be an IP address accessible only through the VPN connection i.e. a remote server or the remote router IP. If the IP fails to respond, the router will re-start the VPN connection
Route / NAT Mode should be left in Route mode for this example, NAT mode would give a one-way connection and should usually only be used for connecting to remote teleworker VPN connections
Apply NAT Policy is covered in this guide
Netbios Naming Packet allows Netbios packets (using by Windows networking for network computer discovery) to pass across the VPN tunnel. This can be set to Enable to match other DrayTek (DrayOS) routers
Multicast via VPN allows Multicast packets to be passed through the VPN tunnel
RIP via VPN allows RIP (Routing Information Protocol) to go through the VPN, if that is in use on the local or remote router's network

Go to the Proposal tab, which has the IPsec protocol options available:

These settings can be left on their defaults, the VPN will use 3DES Encryption with SHA1 Authentication by default.

The [Dial-Out] proposal settings specified here control which protocols are used in a proposal when dialling out, so are not used for this side of the VPN.

The [Dial-In] setting controls which protocols are allowed; this can be left on its default setting of "acceptall". If this is set to "acceptabove", it will only allow IPsec connections using the protocols specified in the [Dial-Out] settings above.

Click Apply on that VPN profile to save and apply it.

Dial-Out VPN – Liverpool Router:

This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router. Go to [VPN and Remote Access] > [LAN to LAN] and select the first un-used profile.
On that page, configure the Common Settings like so:

This needs to be Enabled, configured as a Dial-Out VPN and the Always on tickbox will need to be ticked so that the VPN is always active.

The next step is to configure the Dial-Out Settings of the VPN tunnel:

Set the Type of VPN to IPsec Tunnel
Set the Server IP/Host Name for VPN to the address of the VPN server, in this example, London is 203.0.113.12
Set the Pre-Shared Key to the key required for the VPN tunnel, this can be entered directly or by clicking the IKE Pre-Shared Key button to enter it twice so that it can be validated
Set the IPsec Security Method to High(ESP) and select 3DES with Authentication from the drop-down list

The IP address details for the VPN then need to be configured under TCP/IP Network Settings:

The My WAN IP and Remote Gateway IP fields should be left blank
Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
Ensure that the Local Network IP details are correct, these are pre-set and should not need changing generally but if the local router has multiple subnets, this could be changed to the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.

Dynamic IPs - Aggressive Mode

An IPsec Aggressive Mode VPN connection can be used when one or both sides of the VPN tunnel have dynamic IP addresses. If possible it's preferrable to use Main mode instead of aggressive mode because Main mode is more secure, but the setup instructions for aggressive mode are included below.

The London router will be set up with a Dial-In connection and the Liverpool router will be set up with a Dial-Out connection, the table below shows the details of the two networks.

Aggressive mode VPNs use a separate identifier, this needs to be configured as the Local / Peer ID in the VPN settings, this example will use “Vigor2860” as that ID but it can be set to any text, even an email address, it has no significance outside of identifying the client connecting.

	London	Liverpool
LAN Address	192.168.1.0	10.1.1.0
LAN Subnet Mask	255.255.255.0	255.255.255.0
Router's Address	192.168.1.1	10.1.1.1
Public IP Address	213.120.81.12	Dynamic
VPN Profile Name	Liverpool	London
Call Direction	Incoming	Outgoing
Protocols	IPsec only	IPsec only
Pre-Shared Key	xf1YMWdu06VWbG3	xf1YMWdu06VWbG3
Local ID	n/a	Vigor2860

Dial In VPN - London Router:

Go to [VPN and Remote Access] > [VPN Profile] and click Add to create a new profile, select the Basic tab:

Give the Profile a suitable name, please note that this cannot be changed after clicking Apply to save the VPN profile for the first time
Configure the Dial-Out Through option with the correct WAN interface and if necessary Alias IP address so that the router allows this VPN connection on that WAN interface or IP address
Set the Local IP / Subnet Mask with the local network address, in this example, the router IP is 192.168.1.1, this needs to be entered as the Network address which for the 192.168.1.x network with a /24 subnet mask, would be 192.168.1.0, the subnet mask specified should be the same as the subnet mask specified in the LAN configuration
The Remote Host address should be left on its default of "0.0.0.0" to allow incoming connections from dynamic IP addresses
Set the Remote IP/ Subnet Mask with the remote network's Network address, in this example that is 10.1.1.0 with a subnet mask of 255.255.255.0/24
Set the IKE Phase 1 setting to Aggressive Mode so that the Local ID and Remote ID fields are visible
The Local ID setting is not required and can be left blank
The Remote ID setting should be the ID which will be configured on the Liverpool router in a later step, which will be "Vigor2860"
Set the Auth Type to PSK
Enter the Preshared Key for the connection and ensure that this is the same for both routers
Set the Security Protocol to ESP, which gives an encrypted and authenticated VPN tunnel. If this is set to AH mode, the VPN tunnel will be authenticated (to ensure packets are not tampered with), but will not be encrypted

The VPN profile is ready to use with just the Basic tab configured. The setup of the Advanced and Proposal tabs is provided for additional reference information and other setup options.

Go to the Advanced tab, which has additional settings for the VPN:

The Phase1/2 Key Life Time settings should be left on their default values
The Dead Peer Detection Status option enables or disables Dead Peer Detection, which is necessary for an IPsec VPN connection to determine whether it can pass traffic or not, this should be set to Enable with its default values. On high latency connections, increasing the values here can help with VPN stability
Ping to Keep Alive, when enabled, will need a target IP address configured. This will ping the target IP, which should be an IP address accessible only through the VPN connection i.e. a remote server or the remote router IP. If the IP fails to respond, the router will re-start the VPN connection
Route / NAT Mode should be left in Route mode for this example, NAT mode would give a one-way connection and should usually only be used for connecting to remote teleworker VPN connections
Apply NAT Policy is covered in this guide
Netbios Naming Packet allows Netbios packets (using by Windows networking for network computer discovery) to pass across the VPN tunnel. This can be set to Enable to match other DrayTek (DrayOS) routers
Multicast via VPN allows Multicast packets to be passed through the VPN tunnel
RIP via VPN allows RIP (Routing Information Protocol) to go through the VPN, if that is in use on the local or remote router's network

Go to the Proposal tab, which has the IPsec protocol options available:

These settings can be left on their defaults, the VPN will use 3DES Encryption with SHA1 Authentication by default.

The [Dial-Out] proposal settings specified here control which protocols are used in a proposal when dialling out, so are not used for this side of the VPN.

Click Apply on that VPN profile to save and apply it.

Dial-Out VPN – Liverpool Router:

This needs to be Enabled, configured as a Dial-Out VPN and the Always on tickbox will need to be ticked so that the VPN is always active.

The next step is to configure the Dial-Out Settings of the VPN tunnel:

Set the Type of VPN to IPsec Tunnel
Set the Server IP/Host Name for VPN to the address of the VPN server, in this example, London is 203.0.113.12, this can be entered as a hostname or an IP address
Set the Pre-Shared Key to the key required for the VPN tunnel, this can be entered directly or by clicking the IKE Pre-Shared Key button to enter it twice so that it can be validated
Set the IPsec Security Method to High(ESP) and select 3DES with Authentication from the drop-down list
Click the Advanced button to go into the Advanced settings for IPsec:

Set the IKE phase 1 mode to Aggressive mode
Set the Local ID to the ID that will be used to identify the router, in this case it will be “Vigor2860”

Click OK to return to the VPN profile

The IP address details for the VPN then need to be configured under TCP/IP Network Settings:

The My WAN IP and Remote Gateway IP fields should be left on their default settings
Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
Ensure that the Local Network IP details are correct, these are pre-set and should not need changing generally but if the local router has multiple subnets, this could be changed to the subnet that will be used for the VPN tunnel

Click OK on the VPN profile to save and apply it.

Once both sides of the VPN have been configured, if all of the details are correct and the routers are able to contact each other without issue, the VPN should establish, this can be checked from [VPN and Remote Access] > [Connection Management], which will show the VPN listed in the status window: