A LAN-to-LAN Virtual Private Network (VPN) connection links two private networks to allow traffic to route directly between them in a private and secure manner while passing through the internet, which could otherwise be susceptible to eavesdropping or tampering.
This guide will demonstrate how to configure a Vigor 3900 or Vigor 2960 router to create a secure IPsec VPN tunnel with a Vigor 2860 or other DrayOS router.
This setup guide will demonstrate how to configure the VPN tunnel for Static IPs (Main Mode) or Dynamic IPs (Aggressive Mode).
An IPsec Main Mode VPN tunnel requires that both ends of the VPN have fixed IP addresses. The table below shows the setup details required for the VPN connection between the London router, which will be set up with a Dial-In connection, and the Liverpool router, which will be set up with a Dial-Out connection:
| | London | Liverpool |
|---|---|---|
| LAN Address | 192.168.1.0 | 10.1.1.0 |
| LAN Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Router's Address | 192.168.1.1 | 10.1.1.1 |
| Public IP Address | 203.0.113.12 | 198.51.100.17 |
| VPN Profile Name | Liverpool | London |
| Call Direction | Incoming | Outgoing |
| Protocols | IPsec only | IPsec only |
| Pre-Shared Key | xf1YMWdu06VWbG3 | xf1YMWdu06VWbG3 |
Go to [VPN and Remote Access] > [VPN Profile] and click Add to create a new profile, then select the Basic tab:
The VPN profile is ready to use with just the Basic tab configured. The setup of the Advanced and Proposal tabs is provided for additional reference information and other setup options.
Go to the Advanced tab, which has additional settings for the VPN:
Go to the Proposal tab, which has the IPsec protocol options available:
These settings can be left on their defaults; the VPN will use 3DES Encryption with SHA1 Authentication by default. 3DES and SHA1 are both legacy algorithms, so use a stronger proposal where both routers offer one.
The [Dial-Out] proposal settings specified here control which protocols are used in a proposal when dialling out, so they are not used for this side of the VPN.
The [Dial-In] setting controls which protocols are allowed; this can be left on its default setting of "acceptall". If this is set to "acceptabove", it will only allow IPsec connections using the protocols specified in the [Dial-Out] settings above.
Click Apply on that VPN profile to save and apply it.
The Liverpool router needs to be configured with a Dial-Out VPN connection to initiate the connection with the London router. Go to [VPN and Remote Access] > [LAN to LAN] and select the first unused profile.
On that page, configure the Common Settings like so:
The profile needs to be Enabled and configured as a Dial-Out VPN, and the Always on tickbox needs to be ticked so that the VPN is always active.
The next step is to configure the Dial-Out Settings of the VPN tunnel:
Set the Type of VPN to IPsec Tunnel
Set the Server IP/Host Name for VPN to the address of the VPN server; in this example, London is 203.0.113.12
Set the Pre-Shared Key to the key required for the VPN tunnel; this can be entered directly, or by clicking the IKE Pre-Shared Key button and entering it twice so that it can be validated
Set the IPsec Security Method to High(ESP) and select 3DES with Authentication from the drop-down list
The IP address details for the VPN then need to be configured under TCP/IP Network Settings:
The My WAN IP and Remote Gateway IP fields should be left blank
Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required
Ensure that the Local Network IP details are correct. These are pre-set and should not generally need changing, but if the local router has multiple subnets, this can be changed to the subnet that will be used for the VPN tunnel
Click OK on that VPN profile to save and apply it.
Once both sides of the VPN have been configured, the VPN should establish, provided that all of the details are correct and the routers are able to contact each other without issue. This can be checked from [VPN and Remote Access] > [Connection Management], which will show the VPN listed in the status window:
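If the tunnel does not appear, the usual cause is a detail that does not mirror correctly between the two profiles. The following check is an added example, not DrayTek code. It validates the plan from the table above before it is typed into either router. The dictionary field names (`remote_lan`, `server`) are hypothetical, the values are taken from this guide's example, and the server is assumed to be entered as an IP address rather than a host name.

```python
import ipaddress

# Values constructed from the example table in this guide.
LONDON = {"name": "London", "lan": "192.168.1.0/255.255.255.0",
          "router": "192.168.1.1", "public_ip": "203.0.113.12",
          "direction": "Incoming", "psk": "xf1YMWdu06VWbG3",
          "remote_lan": "10.1.1.0/255.255.255.0"}
LIVERPOOL = {"name": "Liverpool", "lan": "10.1.1.0/255.255.255.0",
             "router": "10.1.1.1", "public_ip": "198.51.100.17",
             "direction": "Outgoing", "psk": "xf1YMWdu06VWbG3",
             "remote_lan": "192.168.1.0/255.255.255.0",
             "server": "203.0.113.12"}

def check_pair(a, b):
    """Return a list of mismatches between the two ends of the tunnel."""
    problems, lan, remote = [], {}, {}
    for s in (a, b):
        try:
            # Strict parsing rejects typos and network addresses with host bits set.
            lan[s["name"]] = ipaddress.ip_network(s["lan"])
            remote[s["name"]] = ipaddress.ip_network(s["remote_lan"])
            ipaddress.ip_address(s["public_ip"])
            if ipaddress.ip_address(s["router"]) not in lan[s["name"]]:
                problems.append(f"{s['name']}: router address is outside its LAN")
        except ValueError as exc:
            problems.append(f"{s['name']}: invalid address ({exc})")
    if problems:
        return problems  # report address errors before comparing the two ends
    if lan[a["name"]].overlaps(lan[b["name"]]):
        problems.append("LAN subnets overlap, so traffic cannot be routed between them")
    for s, peer in ((a, b), (b, a)):
        if remote[s["name"]] != lan[peer["name"]]:
            problems.append(f"{s['name']}: remote network is not {peer['name']}'s LAN")
        if s["direction"] == "Outgoing" and s.get("server") != peer["public_ip"]:
            problems.append(f"{s['name']}: server IP is not {peer['name']}'s public IP")
    if {a["direction"], b["direction"]} != {"Incoming", "Outgoing"}:
        problems.append("one side must be Incoming and the other Outgoing")
    if a["psk"] != b["psk"]:
        problems.append("Pre-Shared Keys differ")  # the key itself is never printed
    return problems

if __name__ == "__main__":
    for line in check_pair(LONDON, LIVERPOOL) or ["plan is consistent"]:
        print(line)
```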