V. VPN (Virtual Private Networking)

DrayTek LAN-to-LAN SSL VPN Configuration Guide

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
LAN-to-LAN
SSL
TLS
Tunnel


An SSL VPN connection allows two or more DrayTek routers that support SSL VPN LAN to LAN to communicate using SSL / TLS security, which by default uses TCP port 443. This provides normal LAN to LAN connectivity with routing between the two networks, so that access between them operates in the same way as if they were connected locally.

SSL tunnels can be useful in the following situations:

  • One or both routers have an Internet connection with a dynamic IP address
  • One of the routers is using a NAT (Network Address Translation) Internet connection
  • The Internet connection of either site is unable to pass through IPsec VPN

This feature requires 3.8.0 firmware or later.



This example will demonstrate how to connect two DrayTek Vigor 2860 series routers with an SSL VPN tunnel.

| Setting | London | Liverpool |
| --- | --- | --- |
| LAN Address | 192.168.1.0 | 10.1.1.0 |
| LAN Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| Router's Address | 192.168.1.1 | 10.1.1.1 |
| Public IP Address | 203.0.113.12 | 198.51.100.17 |
| VPN Profile Name | Liverpool | London |
| Call Direction | Incoming | Outgoing |
| Protocols | SSL VPN | SSL VPN |
| Login | Liverpool | Liverpool |
| Password (up to 11 characters) | xf1YMWdu06V | xf1YMWdu06V |


Dial In VPN - London Router

Before configuring a VPN, ensure that the VPN services are activated under the [VPN and Remote Access] > [Remote Access Control] menu:

If the SSL VPN service needs to be enabled, tick the option and click OK, then reboot the router when prompted so that the service becomes active.


The VPN tunnel on the router is configured as a Dial-In VPN connection to accept the connection attempt from the Liverpool router. Go to [VPN and Remote Access] > [LAN to LAN] and select the first unused profile.


On that page, configure the 1. Common Settings:

The profile needs to be Enabled and configured as a Dial-In connection, and the Idle Timeout should be set to 0 seconds so that it does not disconnect when idle.

The Profile Name is set to "Liverpool" in this example because that is the site that will be connecting to this profile.


The next step is to configure the 3. Dial-In Settings of the VPN profile:

  1. Set the Allowed Dial-In Type to SSL Tunnel

  2. Enter the Username for the VPN tunnel. In this example, "Liverpool" is the username

  3. Set the Password for the VPN tunnel. This example uses the password from the table above, "xf1YMWdu06V". Please note that this field allows passwords of up to 11 characters in length


The IP address details for the VPN are configured in 5. TCP/IP Network Settings:

  1. The My WAN IP and Remote Gateway IP fields should be left on the default setting of "0.0.0.0"

  2. Specify the Network Address of the remote network under Remote Network IP and configure the subnet if required. The default of "255.255.255.0" will be suitable unless the subnet has been changed in the remote router's LAN IP configuration

  3. Ensure that the Local Network IP details are correct. These are pre-set and generally should not need to be changed, but if the local router has multiple subnets, this could be changed to the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.


Dial-Out VPN – Liverpool Router

This needs to be configured as a Dial-Out VPN connection to initiate the connection with the London router. Go to [VPN and Remote Access] > [LAN to LAN] and select the first unused profile.

On that page, configure the 1. Common Settings like so:

This needs to be Enabled, configured as a Dial-Out VPN and the Always on tickbox will need to be ticked so that the VPN is always active. The Profile Name is set to "London" to indicate the location / router that it will be connecting to.


The next step is to configure the 2. Dial-Out Settings of the VPN tunnel:

  1. Set the Type of VPN to SSL Tunnel

  2. Set the Server IP/Host Name for VPN to the address of the VPN server. In this example, London is 203.0.113.12

  3. If the SSL VPN Port on the remote router has been changed, specify the port in the Server Port (for SSL Tunnel) setting

  4. Enter the Username for the VPN tunnel. In this example, "Liverpool" is the username, to match the setting on the remote router

  5. Set the Password for the VPN tunnel. This example uses the password from the table above, "xf1YMWdu06V". This password must match the password on the remote router


The IP address details for the VPN are then configured under 5. TCP/IP Network Settings:

  1. The My WAN IP and Remote Gateway IP fields should be left on their default setting of "0.0.0.0"

  2. Specify the local IP address of the remote router under Remote Network IP and configure the subnet if required

  3. Ensure that the Local Network IP details are correct. These are pre-set and generally should not need changing, but if the local router has multiple subnets, this could be changed to the subnet that will be used for the VPN tunnel

Click OK on that VPN profile to save and apply it.
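The two profiles have to agree on several values for the tunnel to establish and route, and these can be cross-checked before troubleshooting on the routers. The following is an added example, not DrayTek code or a router API: the dictionary keys and function names are this example's own, and the values are those from the table above.

```python
import ipaddress

MAX_PASSWORD_LEN = 11  # password field limit stated in this guide

# Values from this guide's example table; the dictionary keys are this example's own.
LONDON = {"site": "London", "local": ("192.168.1.0", "255.255.255.0"),
          "remote": ("10.1.1.0", "255.255.255.0"), "public_ip": "203.0.113.12",
          "ssl_port": 443, "username": "Liverpool", "password": "xf1YMWdu06V"}
LIVERPOOL = {"site": "Liverpool", "local": ("10.1.1.0", "255.255.255.0"),
             "remote": ("192.168.1.0", "255.255.255.0"), "server": "203.0.113.12",
             "server_port": 443, "username": "Liverpool", "password": "xf1YMWdu06V"}

def net(addr, mask):
    # strict=False lets a router address (192.168.1.1) stand for its network (192.168.1.0/24)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_tunnel(dial_in, dial_out):
    """Cross-check a Dial-In profile against the Dial-Out profile that calls it."""
    problems = []
    in_local, in_remote = net(*dial_in["local"]), net(*dial_in["remote"])
    out_local, out_remote = net(*dial_out["local"]), net(*dial_out["remote"])
    if in_remote != out_local:
        problems.append("Dial-In Remote Network IP is not the Dial-Out site's LAN")
    if out_remote != in_local:
        problems.append("Dial-Out Remote Network IP is not the Dial-In site's LAN")
    if in_local.overlaps(out_local):
        # General routing requirement: both LANs need distinct address ranges.
        problems.append("The two LAN subnets overlap")
    if dial_out["server"] != dial_in["public_ip"]:
        problems.append("Server IP/Host Name is not the Dial-In router's public address")
    if dial_out["server_port"] != dial_in["ssl_port"]:
        problems.append("Server Port (for SSL Tunnel) differs from the SSL VPN Port")
    if dial_in["username"] != dial_out["username"]:
        problems.append("Usernames differ")
    if dial_in["password"] != dial_out["password"]:
        problems.append("Passwords differ")  # never echo the secret itself
    for profile in (dial_in, dial_out):
        if len(profile["password"]) > MAX_PASSWORD_LEN:
            problems.append(f"{profile['site']}: password exceeds {MAX_PASSWORD_LEN} characters")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(LONDON, LIVERPOOL) or ["Profiles are consistent"]:
        print(line)
```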


Once both sides of the VPN have been configured, the VPN should establish, provided that all of the details are correct and the routers are able to contact each other without issue. This can be checked from [VPN and Remote Access] > [Connection Management], which will show the VPN listed in the status window:


Changing the SSL VPN Port

To use a port other than TCP 443 for the SSL VPN connection on a router, go to [SSL VPN] > [General Setup] and specify the alternative port in the Port setting. This changes the port used to receive SSL VPN connections:

To change the port used for Dial-Out VPN connections, change the Server Port (for SSL Tunnel) setting in the Dial-Out Settings of a LAN to LAN VPN profile:

