V. VPN (Virtual Private Networking)

Teleworker VPN - IPsec - DrayTek Smart VPN Client

Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832
Show all

DH Group
Show all

The DrayTek routers that support Dial-In VPN connections can use any compatible VPN client to connect a remote dial-in user VPN to achieve secured access to the network connected to the router and its internet connection.

The DrayTek Smart VPN Client software is free for use and can use all protocols that the DrayTek routers currently support such as PPTPIPsecL2TP over IPsec and SSL VPN protocols (depending on router model).

In this example, the Smart VPN Client will be used to make an IPsec Tunnel VPN connection to a DrayTek router. When a user dials in to the router, this is authenticated with a global Pre-Shared-Key, which is used by all users connecting from a dynamic or unknown IP address. The use of a global Pre-Shared-Key means that all connections from IP Addresses which do not match specified IP Addresses in existing VPN profiles will be authenticated against the global Pre-Shared-Key instead. It is very important to use a very long random global Pre-Shared-Key.

This connection method provides a secure link to the router and its connected network, without Username and Password authentication. The IPsec Tunnel VPN accesses only the DrayTek Vigor router's network, without passing Internet traffic through the tunnel. If a Username and Password configuration are required to identify user connections then consider L2TP over IPsec instead.

Router Configuration

To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:

RemoteDial In Profile

Enable the profile and tick IPsec Tunnel as an Allowed Dial-In Type. With only this mode selected, an individual username and password cannot be configured, only the IPsec Pre-Shared Key is used for authentication. Which is configured in the next step:

RemoteDial In DialInUser

Click OK on that page to save the settings for that profile, then go to [VPN and Remote Access] > [IPsec General Setup] to set the Pre-Shared Key for the VPN connection - this is entered twice to verify that the Pre-Shared key is correctly entered.

On this page, it's also possible to select which security method is used for teleworker VPN connections, in this example, AES is selected:

RemoteDial In IPSecGeneralSetup

Click OK on that page to save and apply the settings.

PC Configuration

Creating an IPsec Tunnel VPN in Windows requires the Windows Firewall to function. The DrayTek Smart VPN Client automatically configures and secures the necessary Windows Firewall policy settings when establishing the tunnel. If the Windows Firewall is disabled, the Smart VPN Client will activate the tunnel but it will not be possible to use the IPsec VPN Tunnel.

RemoteDial In WindowsFirewall

Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:

RemoteDial In SmartVPNAdd

This will open a new window to configure the VPN settings:

RemoteDial In SmartVPNSettings

In the new profile, set the Profile Name to identify the VPN connection. In this example, the type of VPN is IPsec Tunnel.

The address or host name of the VPN server needs to be specified in the VPN Server IP/Host Name field.

IPSec requires the following settings:


Select the network interface on the PC that will be used to establish the VPN tunnel

Type of IPSec

Standard IPSec Tunnel

Remote Subnet

The Network Address of the network that the VPN tunnel will be established with.
In this example, the IP range is to, with a /24 subnet mask.
The resulting network address is

Remote Subnet Mask

The Subnet Mask in use on the network that the VPN tunnel will be established with

Mainmode Keyexchange Method

Select DH Group 14. The DH (Diffie Hellman) Group setting controls the complexity of the key used for the IPSec key exchange process

Security Method

Select High (ESP)
Select a security method that your router supports. In this example, AES256 encryption with SHA1 authentication will be used.

Authentication Method

Set the Pre-shared Key that is configured on the router under [VPN and Remote Access] > [IPsec General Setup]

Enable PING to keep alive

This sends pings across the VPN link to keep the tunnel established. Enabling this will keep the tunnel active while the VPN tunnel is established. If this is disabled, there may be a delay when initially using the VPN while the PC establishes the VPN tunnel.

Ping to the IP

An IP address on the router's network that will always be accessible and responds to pings. This can use the router's LAN IP address

Click OK to save the settings for the VPN profile.

Establishing the IPsec Tunnel VPN Connection

To use the VPN and establish the IPsec Tunnel link, disconnect from the DrayTek Vigor router's network and establish the VPN at the intended location or using an alternative Internet connection. The router's VPN server cannot respond to connection attempts from its local network.

Select the profile from the list on the main window and click the Active button:

RemoteDial In SmartVPNClickActive

This will pop-up a window to select the network adapter that will be used. The Pre-Shared Key setting is also shown and can be changed if required:

Tick "Don't show this confirmation window..." if these settings will not need to be changed.

RemoteDial In SmartVPNAuthentication

Click OK and DrayTek Smart VPN will configure the VPN tunnel.

Once the VPN is connected, the main window will show the status of this VPN configuration:

RemoteDial In SmartVPNConnected

It will also show the status in the computer's System Tray, which can be used to disconnect the VPN when necessary.

Double-click the green system tray icon to display the SmartVPN client. Alternatively, right click the SmartVPN client system tray icon for quick access to connect/disconnect & statistics options:

RemoteDial In SmartVPNSytemTray

Check VPN Status on a Vigor Router

When connected, the VPN status can be viewed on the router in the [VPN and Remote Access] > [Connection Management] section, which will display the connecting IP, the local IP address of the client connected and the protocol that it is using:

RemoteDial In ConnectionMangement

How do you rate this article?

1 1 1 1 1 1 1 1 1 1