This article describes how to set up an IPsec tunnel in Main Mode between two Vigor Routers when the VPN client uses a static public IP address. When the VPN client is behind NAT, use IPsec VPN in Aggressive mode instead.
VPN Server Setup
1. Create a VPN LAN to LAN profile for the peer VPN client router: go to VPN and Remote Access >> LAN to LAN and click an available index to add a new profile.
2. Edit the profile as follows:
- Check Enable this profile
- Select Dial-In for Call Direction
- Select the WAN interface that the VPN client will dial in from
- Change Idle Timeout to 0 seconds
- Allow IPsec Tunnel in Dial-In Settings
- Check Specify Remote VPN Gateway and enter the IP address of the peer VPN Client.
- Check IKE Pre-Shared Key and enter the Pre-shared Key
- At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
- Click OK to save the VPN profile.
VPN Client Setup
1. Similarly, create a profile at VPN and Remote Access >> LAN to LAN
- Give a Profile Name
- Check Enable this profile
- Select Dial-Out for Call Direction
- Select the WAN interface that the VPN client will dial out from
- Check Always On
- Select IPsec Tunnel in Dial-Out Settings
- Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN
- Choose Main mode
- Enter the same IKE Pre-Shared Key that was configured on the VPN Server
- Set the phase 1 Encryption and Authentication you want to use
- Set the phase 2 Security Protocol, Encryption, and Authentication you want to use
- Set the phase 1 and phase 2 Key Lifetime in IKE Advanced Settings (optional)
- In TCP/IP Network Settings, enter the VPN Server's LAN Network in Remote Network IP and Remote Network Mask
- Click OK to save the profile.
After finishing the above configuration, the VPN Client will dial up the IPsec tunnel automatically. We can check the VPN status on the VPN and Remote Access >> Connection Management page.
VPN Server Setup
1. Go to the VPN / General Setup / IPsec menu page.
- Enable the IPsec Service.
Then click Apply to save the settings.
2. Go to VPN / Site-to-Site VPN.
- Click +Add to create a profile.
- Enter a profile name and enable the profile.
General
- Select Dial-In in Direction.
- Select IPsec as the VPN Type.
- Check IKEv1/v2.
IKE Authentication
- Choose Main Mode.
- Enable Specify VPN Peer.
- Enter the IP address of the peer VPN Client in Remote IP.
- Enter the Pre-Shared Key for this client.
- (Optional) Specify the encryption and the security protocol for IKE Phase1 and Phase2 in More settings.
Network
- Enter the Local Network of the VPN server and the Remote Network of the VPN client.
Click Apply to save.
VPN Client Setup
1. Go to VPN / General Setup / IPsec.
Click Apply to save the settings.
2. Go to VPN / Site-to-Site VPN.
- Click +Add to create a profile.
- Enter a profile name and enable the profile.
General
- Select Dial-Out for the Direction.
- Select IPsec as the VPN Type.
- Select IKEv1 as IPsec Dial-Out Protocol.
- Enter the remote server address or domain name.
- Specify a Dial-Out Mode. Here, we choose Always On.
IKE Authentication
- Choose Main Mode.
- Choose Pre-Shared Key for Authentication.
- Enter the Pre-Shared Key configured in the dial-in profile on the VPN server.
- (Optional) Specify the encryption and the security protocol for IKE Phase1 and Phase2 in More settings.
Network
- Enter the Local Network of the VPN client and the Remote Network of the VPN server.
Click Apply to save.
After completing the configuration, the VPN Client will automatically dial up the IPsec tunnel. We can check the VPN status in VPN / VPN Connection Status.
VPN Server Setup
1. Go to VPN and Remote Access >> VPN Profile >> IPsec and click Add to add a new profile:
- In the Basic tab, enter Profile name and Enable this profile
- Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.
- Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through
- Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask
- Enter the VPN Peer's WAN IP in Remote Host
- Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask
- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
- Enter the Pre-Shared Key for the VPN Client/ this Static IP
- Click Apply to save the profile.
VPN Client Setup
1. Go to VPN and Remote Access >> VPN Profile >> IPsec and click Add to add a new profile:
- In the Basic tab, enter Profile name and Enable this profile
- Enable Auto Dial-Out
- Select the WAN Interface that the VPN Client will dial out the tunnel from for Dial-Out Through
- Enter the local network IP and subnet of the VPN client itself in Local IP /Subnet Mask
- Enter the VPN Server's WAN IP or Domain name in Remote Host
- Enter the LAN network of the peer VPN server in Remote IP/ Subnet Mask
- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
- Enter the Pre-Shared Key
- Click Apply to save the profile.
After finishing the above configuration, the VPN Client will dial up the IPsec tunnel automatically. We can check the VPN status on the VPN and Remote Access >> Connection Management page.
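
The server and client profiles in each procedure above have to agree on the same few values (Main mode, Pre-Shared Key, peer addresses, mirrored Remote Network). The following pre-flight check is an added example, not DrayTek code; the Profile field names and all sample addresses are assumptions, and the client's server address is assumed to be entered as an IP rather than a domain name.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Profile:
    """One router's LAN-to-LAN settings (hypothetical fields, not a router export)."""
    wan_ip: str       # this router's public WAN address
    peer_ip: str      # Remote VPN Gateway (server) or Server IP (client)
    local_net: str    # this router's LAN subnet, "IP/mask"
    remote_net: str   # Remote Network IP and Mask
    psk: str          # IKE Pre-Shared Key
    ike_mode: str = "main"


def check_pair(server: Profile, client: Profile) -> list[str]:
    """Return the mismatches that would keep the Main mode tunnel from coming up."""
    problems = []
    if server.ike_mode != "main" or client.ike_mode != "main":
        problems.append("both ends must use Main mode")
    if server.psk != client.psk:
        problems.append("Pre-Shared Keys differ")
    # The server pins the client's static public IP; the client dials the server's WAN IP.
    if ipaddress.ip_address(server.peer_ip) != ipaddress.ip_address(client.wan_ip):
        problems.append("server's Remote VPN Gateway is not the client's WAN IP")
    if ipaddress.ip_address(client.peer_ip) != ipaddress.ip_address(server.wan_ip):
        problems.append("client's Server IP is not the server's WAN IP")
    # ip_network accepts both "/24" and "/255.255.255.0" mask notation.
    s_local, s_remote = (ipaddress.ip_network(n) for n in (server.local_net, server.remote_net))
    c_local, c_remote = (ipaddress.ip_network(n) for n in (client.local_net, client.remote_net))
    if s_remote != c_local:
        problems.append("server's Remote Network is not the client's LAN")
    if c_remote != s_local:
        problems.append("client's Remote Network is not the server's LAN")
    if s_local.overlaps(c_local):
        problems.append("LAN subnets overlap, so traffic cannot be routed through the tunnel")
    return problems


# Constructed sample values (documentation address ranges, placeholder key).
SERVER = Profile("203.0.113.10", "198.51.100.20",
                 "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0",
                 "constructed-sample-psk")
CLIENT = Profile("198.51.100.20", "203.0.113.10",
                 "192.168.2.0/24", "192.168.1.0/24",
                 "constructed-sample-psk")

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT) or "profiles are consistent")
```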