IPsec Tunnel Main Mode between DrayTek Routers (Client with Dynamic IP)
This article shows how to establish an IPsec Tunnel in Main Mode between two Vigor Routers when the VPN client has a dynamic public IP address. If the VPN client is behind NAT, it is recommended that IPsec VPN be used in Aggressive mode instead.
VPN Server Setup
1. Go to VPN and Remote Access >>IPsec General Setup page and configure the General IPsec Pre-Shared Key. The Pre-Shared Key configured here will be used for authenticating all IPsec Main mode VPN clients which use dynamic IP addresses.
2. Create a VPN LAN to LAN profile for the peer VPN client router via VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile.
3. Edit the profile as follows:
- Check Enable this profile
- Select Dial-In for Call Direction
- Select the WAN interface that the VPN client will dial In from
- Change Idle Timeout to 0 second
- Allow IPsec Tunnel in Dial-In Settings
- At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
- Click OK to save the VPN profile.
VPN Client Setup
1. Similarly, create a profile at VPN and Remote Access >> LAN to LAN
- Give a Profile Name
- Check Enable this profile
- Select Dial-Out for Call Direction
- Select the WAN interface that the VPN client will dial out from
- Check Always On
- Select IPsec Tunnel in Dial-Out Settings
- Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN
- Choose Main mode
- Input IKE Pre-Shard Key as the same as what was configured on VPN Server
- Set phase 1’s Encryption and Authentication you want to use
- Set phase 2’s Security Protocol, Encryption, and Authentication you want to use
- Set phase 1’s and phase 2’s Key Lifetime in IKE Advanced Settings(optional)
- In TCP/IP Network Settings, enter VPN Server's LAN Network in Remote Network IP and Remote Network Mask
- Click OK to save the profile
After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We can check the VPN status via VPN and Remote Access >> Connection Management page.
VPN Server Setup
1. Go to the VPN / General Setup / IPsec menu page.
- Enable the IPsec Service.
- For General Site-to-Site PSK, enter a Pre-Shared Key
Then Click Apply to save the settings.
2. Go VPN / Site-to-Site VPN.
- Click +Add to create a profile.
- Enter a profile name and check enabled the profile.
General
- Select Dial-In in Direction.
- Select IPsec as the VPN Type.
- Check IKEv1/v2.
IKE Authentication
- Choose Main Mode.
- (Optional)Specify the encryption and the security protocol for IKE Phase1 and Phase2 in More settings.
Network
- Enter the Local Network of the VPN server and the Remote Network of the VPN client.
Click Apply to save.
VPN Client Setup
1. Go to VPN / General Setup / IPsec.
- Enable IPsec Service.
Click Apply to save the settings.
2. Go VPN / Site-to-Site VPN.
- Click +Add to create a profile.
- Enter a profile name and check enabled the profile.
General
- Select Dial-Out for the Direction.
- Select IPsec as the VPN Type.
- Select IKEv1 as IPsec Dial-Out Protocol.
- Enter the remote server address or domain name.
- Specify a Dial-Out Mode. Here, we choose Always On.
IKE Authentication
- Select Main Mode.
- Select Pre-Shared Key for Authentication.
- Enter the Pre-Shared Key configured on the VPN server.
- (Optional)Specify the encryption and the security protocol for IKE Phase1 and Phase2 in More settings.
Network
- Enter the Local Network of the VPN client and the Remote Network of the VPN server.
Click Apply to save.
After completing the configuration, the VPN Client will automatically dial up the IPsec tunnel. We can check the VPN status in VPN / VPN Connection Status.
VPN Server Setup
1. Go to VPN and Remote Access >> IPsec General Setup page, enter the Preshared Key and select the WAN Profile that the VPN client will dial in from. The Preshared Key configured here will be used for authenticating all the IPsec main mode clients which use dynamic IP addresses. In other words, when there are more than one VPN clients, they need to use the same IPsec Preshared Key as what VPN server configured here.
2. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:
- In the Basic tab, enter Profile name and Enable this profile
- Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.
- Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through
- Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask
- Use IP 0.0.0.0 in Remote Host (Remote Host IP 0.0.0.0 means this VPN profile accepts any Peer IP address and is suitable when the VPN client is with a dynamic IP address)
- Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask
- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
- Leave Pre-Shared Key as Empty.
- Click Apply to save the profile.
VPN Client Setup
1. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:
- In the Basic tab, enter Profile name and Enable this profile
- Enable Auto Dial-Out
- Select the WAN Interface that the VPN Client will dial out the tunnel fromDial-Out Through
- Enter the local network IP and subnet of the VPN client itself in Local IP /Subnet Mask
- Enter the VPN Server's WAN IP or Domain name in Remote Host
- Enter the LAN network of the peer VPN server in Remote IP/ Subnet Mask
- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
- Enter the Pre-Shared Key
- Click Apply to save the profile.
After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We may check the VPN status via VPN and Remote Access >> Connection Management page.
Published On: 2016-05-18
Was this helpful?