sircles.net Computer Support The sircles IT support & solutions blog | Network Security


iPhone IOS, iPad or Mac OSX to DrayTek Vigor 2860 or 3900 via VPN Connection

25. August 2017 07:19 by sirclesadmin in Hardware, Network Security, Troubleshooting, VPN

Newer macOS and iOS versions no longer support Microsoft's PPTP VPN, so connecting to your office or home network has become more difficult unless you are running macOS Server or similar. Here we go over how to connect your iOS or macOS device to your DrayTek router so that you can use the local LAN or browse the internet as if you were back at home.

If you are looking for a service to connect you to the UK for internet browsing whilst abroad, please feel free to enquire about our UK VPN dial-in services.

First of all, log in to your router control panel as normal. In this case we are looking at a 3900, but the 2860 is the same:


Firstly, we are using an L2TP over IPSec connection in this instance, so let's make sure the services are enabled. Go to VPN and Remote Access, then Remote Access Control, and make sure that the L2TP and IPSec services are enabled, as below:


Next we need to set up the IPSec pre-shared secret. To do this we go to IPSec General Setup and enter the shared secret that all of the IPSec dial-in users will need to have:


In this example we are leaving the incoming internet port as WAN1 and the internal network DHCP profile as LAN1, but you should configure these as appropriate for your network.

If you are using the router's DHCP service then you can skip the next step. In this example, however, the 3900 is part of a Windows server network in which the servers provide DHCP, and the remote users need to reach that server network, so we configure the router to relay DHCP from the server. To do this, go to PPP General Setup and click the L2TP tab at the top:


In the dialog above I enable DHCP and choose LAN1 as the DHCP Server Location, as that is where it sits in this case. I then enter the DHCP Server IP Address of the Windows Server providing the DHCP service.


Go to User Management and then User Profiles and select Add:


Enter the details of the user and tick the box to enable the VPN. Scroll down to the PPTP/L2TP/SSL section, enable L2TP Dial-in for this user and then click Apply:


Now you can set up your iOS or macOS Apple clients:

Go to Settings, then General, select VPN and then Add VPN Configuration:


Change the VPN type to L2TP.


Now enter the details you set up for the VPN user:


Once you have entered the details, click Done.

Now go back to the Settings page, find the VPN option and tap the slider on the right to start the VPN:


Once the VPN has connected you will be able to see the VPN icon at the top of your screen:


How to be 100% sure you are not opening a dangerous attachment


If you are in the market for some new employees then you may be receiving quite a few emails a day on the subject, but here is one to avoid:


In this case the user is viewing the email in Microsoft Outlook. If we look more closely by clicking the attachment ONCE, we can see that the document asks us to open it fully and enable editing:


Anything that asks you to enable content or enable editing is likely to contain trouble. Microsoft Word and other Office documents can contain code that can harm your computer, and that should be avoided. The page shown above is not a function of Microsoft Word; it is simply a page the senders have created to persuade you to enable their code.

Let's go over a few quick checks we can use to decide whether to trust a message like this:

1. Before even thinking about the attachment, look at the sender address: Karen Baltzley <Dempsey@crediblesons.com>. The display name and the mailbox do not match, because the spammer has not bothered to align the email address with the display name of the sender: this is spam. We can also see that the attachment author is someone called ojeawlbgnpbgmob, which is unlikely to be a real name.

2. Look at the signature of the email. Because these spammers send email in volume, they do not want to include any text by which your IT team could filter their messages out, so they only use generic words. As a result they have not signed the email "Karen Baltzley"; they have just left it blank: this is spam.

3. If you are in any doubt, reply to the message instead of opening the attachment; this is a great way of being 100% sure. Spammers do not send email from proper addresses, as this would expose them to the risk of being traced or tracked down, so if the sender is a spammer the reply will simply bounce back with an error message. If you have any doubt at all, reply to the email.

4. Lastly, the risk inherent in Microsoft Office documents, with their macros and other code, means that very few legitimate businesses send them unsolicited. Any invoice or quote in a Microsoft Office document format is questionable, and you should reply asking for a PDF copy, which cannot be so easily tampered with.

If you have satisfied yourself on all of the above then you can open an attachment feeling pretty safe, and believe me, it is worth the trouble. You do not want to find yourself buying Bitcoins in the middle of the night trying to decrypt yesterday's work before the boss gets back from holiday.
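Checks 1, 2 and 4 above can be partly automated at the mail gateway or on the desktop. The following is an added example, not code from the original post: a small Python triage script built on the standard library `email` module that flags a display name with no word in common with the sender mailbox, a body that is not signed with the sender's surname, and attached Office documents that should be requested as PDF instead. Check 3 (replying to the sender) is a manual step and is left out. Both sample messages are constructed for this example, one modelled on the spam in the post and one a plausible legitimate quote, and the function names are hypothetical.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the message in the post: the display name and
# mailbox disagree, the body carries no signature, and a Word file is attached.
SPAM_EML = """\
From: Karen Baltzley <Dempsey@crediblesons.com>
To: jobs@example.invalid
Subject: Application for the advertised position
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached document.

--b1
Content-Type: application/msword; name="Application.doc"
Content-Disposition: attachment; filename="Application.doc"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed legitimate counterpart: matching name and mailbox, signed, PDF attached.
LEGIT_EML = """\
From: John Smith <john.smith@example.invalid>
To: jobs@example.invalid
Subject: Quote for the office move
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Hi,

Quote attached as discussed.

Regards,
John Smith
Example Ltd

--b2
Content-Type: application/pdf; name="quote.pdf"
Content-Disposition: attachment; filename="quote.pdf"
Content-Transfer-Encoding: base64

QUJD
--b2--
"""

# Macro-capable and legacy Office formats the post advises treating with suspicion.
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx"}


def sender_mismatch(msg):
    """Check 1: no word of the display name appears in the mailbox local part."""
    name, addr = parseaddr(str(msg.get("From", "")))
    local = addr.split("@")[0].lower()
    words = [w for w in re.split(r"[^a-z]+", name.lower()) if w]
    return bool(words) and not any(w in local for w in words)


def missing_signature(msg):
    """Check 2: the sender's surname does not appear anywhere in the text body."""
    name, _ = parseaddr(str(msg.get("From", "")))
    surname = name.split()[-1].lower() if name else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    return not surname or surname not in text


def office_attachments(msg):
    """Check 4: file names of attached Office documents."""
    names = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in OFFICE_EXTENSIONS:
            names.append(filename)
    return names


def triage(raw):
    """Return the findings for a raw RFC 822 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if sender_mismatch(msg):
        findings.append("display name does not match the sender mailbox")
    if missing_signature(msg):
        findings.append("body is not signed with the sender's name")
    for filename in office_attachments(msg):
        findings.append(f"Office attachment {filename}: ask the sender for a PDF instead")
    return findings


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_EML), ("legit", LEGIT_EML)):
        print(label, triage(raw) or ["nothing flagged"])
```

The heuristics are deliberately loose (a surname check will miss a first-name-only signature, and a matching display name proves nothing on its own), so treat a non-empty result as a prompt to apply check 3 rather than as a verdict.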


DrayTek Vigor 2830/2860 to 3300/V/+ router IPSec VPN

This example is for an environment with a static IP at each office.

Firstly, let us set up the 3300 head office router:

After logging in, go to the VPN menu, then IPSec, then 'Policy Table'.


In this example we are going to use AES encryption with authentication for the maximum security available.

Firstly we enable the profile.


We name the profile something that describes the VPN and then choose Pre-shared Key, which in this example is our preferred key type. Our security protocol will be ESP and we enable NAT Traversal. In this example I am not enabling NetBIOS, but if you are adding a VPN to extend a Windows domain then you should choose Pass here.

As we are connecting to another DrayTek device we are not going to change the default time-outs, but if you do, they must be mirrored at the other end for the VPN to come up. We will change the security settings, though, as we want AES256-SHA1 encryption and authentication.

We also tick the PFS (Perfect Forward Secrecy) box:


Now we can click Apply and configure the DrayTek Vigor 2830/2860...

Under the VPN menu, go to LAN to LAN to set up your connection to the DrayTek 3300.

Click the number corresponding to the first unused profile...

Now we are going to enter the details required to connect to the 3300 router:


We are once again giving it a name relevant to the connection. In this case we are connecting through WAN2, but you can choose WAN1 if you are using ADSL/VDSL.

NetBIOS should be enabled or disabled depending on whether you are allowing file access to Windows machines across the VPN. In most cases with Windows machines you would pass NetBIOS packets.

The call direction is set to Both to allow either end to start the VPN.

Under Dial-Out settings we set the VPN type to IPSec once again.

We enter the domain name or IP address of the external interface of the 3300 router in the box below.

We now tick the Pre-Shared Key box on the right and click the Pre-Shared Key button to enter the same key as we entered in the 3300's Pre-Shared Key box.

Below that we select the High (ESP) option and choose AES with Authentication, as we did on the 3300.

Now click the Advanced button:


We are mirroring the settings from the 3300 here, so we choose AES256-SHA1_G5 for the phase one proposal and AES-256 for the phase two proposal.

Once again we select the Perfect Forward Secret option; the timeouts are already consistent.

Click OK when done.

Now under IPSec Security Method, tick only the AES box and then enter the IP address details at the bottom of the page:


We enter the external IP of the 2860/2830 first, in the My WAN IP box.

Enter the remote 3300 router's external interface address in the Remote Gateway IP address box.

Then enter the remote DrayTek 3300 internal network subnet details in the two boxes below that.

Finally enter the DrayTek 2860/2830 local network subnet details in the two boxes below that.

Click OK when done.

Now under VPN and Remote Access on the 2860/2830 you should see the connection as live:


DrayTek 3300 to Watchguard Firebox 10.2 Core X VPN


To configure the Firebox we are using the 10.2 manager, but the 11 series is very similar so you should be able to find your way round from these instructions. These instructions are based on the configuration software rather than the web page, as this example is an X550e system that does not support the web interface.

Firstly you will need to log in to your Firebox with your username and start Policy Manager.

From the VPN menu at the top, select Branch Office Gateways as below:

You will be presented with the BOVPN gateways box:

Click Add and fill in your details, which are discussed below:

Firstly, give your gateway a name at the top of the page. I usually find the location of the gateway the most sensible option, but for this example I am sticking to generic terms for the sake of security.

If you are using a pre-shared key then you enter it as clear text in the Use Pre-Shared Key box.

To add the gateway endpoints, click Add under the endpoints section at the bottom of the page:

In the above we can see that our local gateway is 10.10.10.10, which is the local IP address of the Firebox in this example; this is simply the internal address you use to access your Firebox. The external interface can remain as 'external', selected from the drop-down list. If you are using a VPN trunk between different endpoints to offer redundancy in your VPN then you can set up various host identities here, but for now we are sticking to the simplest configuration.

Next we set the external IP of the DrayTek. The static IP address has been set as 75.75.75.75, as the DrayTek 3300 we are connecting to sits on Ethernet fibre with a static IP. The identity has been left the same, as the DrayTek will automatically use its external IP as its identity, which keeps things simple.

Once you have entered these, press OK to return to the previous page.

Once there, click on the Phase 1 Settings tab:

Above is the dialog for configuring the Phase 1 Settings. This is the first stage of key exchange between your firewalls, and we can see that the Firebox already has various defaults. In this example most of these can be left as they are; the important parts are the Mode and the Transform Settings at the bottom. The mode is set to Main, which is our preferred option in this example, so we will leave it be.

The Transform Settings need to be updated, so select the phase 1 transform and click Edit.

You should see a box resembling the below:

In our example, as the DrayTek supports AES 256 with Group 5, we select SHA1 for authentication and AES 256-bit for encryption, and use an 8 hour SA life, but please feel free to choose any other SA length, as the settings above are too simple to guess. These settings must mirror the DrayTek, though, so please make a careful note of what you decide upon.

Once you have entered your chosen settings, close the tunnel dialog box, and then click OK on the remaining dialogs to return to the Policy Manager.

Now select the Branch Office Tunnels item on the VPN menu:

You will see the New Tunnel Dialog:

Give your tunnel a name and associate it with your gateway under the Gateway selector, as above.

Click Add to choose the addresses associated with your new tunnel:

Choose your local network for the Firebox by either selecting it from the dropdown menu or by entering it manually. In this example the Firebox is on a 100.100.100.0/24 network:


Click OK to add your subnet and leave the other settings be, as the defaults will suffice for this connection.

Click the Phase 2 Settings tab on the previous screen:

In our example our system is going to use perfect forward secrecy, so PFS can remain ticked. We are going to use Diffie-Hellman Group 5, so select that from the drop-down.

The ESP-AES-SHA1 option already chosen is correct, but be sure to click Edit and check that you have a record of the SA time-outs, as they will need to match the DrayTek. Once you are satisfied you can click OK and create your tunnel:

Click Close to complete creating the tunnel.

The Firebox configuration is now complete, so save the settings to your Firebox when you are ready. Now we will consider the DrayTek 3300:

Log into your DrayTek 3300 as below:

Under the VPN menu select IPSec and then Policy Table:

Under the new IPSec VPN entry, set your VPN to Enable or Always-on depending on how you wish it to behave. In this example we select Enable, which in most cases brings the tunnel up as soon as it is needed.

Give your VPN a name and replicate the pre-shared key from the Firebox.

ESP is your security protocol, so there is no need to change this.

NAT Traversal should be enabled. If you are connecting two Windows networks then NetBIOS can be enabled so that Windows management traffic and machine location (such as the Computer Browser service and the like) function fully.

The WAN interface I am using is WAN1, so this remains the same, and the DrayTek local LAN settings of 100.100.100.0/24 go into the local gateway settings. Leaving the other settings at their defaults simply means that the DrayTek uses its LAN and WAN addresses as its ID for the VPN, which is fine in this example.

Under the remote gateway settings we add the external address of the Firebox and its LAN address. This tells the DrayTek which destination traffic to encrypt and what the traffic should expect when it arrives.

Once you have completed the above, click the Advanced tab at the top of the page.

Now we configure the DrayTek phase 1 & 2 settings. On the Firebox we set an 8 hour SA life with AES 256-bit and DH group 5, so we complete the DrayTek in the same way, as below:

Once again we choose 'main' as the mode and tick the Perfect Forward Secret box to enable PFS.

Click OK and you will see that the VPN is now set.
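Both this post and the 2830-to-3300 post above stress that the phase 1 and phase 2 proposals, the PFS setting and the SA lifetimes must mirror each other at both ends, or the tunnel will not come up. The block below is an added example and is not code from DrayTek, WatchGuard or the original post: a Python helper that parses DrayTek-style proposal labels such as AES256-SHA1_G5 into their components and compares them field by field with the values entered on the Firebox, so that a lifetime or PFS mismatch is caught before you start pinging across the tunnel. The label grammar it parses, the `Proposal` type and the sample values (the 8 hour phase 1 life from this post, a constructed 1 hour phase 2 life) are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One IKE phase 1 or IPsec phase 2 proposal as configured on one end."""
    encryption: str          # e.g. "AES"
    key_bits: int            # e.g. 256
    integrity: str           # e.g. "SHA1"
    dh_group: Optional[int]  # IKE DH group (phase 1) or PFS group (phase 2); None = no PFS
    lifetime_s: int          # SA lifetime in seconds


def parse_draytek_label(label, lifetime_s):
    """Parse a DrayTek-style proposal name such as 'AES256-SHA1_G5' (phase 1)
    or 'AES256-SHA1' (phase 2). The label grammar is an assumption for this example."""
    m = re.fullmatch(r"(AES|3DES|DES)(\d*)-(SHA1|SHA256|MD5)(?:_G(\d+))?", label)
    if not m:
        raise ValueError(f"unrecognised proposal label: {label}")
    enc, bits, integ, group = m.groups()
    key_bits = int(bits) if bits else {"3DES": 168, "DES": 56}[enc]
    return Proposal(enc, key_bits, integ, int(group) if group else None, lifetime_s)


def compare(local, remote):
    """Return human-readable differences between two proposals (empty when they mirror)."""
    diffs = []
    for field in ("encryption", "key_bits", "integrity", "dh_group", "lifetime_s"):
        a, b = getattr(local, field), getattr(remote, field)
        if a != b:
            diffs.append(f"{field}: {a} != {b}")
    return diffs


def check_tunnel(draytek, firebox):
    """draytek: {'phase1': (label, lifetime_s), 'phase2': (label, lifetime_s, pfs_group_or_None)}
    firebox:  {'phase1': Proposal, 'phase2': Proposal}
    Returns {'phase1': [differences], 'phase2': [differences]}."""
    label, life = draytek["phase1"]
    p1 = parse_draytek_label(label, life)
    label, life, pfs = draytek["phase2"]
    p2 = parse_draytek_label(label, life)
    # Phase 2 labels carry no group; PFS is a separate tick box and group selector.
    p2 = Proposal(p2.encryption, p2.key_bits, p2.integrity, pfs, life)
    return {"phase1": compare(p1, firebox["phase1"]),
            "phase2": compare(p2, firebox["phase2"])}


# Constructed sample: DrayTek side as entered in the post (AES256-SHA1_G5, PFS group 5),
# phase 1 life 8 hours as on the Firebox, phase 2 life 1 hour (assumed for the example).
DRAYTEK = {"phase1": ("AES256-SHA1_G5", 8 * 3600), "phase2": ("AES256-SHA1", 3600, 5)}

FIREBOX_MIRRORED = {"phase1": Proposal("AES", 256, "SHA1", 5, 8 * 3600),
                    "phase2": Proposal("AES", 256, "SHA1", 5, 3600)}

# Same Firebox, but with PFS left unticked and a different phase 2 lifetime.
FIREBOX_PFS_OFF = {"phase1": Proposal("AES", 256, "SHA1", 5, 8 * 3600),
                   "phase2": Proposal("AES", 256, "SHA1", None, 1800)}

if __name__ == "__main__":
    for name, fb in (("mirrored", FIREBOX_MIRRORED), ("pfs off", FIREBOX_PFS_OFF)):
        for phase, diffs in check_tunnel(DRAYTEK, fb).items():
            print(name, phase, "OK" if not diffs else "; ".join(diffs))
```

The comparison is deliberately strict on lifetimes: some implementations negotiate down to the shorter value, but a rekey at different times on each end is a common cause of a tunnel that drops periodically, so it is simpler to keep them identical as both posts advise.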

You can monitor under VPN IPsec Status and see the VPN come up when you ping something on the other internal LAN:

The above shows the VPN has come up with the correct IP and LAN subnets ;)
