Computer Support The sircles IT support & solutions blog | VPN

Twitter Feed Popout byInfofru

The sircles IT support & solutions blog Internet Safety & Security, Windows Tweaks and Server Fixes

iPhone IOS, iPad or Mac OSX to DrayTek Vigor 2860 or 3900 via VPN Connection

25. August 2017 07:19 by sirclesadmin in Hardware, Network Security, Troubleshooting, VPN
iPhone IOS, iPad or Mac OSX to DrayTek Vigor 2860 or 3900 via VPN Connection The newer Mac and IOS v

iPhone IOS, iPad or Mac OSX to DrayTek Vigor 2860 or 3900 via VPN Connection

The newer Mac and IOS versions no longer support the Microsoft PPTP versions and so connecting to your office or home has become more difficult unless you are using MAC OSX Server or similar. Here we are going to go over how to connect your IOS or OSX device to your DrayTek router so that you can use your local LAN or browse the internet as if you were back at home.

If you are looking for a service to connect you to the UK for internet browsing whilst abroad, please feel free to enquire about our UK VPN dial-in services.

First of all log in to your router control panel as normal, in this case we are looking at a 3900, but the 2860 is the same:



Firstly, we are using an L2TP over IPSec connection in this instance, so let's make sure that the services are being supported. Go to VPN and Remote Access and then Remote Access Control and make sure that the L2TP and IPSec services are enabled, as below:



Next we need to set-up the IPSec pre-shared secret. To do this we go to IPSec General Setup and enter the shared secret that all of the IPSec sial-in users will need to have:



In this example we are leaving the incoming internet port as WAN1 and the internal network DHCP profile as LAN1 but you should configure these as appropriate for your network.

Now if you are using the router's DHCP services then you can skip the next step but in this example the 3900 is part of a Windows server network and the servers provide DHCP and so we are going to configure the router to pass on the DHCP from the server as the users will need to access the server network remotely. To this end we go to PPP General Setup and click the L2TP tab at the top:


From the above I am selecting to enable DHCP and choosing the DHCP Server Location as LAN1 as it is in this case. I then enter the DHCP Server IP Address with the Windows Server providing the DHCP services. 


Go to User Management and then User Profiles and select Add:



Enter the details of the user and click the tick box to enable the VPN. Scroll down to the PPTP/L2TP/SSL section and enable L2TP Dial-in for this user and then click Apply:



Now you can set-up your IOS or OSX Apple clients:

Go to Settings then General and select VPN and Add new VPN configuration:



Change the VPN type to L2TP





Now enter the details you entered for the VPN user:




Once you have entered the details, click Done.

Now go back to the settings page, find the VPN option and click the slider on the right to start the VPN:



Once the VPN has connected you will be able to see the VPN icon at the top of your screen:




Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN

Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN The DrayTek Vigor router range are very straightforward

Juniper SSG5 to DrayTek Vigor 2860 IPSec VPN

The DrayTek Vigor router range are very straightforward routers with which to configure a VPN and only get really complicated to work on when dealing with multiple firewall rules that may conflict or override each other. The Junipers are highly configurable in a a very ordered manner, but this does mean that there are extra considerations and stages to configuration when programming a VPN.

The Juniper needs to be told to allow traffic through a VPN and also needs a tunnel and an endpoint configured and so let us deal with that first.

We are assuming that you already have access to the Juniper via the web browser and can reach the configuration screens.

Go to the Network menu and select Interfaces and List.

Now with the drop down top right, choose Tunnel IF and then click New.

Set the Zone to be Untrust (trust-vr)

Check the bubble for Unumbered as this is a route-based VPN

Choose the interface to be the internet facing interface with the IP address that you will be pointing the DrayTek Vigor VPN at.

Now click the Tunnel link at the right of the links at the top of your configuration panel.

Once again the destination will be left as as this is a route-based VPN and the Gateway we define in a minute will determine the endpoint for the VPN.

Now we have the tunnel configured we move on to configure the VPN:

Click Autokey IKE and then New:

Rather than configure a gateway in advance we will simply create one in this page. Click the bubble to Create a Simple Gateway and enter a name for the remote gateway. Leave IKE as ver.1 and choose Static IP and enter the Vigor WAN IP or hostname.

Now enter the pre-shared key which is a code that you will enter into the Vigor or share with the admin of the remote Vigor by some secure means. The Outgoing Interface will be the Juniper physical interface on which the WAN IP address resides to which you will be pointing the Vigor VPN.

Now click Advanced:

Here we are choosing the Phase 2 encryption proposal which is simply the encryption types - AES 256-bit in this case with DH Group 14 PFS (Perfect Forward Secrecy) and 3600 seconds time-out, but feel free to simply select a standard choice and simply make a note of the one you are choosing. Is it AES or 3DES or DES? What is the time-out, is it in seconds, minutes or hours? What is the PFS DH group? All of these should be noted as the Vigor must be configured to accept them.

Now enter the local and remote IP / Netmask where the local is the LAN address and teh subnet and the remote is the LAN which resides behind the Vigor which we are going to have remote access to once the VPN is established. In this case both subnets are set at /24 meaning Class-C subnets but you must obviously enter your own details for each network.

Set service to Any which will allow all traffic to pass between the sites via our VPN.

Tick VPN Monitor, Optimised and Rekey  and leave the destination as default whilst choosing the external interface to which you will point the Vigor as the Source Interface.

Now click Return and OK. Now move on to configure the policies. The Gateway settings below are just for reference.

Here are the configurations for the Gateway but these two pages have been configured already when we configured the VPN but they are included as reference if you need to troubleshoot your Gateway settings:


Now click Advanced:

Now we must configure the policies to allow traffic between the sites. Go to Policy then Policies and at the top select from Trusted to Untrusted and click New.

Give the policy a name and enter the local subnet in the source and the remote subnet in the destination address boxes.

Choose the service type as Any and click OK. There is no need to configure advanced options in this instance.

Now at the top of the policy screen, select from Untrusted to Trusted and New and configure the settings as above but with the Vigor remote LAN subnet as the source and the local Juniper subnet as the destination with the service set as Any.

This completes the Juniper set-up and we can now configure the DrayTek Vigor 2860.

 Log into the admin web page of the DrayTek and go to the VPN and Remote Access section on the right-hand side. Click on LAN to LAN and then click an empty profile so that you can begin to populate the necessary information:

Name the VPN, indicating where it is connecting your local subnet to.

Tick to enable the profile.

Choose which WAN port/interface the VPN will be established through.

We are allowing NetBIOS naming packets as this will be for a Windows computer network and we may wish to enable inter-site computer browser functioning etc.

Multicast via VPN we will leave disabled.

Set the direction to be Both so that either site can initiate the connection.

Set the VPN type to be IPSec and enter the WAN IP or hostname of the Juniper we are connecting to.

Populate the bubble for Pre-Shared Key and click the IKE Pre-Shared Key button. Here you must enter the same key you entered into the Juniper and click OK.

Below that, choose the bubble for High(ESP) and set the dropdown box to be AES with Authentication. Then click the Advanced button:

Here we are selecting Main mode as we did on the Juniper and out phase 1 proposal as AES256_SHA1_G14

Our phase two proposal is set as AES256_SHA1

Timeouts are once again 28800 seconds and 3600 seconds for phase one and two respectively and the Perfect Forward Secret (PFS) is enabled. Now click OK.

Moving down the VPN LAN to LAN page we come to the Dial-In setings:

Tick IPSec Tunnel as the VPN type and untick the others.

Tick the box to Specify Remote VPN Gateway and enter the Juniper WAN IP once more.

Tick the box for the Pre-Share Key and enter it as before by pressing the appropriate button.

Tick the AES button for the IPSec Security Method.

Leave section 4 blank here as we are not using GRE in this example.

Finally section 5 we enter the Vigor WAN IP in My WAN IP. The Juniper WAN IP in Remote Gateway IP.

The Juniper LAN subnet in Remote Network IP such as and the subnet mask below, in this case rather than /24.

The local network IP is the LAN subnet being the Vigor such as and the subnet for the Vigor below.

The RIP direction is set to both and the traversal method is set to Route.

Now click OK.

Go to VPN and Remote Access and Connection Management and see if the VPN is up:

DrayTek Vigor 2830 Dynamic IP to Vigor 3900

3. July 2017 16:11 by sirclesadmin in Hardware, Internet, Internet Security, VPN
DrayTek Vigor 2830 Dynamic IP to 3900 Static IPSec VPN There are two main points to bear in mind whe

DrayTek Vigor 2830 Dynamic IP to 3900 Static IPSec VPN

There are two main points to bear in mind when configuring the dynamic IP address connections to a static Vigor. The first is that you need to configure the IPsec shared key in two places on the static host DrayTek Vigor VPN router. Firstly under IPSec General Set-up (which is the same place as you configure the IPSec key for L2TP) and then under the VPN Profiles (or LAN to LAN if it is an older model.)

Lets configure the DrayTek Vigor 3900 static IP host router first:

Go to IPSec General Setup:



Enter the IPSec shared key you are going to use for your VPN, or if you are already using that shared key for other connections, look up what you are using and make a not of it as we will need to enter that shared key again shortly.

Now go to VPN Profiles and we will configure the IPSec specifics for the host static end of the VPN. To continue, click Add to open a new profile window and choose an IPSec VPN. Leave the 'For remote dial-in user' selection at disabled.



So in the above we use the wan port that the external IP being targeted by the other VPN router.

The local IP/Subnet mask is the IP range used by the internal network of the 3900 with the static external IP. In this case we are using a class C subnet of 192.168.x.0

The local next hop is left as the default to use the wan1 default gateway (in the above we are using wan1 but as stated you must use the external IP that the 2830 is pointed towards)

The remote host remains at as the remote Vigor 2830 is on a static IP

The remote network mask is the internal IP LAN subnet of the 2830 with a dynamic WAN address - in this case we are using another 192.168.x.0 address



For the IKE phase 1 we will stick with Main Mode

The authentication type we will leave as PSK - Pre-Shared Key

The pre-shared key we entered earlier we enter again here...

The security protocol we are choosing is encrypted and so we select ESP

Now we move onto the Advanced tab:



We are sticking with the default time-outs for DrayTek Routers.

We are selecting Perfect Forward Secrecy to be enabled (PFS)

Dead peer detection can be enabled to allow for VPNs to be picked up again quickly after a brief connectivity issue.

Route/NAT mode should be: Route

Apply NAT policy should be: Disable

NetBIOS naming packets in this case I am selecting: Enable as this will allow ICMP traffic for Windows client/server communications to behave as if on the same network. 

Multicast via VPN we will leave: Disabled



RIP via VPN we will leave: Disabled to simplify getting the VPN up and running - you may wish to enable this at each end afterwards for router discovery.

Now we proceed to the Proposal Tab as we are not enabling GRE in this example:



Now we configure the encryption methods:

We are using AES G5 (Group 5) and AES with authentication as above and leaving the other options as accept all to bring the VPN up reliably and quickly.

To enable compatibility with the 2830 we are sticking to Group 5 but if you are using a 2860 you can use Group 14 (G14) instead as long as you match both ends.

Once all of this has been entered we can click Apply and await the router to confirm that it has accepted our VPN details...


Now we configure the 2830

In this example we are going to stick with using the LAN to LAN or VPN profiles tab as not all models have the VPN client and server wizard options, but either method will work as long as you get all of the encryption, LAN and endpoint data correct:

Below we have already gone to VPN>LAN to LAN and clicked on a profile number to start entering the data:



Give your profile a name and tick the box to enable it.

On this router we are using WAN 2 as it is behind another router (and yes it will still work with or without passthru as this is a dial out only configuration from the dynamic end. There is no point trying to dial back to a router you do not know the WAN IP address of.)

We are selecting the VPN type as Dial-Out only. If you wish the VPN to allow for full time connection so that you can access the remote computers then be sure to tick 'Always On' and Enable Ping to Keep Alive and use the IP address of the remote router LAN port on the other internal network (in this case the LAN port IP of the Vigor 3900.) This will basically make the VPN permanent allowing you to easily administer the computers at the dynamic WAN IP site where the 2830 is located.

Once again we are enabling the NetBIOS packets tick box.

Multicast via VPN is disabled again.

We enter the Vigor 3900 WAN IP/Host name in the server IP/Host Name box.

Click the IKE Pre-Shared and enter the same Pre-Shared key as before and click OK



Leave the dial in boxes empty as nothing can dial into a dynamic WAN router.

Do not specify the other end of the VPN as it is a dynamic IP address.

Leave the IKE authentication box as it is as there is no dial in IKE

My WAN IP should remain

The remote VPN gateway is the WAN IP of the 3900 static IP router

The remote Network IP is the subnet of the remote 3900 static IP router, in this case 192.168.x.0 and the remote network mask is a class C of in this case which is the LAN subnet of the 3900

The Local Network IP is the LAN subnet of the router you are configuring and the subnet is once again a class C of

We are leaving RIP as disabled and Route as the method of traversal between subnets.

Now we can click OK and go to the VPN connection management page to see how our VPN is getting on:



On the 2830 the HQ VPN has come up and will stay up as we have configured 'always on' and 'ping to remote IP' meaning that when the IP changes at the 2830 WAN it will pickup and stay up allowing us to configure the remote router and PCs securely if we wish.

Now on the 3900 status we see:



Where the VPN is showing happily at the other end also proving that the VPN is encrypting data and sending and receiving successfully.

Buy the DrayTek Vigor 2860

Buy the DrayTek Vigor 3900

VPNs with WIndows Active Directory and DNS/DHCP

2. June 2017 09:17 by sirclesadmin in Windows Server, Internet Security, VPN
Windows Active Directory, DNS & DHCP with VPNs When a VPN is set-up it is simply a connection be

Windows Active Directory, DNS & DHCP with VPNs

When a VPN is set-up it is simply a connection between LAN subnets that allows certain traffic to be passed between them. If you are using a Windows Server Active Directory network then you need to make sure that you are adjusting your settings to maintain normal traffic and avoid any catastrophes like loopback etc.

Even some of the most down-to-Earth routers can trip you up with DNS and AD when it comes to VPN. DrayTek routers can connect two subnets with the same LAN Subnet but if the Windows servers start inter-communicating it can cause all sorts of issues at Layer-2 and 3. I would always recommend changing one subnet (or even both if they are x.x.1.x or x.x.0.x) rather than using route NATing between subnets.

Before you connect a VPN you should be treating the planning exactly as if you were running a cable between the two sites you plan to connect. Although a VPN arrives via a WAN connection, it is not necessarily subject to the same rules as the internet in  the case of DrayTek routers unless you specifically tell the firewall to block certain services. If you are using a highly configurable router such as a Cisco or Juniper then you can configure all sorts of setting on the firewall specifically for that subnet, but if you are using a simpler router such as a home WiFi router or similar, then you will find that a VPN connection forwards most of the traffic between sites including all types of ICMP & NetBIOS. As a result you must be sure that nothing is allowed to connect to the other LAN that you would not wish to be connected to the existing LAN.

Active Directory is heavily dependent on DNS to locate the resources it requires in order to function and so, regardless of what is behind each VPN endpoint, DNS is a primary concern. If you are connecting an office of PCs to a LAN with servers, you need to configure the remote LAN VPN top use at least one of the remote DNS LAN servers in order to be able to resolve hostnames on the remote LAN. We would not recommend setting both DNS servers to the remote LAN DNS servers in case the VPN drops, but the first server DNS server entry should be set to one.


In the above image, the remote network, has only client machines, but uses the remote network for multiple hosts. The client machines therefore need the remote LAN DNS server set as their primary DNS server and their local router set as their secondary. This way the client machines on the remote router network are able to find the email server and databases but if the VPN drops they can still connect to the secondary server to browse the web from the local router.


In more complex configurations, there may be servers at each end of the VPN tunnel, and there may be domain trusts involved due to companies merging etc. In these cases the DNS servers need to be configured to share their network zones amongst each other. This is a very simple process but you will need the LAN IP addresses of all of the DNS servers before you start. Best practices suggest that you allow only the IPs of known DNS server to access the zone data from your DNS and this can be configured from the DNS server admin on each Windows DNS server. Once you have given permission for each server to access the DNS servers at the opposite end of the DNS tunnel, the clients of each interconnected LAN will be able to locate hosts at either end. If there is a Windows Trust in place then the client machines of each LAN will be able to access assigned documents and resources on the servers at the other office without any need for internet facing servers on either LAN.


DrayTek Vigor 2860 to 3900 IPSec VPN

18. May 2017 10:47 by sirclesadmin in Hardware, Internet, Internet Security, VPN
DrayTek Vigor 2860 to 3900 IPSec VPN Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet

DrayTek Vigor 2860 to 3900 IPSec VPN


This example is useful when connecting a VDSL/FTTC satellite office (with a Vigor 2862/2860) to a Dedicated Ethernet Fibre (Vigor 2960/3900) Hub Office with a secure IPSec VPN. Both offices have a static IP in this example and are available for us to configure at the same time...

Firstly we shall configure the hub Vigor 3900 router at the hub office endpoint for the satellite office to connect to.

Firstly login as normal to see the home screen:



Now go to VPN and Remote Access and choose VPN Server Wizard and select IPSec as your VPN type:



Click to select creating a new VPN profile, choose a name - I have called this one HubOffice -  and click next:



Now we are going to enter the VPN specific information to allow our satellite office to connect:

  • Tick the Enable box to enable the VPN
  • Choose the WAN port you are using for the internet connection that will carry the VPN and for which we will be using the external IP address of
  • Enter the local subnet - this is not provided automatically so enter your local subnet that the satellite office is being provided access to - this may well be the subnet you are using
  • Leave the next hop as
  • The remote host is the external WAN IP of the satellite office Vigor 2860
  • The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860 LAN
  • If there are any other subnets hung of the back of the Satellite office - if it is a hub in itself - then you can add the extra subnets here but this can often be a hinderence in getting the VPN to come up so we shall leave it blank for now.
  • Auth type is PSK for passphrase/shared secret that we will enter momentarily
  • Pre-shared key - enter a long string that you have made a note of, as it is to be entered in the 2860 router later
  • Security protocol - leave at ESP
  • We are leaving the DPD delay and timeout boxes as default

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page and that is what we shall do:



Now we shall proceed to configure the 2860 which has a pretty much identical interface:



We won't use the VPN Client Wizard so that you can see all of the steps, we will configure the VP manually, click VPN and Remote Access > LAN to LAN:



then select a number corresponding to the profile you wish to configure:




  • First tick the Enable box to enable the profile
  • Give the profile a name
  • Choose the WAN1 interface for the VDSL interface if that is what you are using for the VPN external WAN IP address
  • Click the pass NetBIOS box to allow ICMP traffic between the offices
  • Leave Multicast blocked
  • To the right of that leave the call direction as Both
  • Below to the left select IPSec as the VPN type
  • Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
  • To the right, click on the IKE Pre-Shared Key button and enter the key as you entered it into the DrayTek Vigor 3900:

  • Now below that enter the IPsec method as High(ESP) AES with Authentication, then click the advanced button
  • Click the option to enable PFS - perfect forward secrecy



  • Leave the other timeouts as they are and click OK
  • Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
  • Leave the GRE settings as blank and proceed to the bottom section 5.



Now you should be able to go to the connection status on either router and see that the connection is live and be able to ping the other office from each respectively...

Buy the DrayTek Vigor 2860

Buy the DrayTek Vigor 3900

DrayTek Vigor 2830 to DrayTek Vigor 3300/3300V IPSec VPN

DrayTek Vigor 2830 to 3300/V/+ router IPSec VPN This example is for an environment with a static IP

DrayTek Vigor 2830/2860 to 3300/V/+ router IPSec VPN

This example is for an environment with a static IP at each office.

Firstly let us set-up the 3300 head office router:

After logging in, go to the VPN menu, then to IPSec and then to 'Policy Table'


In this example we are going to use AES encryption with authentication for the maximum security available.

Firstly we enable the profile.


We name the profile something that explains the VPN and then we choose preshared key, which in this example is our preferred security key. Our security protocol will be ESP and we choose NAT Traversal to be enabled. In this example I am not enabling NetBIOS but if you are adding a VPN to extend a Windows domain then you should choose Pass here.

As we are connecting to another DrayTek device we are not going to change the default time-outs but if you do, they must be mirrored at the other end to enable the VPN. We will change the security settings though as we wish to ensure AES256-sha1 encryption and authentication.

We are ticking the PFS Perfect Forward Secrecy box also:


Now we can click Apply and configure the DrayTek Vigor 2830/2860...

Under the VPN menu, go to Lan to LAN to set-up your connection to the DrayTek 3300

Click the number corresponding to the first available unused profile...

Now we are going to enter the details required to connect to the 3300 router:


We are once again giving it a name relevant to the connection. In this case we are connecting through WAN2 but you can choose WAN1 if you are using ADSL/VDSL

NetBIOS should be enabled/disabled depending on whether you are allowing file access to Windows machines across the VPN. In most cases with Windows machines you would pass NetBIOS packets.

The call direction is set to Both to allow either end to start the VPN.

Under Dial-Out settings we set the VPN type to IPSec once again.

We enter the domain name/ip address of the external interface of the other 3300 router in the box below.

We now tick the Pre-Share Key box to the right and click the Pre-Shared Key button to enter the same key as we entered into the 3300 Pre-Shared Key box.

Below that we select the High(ESP) option and choose AES with Authentication as we did on the 3300

Now click the Advanced Box:


We are mirroring the settings from the 3300 here so we choose the AES256-SHA1_G5 for phase one and AES-256 for the phase two proposal.

Once again we select the Perfect Forward Secret option and the timeouts are already consistent.

Click OK when done.

Now under IPSec security method, tick only the AES box and then enter the IP address details at the bottom of the page:


We enter the external IP of the 2860/2830 first in the My WAN IP box.

Enter the remote 3300 router external interface address in Remote Gateway IP addres box.

Then enter the remote DrayTek 3300 internal network subnet details in the two boxes below that.

Finally enter the DrayTek 2860/2830 local network subnet details in the two boxes below that.

Click OK when done.

Now under VPN and Remote Access on the 2860/2830 you should see the connection as live:



Buy DrayTek routers here 



DrayTek 2830/2830v2 VPN from Satellite Office with Dynamic IP

4. April 2017 06:54 by sirclesadmin in VPN
DrayTek 2860 - 2860 VPN In this example we are looking at setting up a router for connecting a group

DrayTek Vigor 2830v2 - 2830 VPN with Dynamic IP v4 Address

In this example we are looking at setting up a router for connecting a group of computers to a head office that may be behind another router or in a shared environment, often with a dynamic IP. In this example there is a Linksys router in front of the DrayTek at the satellite office over which we have no control. As a result we are setting the satellite office DrayTek Vigor 2860 to be a Dial-out only router and the head office Draytek 2860 to be receiving dial in only.

Firstly we log into the head office router to set up the incoming VPN settings...

This router is on an ethernet circuit at head office - the WAN2 connection of this DrayTek handles synchronous 50 MB quite happily. Let's continue to the VPN section..

So we configure the system as dial-in and the VPN type to IPSec 

we are not calling any device, only awaiting one to call us so we will leave the dial-out section unaltered with no hostname or IP address in the server box.

Now for the dial-in section. In here we must specify the details for accepting the VPN details from the satellite DrayTek:

Once again we select IPSec as the VPN type. We do not add a username or password for IPSec. We will also leave the Peer ID blank.

We also leave section 4 - the GRE section - as default.


 Here are the important settings for the LAN-LAN dynamic VPN - we must add our WAN IP which for the office is the routers IP on the ethernet network. You can see this on the original status page (example at the top of this post) as your routers WAN IP address.

Thre remote gateway IP stays as as it will be changin in this case.

The remote network IP is the internal LAN subnet address - in this case a 192.168.x.0/24 address and so the subnet is for a class C subnet.

The local network IP is the LAN subnet of the local LAN at head office. Again another 192.168.x.0/24 address - you must have configured the LAN on each router as a different range for successful routing. The local network mask is again

Note the RIP settings are set to Tx/Rx and that we must Route to access the other side - this is important and must be set to Route not NAT

Finally we must set the Pre-Shared secret, which for a dynamic VPN we set under the IPSec general settings here:

In this example we are using AES encryption and so we have ticked only that box.

Setting the Satellite VPN DrayTek Vigor

Once again we log into the DrayTek Vigor:

We head to the VPN section and the first available LAN-LAN profile:

This time the router is set only to dial-out and we once again set the VPN type as IPSec and this time we are entering a PING to keep alive on the internal IP subnet of the remote LAN - in this cas the router LAN address. This will enable us to keep the connection live and so allow for us to remotely administer machines etc. on that remote network. We have also ticked the 'Always On' box to help ensure this.

In our case the head office router has a URL we can add to point this router at the VPN endpoint but you may be using an IP address. Either way the external address of the head-office router you are connecting to goes there. You must also click the Pre-Shared Key button and enter the same shred secret as you entered in the IPSec General section on the Head office router. There is no need to use that section on this router.

We are once again choosing AES with authentication as our VPN encryption to match the remote router. I have left the Phase1 & 2 settings as default in this example as the shared secret is your security in this example and so I have elected not to change time-outs etc.

Now we are completing the IP settings, but for the opposite end of the VPN. Now our WAN IP is unknown and so it is left as the default, but the remote gateway is the same as the IP we entered earlier or is the IP address of the receiving routers WAN. The remote network IP is the LAN subnet of the other router and the local network IP is the local subnet, with the corresponsing masks as before.

We keep the same settings for RIP direction and Routing for access.

Now we have completed all of the settings required for a dynamic to static DrayTek VPN and so we can look at the VPN connection management tab just below where we are now:

Encryption and Security

8. January 2017 12:15 by sirclesadmin in Internet, Internet Security, VPN
Encryption and Security So what is a VPN and is it useful to me? What is encryption and how does it

Encryption and Security


So what is a VPN and is it useful to me? What is encryption and how does it work? Mystified? Well have a read on for some simple (ish) explanations of some of the more common security terms. A VPN is exactly what is being described. It is a virtually private network. In other words it is information that is sent between two parties who have a shared pre-requisite of knowledge that allows them to decode each others messages. This is referred to as a tunnel because no one on the outside of our pre-shared information can see what is within because the information is encrypted and authenticated, that is each party can be sure of the identity of the sender and that no one was able to understand or change the information since being sent.

A type of tunnelling is in evidence every time you purchase something online or log in to an account with a website such as eBay, and this is called public/private key encryption. In the case of eBay they do not know if the computer you are using is who it says it is - it has no certificate to authenticate with-. The only important thing is that your computer believes eBay are who they say they are and your computer verifies this because eBay use a certificate that is issued by a Certification Authority that Microsoft or Macintosh have verified as authentic, and so your computer trusts the certificate and encrypts the information using the private key included in it. eBay trust you because once the encrypted tunnel between you and eBay is working, they ask you for your password, which is sent as encrypted traffic using the authenticated certificate eBay supplied. This form of encryption is typically used by the Secure Sockets Layer or its successor TLS - Transport Layer Security.

In a VPN, both parties must know who the other is and this is usually achieved with a shared secret combined with a hash algorithm known as a keyed hash algorithm. A hash algorithm takes a message of any length and returns a fixed length hash which is very difficult to fake because it is very very infeasible that you could find two messages that would give the same result. The two parties add an incrementing number to transmissions so that someone trying to decode and fake messages will not be verified as they will not be including the incrementing number in subsequent messages. Once authenticated, further communication is made using symmetric ciphers which rely on encrypting information using a pre-shared secret. The disadvantages being that this means that the two parties must have previously exchanged secure information and that the secret must be constantly changed to prevent the encryption being compromised.

The main thing to bear in mind is that it is all the same. Sure there are different methods of encryption and different methods of authentication, but as long as both are ensured to a sensible level we are more or less talking about the same thing. In the main the difference between VPN and normal use of TLS or SSL communications is tied to the factor of Authentication. VPNs require valid hosts at both or all ends.

How does any of it work though? Lets take a look at Public Key Encryption. SSL and its successor TLS both use Public Key Encryption as does the new IP versions IPV6 which uses IPSEC - Internet Protocol Security to encode all traffic. I must take this opportunity now to warn you now that none of this is necessary knowledge to put a working VPN system in place so don't come back complaining it wasn't in your Microsoft exam.

I want to tell my friend Marc how many apples I have collected from the orchards where we work but I do not want Rob or his competitive friends to know so that they do not deliberately stay longer so as to collect just a few more. I therefore devise a simple coding in advance with Marc that I will give a sign when I am about to say my collected number of apples and that amount will be 'encoded.' For instance I might give a sign to Marc by climbing onto my bike and ringing the bell - a sign that can easily be mistaken by Rob and his friends as we are about to head off home anyway - and then Marc will know that the amount I say will be multiplied by five. Five in this example is sufficient because Rob and his friends will have to spend so long collecting apples to compete that they will give up virtually before they start and still have no real idea how many apples I may have collected. This amount is 'encoded' (in this example by private encryption) because both of us know my private key - that the amount is multiplied by 5 -.

So what we are in effect creating is a private key tunnel. A way of communicating securely as long as we have a secure way of exchanging our private key and we can recognise each other and our own pre-agreed method of encryption - i.e. we can successfully Authenticate and Encrypt. But what if matters were different. What if Marc and I were separated and had no secure means of exchanging our private keys. Well, a method which allows us to achieve this is a relatively simple mathematical function but it is fairly slow to encrypt. It is referred to as Public Key Encryption and was developed at GCHQ in Britain by three men called James Ellis, Clifford Cocks and Malcolm J. Williamson. James Ellis had come up with the idea of Public Key Encryption but had not conceived how to implement it. Clifford Cocks - who was also working at GCHQ - heard of the idea and was intrigued and went home and literally thought up the system in less than half an hour. Cock's system did however work with a specific value for the public exponent (see below) and in 1974 Malcolm J. Williamson proposed using a general public exponent. The system is known as the Diffie-Hellman key exchange because of one very important reason. GCHQ is the British equivalent of the NSA and is responsible for the encryption of secret messages on behalf of the MOD (Ministry of Defence) and also the decoding of any suspicious messages intercepted in the UK. The fact that this method had existed - at least in secret - since the early 1970s was not discovered until 1997 when Cocks was allowed to divulge the information relating to a technology which GCHQ had never found much use for. It was, however, of no consequence by this time as in 1976-7, Ronald Rivest, Adi Shamir and Leonard Adleman discovered and published the same system and soon a real use for the functionality would make RSA one of the most commonly-found pieces of software on the planet. It should be noted that the Military are not so interested in Public Key Cryptography, usually because a pre-shared code can be easily exchanged and the early computers at the time of invention could not perform the math.

So how does it work, how can there be a secure way of knowing that I am really talking to who they say they are and also knowing that no one else will know what we are saying? Firstly, it is not true to say that no one can know what we are saying, just that if we encrypt our messages with sufficiently large values for our formulae that the chance of knowing a single exchange before long after we have stopped talking is very slender.

The system works by the two parties choosing a prime number and a base to create a one way trap door effect. Let us go back to the orchard to see how myself and Marc can use these numbers now we are trying to communicate the totals of apples harvested that working day by email and are wary of Rob and his cohorts reading our clear-text emails. We must therefore exchange some kind of code that we will both know but that is not derivable from our exchanges.

Marc and I are going to choose prime number 11 as our prime so p=11, and our base as 3 so q=3

I am encoding my number of apples harvested for that day, and so I decide upon a secret integer to multiply again just as before and this time I choose S=9, so I encrypt the number as follows. I send Marc our base number qs mod p (q=3 so 3 to the power 9 and mod simply means the remainder left after you divide by, so 39 divided by 11 so 39=19683/11 = 1789.3636 recurring so we remove the integer to be left with 0.3636 recurring and re multiply by 11) which gives us our remainder as 4.

Marc chooses a secret integer too, M=8, and then sends me qm mod p or 38 mod 11 = 5

I compute (qm mod p)s mod p = 59 mod 11 =9

Marc computes (qs mod p)m mod p = 48 mod 11=9

We have both derived the same value because qsm and qms are equal, and bear in mind that m, s, qsm, and qms are the only values transmitted publicly, all of the other values are kept entirely private. Once this exchange has taken place we have arrived at a number (please bear in mind it only turned out to be the number Simon chose by chance and would normally be a number unknown by either party until the calculation was carried out) we can use this number to encrypt our apple harvest. As long as we use sufficiently large values for our secret and prime numbers - i.e. our prime was over 300 figures and our secret numbers for Simon and Marc over 100 figures, it would take even the most efficient algorithms known to humankind more than the lifetime of the universe to crack our system. Our new number derived from performing the above with properly large values becomes Marc and Mines Secret Shared Key and may be used to encrypt future messages.

In reality there are more factors that must be taken into account to verify Authentication so as to make sure that I am talking to Marc and not someone impersonating him, which incorporates assigned certificates and certificate authorities just as those that you use every time your browser tells you that you are entering a secure zone and the http:// at the front of the web address url you are visiting is replaced by https://. This is the most typical use of SSL or TLS - to secure web pages.

A Note on the Truth

There are other variants of encryption used with communicating across the Internet to form VPNs such as Block Ciphers like 3DES and AES/Rijndael which are very commonly used in tunnelling often in partnership with hash algorithms like SHA1 or MD5. In truth it is some or all of these security measures acting together that represents most modern VPN tunnelling systems used in equipment like the Checkpoint NG, Windows Server or Cisco PIX. 3DES is still typically the cipher even though it is 56 bit DES performed 3 times and SHA1 is used as a hash algorithm for authentication. Both of these technologies are being superseded by AES/Rijndael and SHA2.

DrayTek 2830 / 2830v2 to Watchguard Firebox XTM 26 11.7 IPSec VPN

10. March 2016 08:02 by sirclesadmin in Internet Security, VPN
Watchguard XTM26 to DraytTek Vigor 2930 IPSec VPN Firstly let's set-up the Watchguard XTM Firebox: I

Watchguard XTM26 to DrayTek Vigor 2830 / 2830v2 IPSec VPN

Firstly let's set-up the Watchguard XTM Firebox:

In  this example I am going to use the software management system rather than the browser but either will suffice if you stick to the correct encryption and key properties.

Start your policy manager by logging into your Firewall and selecting Policy Manager. Then click on the Branch Office Gateways option from the menu so that you are presented with the following:

Watchguard Gateways Dialogue Box

Click the 'add' button to open the Gateways properties box to enter the details:

Watchguard Firebox new Gateway Dialog

In the above example we are using a shared key. Once entered (this must be identical to the shared key we are to enter in the DrayTek) click the 'add' button bottom right to enter the gateway endpoint:

Watchguard Firebox New Gateway Endpoints Dialog

In this example the external IP of the Watchguard is and the DrayTek is so we enter the relevant IPs and choose the external interface that we are using on the Firebox (the interface with the external IP we are entering in this box for the Firebox)

Say OK to close this dialog box

When back to the last box, click on the Phase 1 tab at the top to see the below where we configure the Phase 1 settings for our encryption:

Watchguard Firebox New Gateway Dialog 3DES Group 2

We shall tick the boxes for IKE keep alive and dead peer detection and then click 'Edit' at the bottom to edit the encryption choices:

Watchguard Firebox Phase One Transform Dialog

I am using the American Encryption Standard on an 8 hour time out but feel free to choose anything you like as long as you take note to make sure it is the same on the DrayTek.

Click OK to close the box and OK again to return us back to the Policy Manager screen

Once back to the Policy Admin screen click on the VPN menu and choose Branch Office Tunnels:

Watchguard Firebox Branch Office IPSec Tunnels Dialog

Click the 'add' button to create the IPSec tunnel:

Watchguard Firebox New Tunnel Address Dialog

Click the 'add' button to configure the tunnel:

Watchguard Tunnel Route Settings Dialog

Here we are adding the internal IPs for the local and remote domains. In this example we are using 192.168.x.x subnets and so we enter the local Firebox subnet and the remote DrayTek subnet with the /24 Class C subnet. Click OK to close.

Now choose the Phase 2 tab at the top of the last screen:

Watchguard New Tunnel Phase Two Settings Dialog

Tick the PFS (Perfect forward Secret) box and choose Group 5 as this is what we configure on the DrayTek.

In the above I have not altered the ESP-AES-SHA1 IPSec proposal as it is the one I wish to use but you may add a custom one if you choose.

Click OK to return to the other screen

Click close on the tunnel screen to return to policy manager and save the settings to the Firebox.

Now we will configure the DrayTek 2830 / 2830v2:

Log in to the web interface to begin:

DrayTek 2830 System Status Screen

Under the VPN section on the left, click on the LAN to LAN settings option:

DrayTek 2830 LAN to LAN VPN Screen

Click on the 1 hyperlink to open the LAN-to-LAN dialog:

DrayTek Vigor 2830 New LAN to LAN VPN

In the above I have ticked the enable box, ticked the always on box and chosen to accept NetBIOS traffic as it will be a Windows network. You will also need to click on the IKE Pre-shared key and enter the same key you entered into the Firebox. Now choose AES with authentication under IPSec and click on the 'advanced' button:

DrayTek Vigor IKE Advanced Settings

Choose the above options noting that we are matching the settings on the Firebox with an 8 hour timeout (28800 seconds) with AES 256 bit encryption VPN

DrayTek Vigor 2830 LAN VPN Advanced Settings

Choose IPSec as your tunnel type as you did on the top half of the screen and tick the 'specify remote VPN gateway' as in this case our Watchguard has a static address. We add the static address of the Watchguard WAN.

Also click the IKE pre-shared key button and enter the key again. Now enter the local and remote WAN and LAN

Once all the values have been entered you can say OK and the always on VPN should pickup immediately:

DrayTek Vigor LAN to LAN Status Up

The VPN comes up as an AES 256-bit tunnel and we can see if we ping from the Watchguard side of the VPN:

Successful VPN Ping from Watchguard

And on the system manager:

Watchguard Firebox VPN Status Up and Connected

Watchguard XTM26 to DraytTek Vigor 2830 IPSec VPN


Buy DrayTek Vigor VPN routers here


Sonicwall NSA-250M Set-up and IPSec VPN Connection to DrayTek Vigor 3900

Cisco RVS4000 DrayTek Vigor 3900 VPN IPSec

DrayTek 3300 to Watchguard Firebox 10.2 Core X VPN

To configure the Firebox we are using the 10.2 manager but the 11 series are very similar so you sho

DrayTek 3300 to Watchguard Firebox 10.2 Core X VPN

To configure the Firebox we are using the 10.2 manager but the 11 series are very similar so you should be able to find your way round from these instructions. These instructions are based on using the configuration software rather than the web page as this example is an X550e system that does not support the web interface.

Firstly you will need to login to your Firebox using the username and start your policy manager.

From the VPN menu at the top, select Branch Office Gateways as below:


Watchguard Firebox Policy Table


You will be presented with the BOVPN gateways box:


Watchguard Firebox Gateways Dialogue


Click add and fill in your details which are discussed below:


Watchguard Firebox New Gateway Dialogue


Firstly give your gateway a name at the top of the page - I usually find that the location of the gateway is the most sensible option but for this example I am sticking to generic terms for the sake of security.

If you are using a pre-shared key then you enter it as clear test in the user pre-shared key box.

To add the gateway endpoints, click Add under the endpoints section at the bottom of the page:


New Gateway Endpoints Setting


in the above we can see that our local gateway is which is the local IP address of the firebox in this example. This simply refers to the internal address that you are using to access your Firebox. The external interface can remain as 'external' which is selected from the drop down list. If you are using a VPN trunk between different endpoints to offer redundancy in your VPN then you can set-up various host identities here but for now we are sticking to the simplest configuration.

Next we set the external IP of the DrayTek. The static IP address has been set as as the DrayTek 3300 we are connecting to lives on ethernet fibre and has a static IP. The identity has been left as the same as the DrayTek will automatically use it's external IP as it's identity so this keeps things simple.

Once you have entered these then press OK to return to the last page.

Once there, click on the Phase 1 Settings tab:


Watchguard Firebox New Gateway Dialogue


Above is the dialog for configuring the Phase 1 Settings. This is the first term of key exchange for your firewalls and we can see that the firebox already has various settings as a default. In this example most of these settings can be left as they and the actual important parts are the Mode and the Transform Settings at the bottom.  We can see that the mode is set to Main which is our preferred option in this example and so we will leave this be.

The Transform Settings need to be updated so select the phase1 transform and click edit.

You should see a box resembling the below:


Watchguard Firebox Phase 1 Transform


In our example - as the DrayTek supports AES 256 Group 5  - we are going to select SHA1 as our authentication and AES 256-bit as our encryption and use an 8 hour SA life but please feel free to choose any other SA length as the above settings are too simple to guess. These settings must mirror the DrayTek though so please make a careful note of what you decide upon.

Once you have entered your chosen settings, close the tunnel dialog box, and then click OK on the remaining dialogs to return you the Policy Manager

Now select the Branch Office Tunnels item on the VPN menu:


Watchguard Firebox Policy Table


You will see the New Tunnel Dialog:


Watchguard Firebox New Tunnel Dialogue


Give your tunnel a name and associate with your gateway under the Gateway selector as above.

Click Add to choose the addresses associated with your new tunnel:


Watchguard Firebox Tunnel Route Settings


Choose your local network for the Firebox by either selecting it from the dropdown menu or by entering it manually. In this example the Firebox is on a network:


Watchguard VPN Add Address Config


Click OK to add your subnet and leave the other settings be as the defaults will suffice for this connection.

Click the Phase 2 Settings tab on the previous screen:


Watchguard Firebox New Tunnel Dialogue


In our example our system is going to use perfect forward secrets  and so PFS can remain ticked. We are going to use Diffie-Hellman Group 5 and so select that from the drop down.

The ESP-AES-SHA1 option chosen is already correct but be sure to click edit and check that you have a record of the SA time-outs as they will need to match the DrayTek. Once you are satisfied you can click OK and create your tunnel:


Branch Office IPSec Tunnels


Click close to complete creating the tunnel.

The firebox configuration is now complete so save the settings to your firebox when you are ready. Now we will consider the DrayTek 3300:

Log into your DrayTek 3300 as below:


DrayTek 3300v System Status


Under the VPN menu select IPSec and then Policy Table:


VPN IPSec Policy Table Menu


Under the new IPSec VPN make sure your VPN is set to enable or always-on depending on how you wish your VPN to behave. In this example we will select enable which will come up as soon as you need it in most cases.

Give your VPN a name and replicate the pre-shared key from the Firebox.

ESP is your security protocol so no need to change this.

NAT Traversal should be enabled. If you are connecting two Windows networks then NetBIOS can be enabled for Windows management traffic and machine location - such as computer browser service and the like - to function fully.

The WAN interface I am using is WAN1 and so this remains the same and the DrayTek local LAN settings of go into the local gateway settings. Leaving the other settings as default simply means that the DrayTek will use it's LAN and WAN settings as it's ID for the VPN which is fine in this example.


DrayTek 3300v IPSec VPN Tunnel Settings


Under the remote gateway settings we add the external address of the Firebox and it's LAN address. This is the instruction to the DrayTek about encrypting traffic bound for a certain destination and what the traffic should be expecting when it arrives.

Once you have completed the above, click the advanced tab at the top of the page.

Now we configure the DrayTek phase 1 & 2 settings. On the Firebox we assigned an 8 hour AES 256-bit DH group 5 and so we complete the DrayTek in the same way as below:


DrayTek 3300v IPSec VPN Advanced Settings


Once again we choose 'main' as the mode and tick the Perfect Forward Secret box for PFS to be enabled.

Say OK and you will see that the VPN is now set.

You can monitor under  VPN IPsec Status and see the VPN comes up when you ping something on the other internal LAN:


DrayTek 3300v Ipsec VPN Status

The above shows the VPN has been picked up with the correct IP and LAN subnets ;)

 Buy DrayTek Vigor Routers Online