sircles.net Computer Support The sircles IT support & solutions blog | DrayTek Vigor 2860 to 3900 IPSec VPN

Twitter Feed Popout byInfofru

The sircles IT support & solutions blog SEO, Copy Writing, Networking and Internet Safety & Security

DrayTek Vigor 2860 to 3900 IPSec VPN

18. May 2017 10:47 by sirclesadmin in Hardware, Internet, Internet Security, VPN
DrayTek Vigor 2860 to 3900 IPSec VPN Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet

DrayTek Vigor 2860 to 3900 IPSec VPN

Connecting a VDSL/FTTC satellite office to a Dedicated Ethernet Fibre Hub Office with DrayTek IPSec. Both offices have a static IP in this example.

Firstly we shall configure the hub Vigor 3900 endpoint. Login as normal to see the home screen:

 

 

Now go to VPN and Remote Access and choose VPN Server Wizard and select IPSec as your VPN type:

 

 

Click to select creating a new VPN profile, choose a name - I have called this one HubOffice -  and click next:

 

 

Now we are going to enter the VPN specific information to allow our satellite office to connect:

  • Tick the Enable box to enable the VPN
  • Choose the WAN port you are using for the internet connection that will carry the VPN and for which we will be using the external IP address of
  • Enter the local subnet - this is not provided automatically so enter your local subnet that the satellite office is being provided access to - this may well be the subnet you are using
  • Leave the next hop as 0.0.0.0
  • The remote host is the external WAN IP of the satellite office Vigor 2860
  • The remote host IP/subnet mask is the internal LAN subnet of the Vigor 2860 LAN
  • If there are any other subnets hung of the back of the Satellite office - if it is a hub in itself - then you can add the extra subnets here but this can often be a hinderence in getting the VPN to come up so we shall leave it blank for now.
  • Auth type is PSK for passphrase/shared secret that we will enter momentarily
  • Pre-shared key - enter a long string that you have made a note of, as it is to be entered in the 2860 router later
  • Security protocol - leave at ESP
  • We are leaving the DPD delay and timeout boxes as default

Click finish to complete the setup...

You will be asked if you wish to proceed to the VPN status page and that is what we shall do:

 

 

Now we shall proceed to configure the 2860 which has a pretty much identical interface:

 

 

We won't use the VPN Client Wizard so that you can see all of the steps, we will configure the VP manually, click VPN and Remote Access > LAN to LAN:

 

 

then select a number corresponding to the profile you wish to configure:

 

 

 

  • Fist tick the Enable box to enable the profile
  • Give the profile a name
  • Choose the WAN1 interface for the VDSL interface if that is what you are using for the VPN external WAN IP address
  • Click the pass NetBIOS box to allow ICMP traffic between the offices
  • Leave Multicast blocked
  • To the right of that leave the call direction as Both
  • Below to the left select IPSec as the VPN type
  • Below that, enter the IP address or A record host name of the hub office Vigor 3900 WAN
  • To the right, click on the IKE Pre-Shared Key button and enter the key as you entered it into the Vigor 3900:

  • Now below that enter the IPsec method as High(ESP) AES with Authentication, then click the advanced button
  • Click the option to enable PFS - perfect forward secrecy

 

 

  • Leave the other timeouts as they are and click OK
  • Tick the box Specify Remote VPN Gateway and enter the 3900 WAN IP address
  • Leave the GRE settings as blank and proceed to the bottom section 5.

 

 

  • Enter the 2860 WAN IP in the first box
  • Enter the 3900 WAN IP in the second box
  • Enter the 3900 LAN IP network address in the third box
  • Enter the 3900 LAN subnet in the fourth box
  • Enter the 2860 LAN network address in the fifth box
  • Enter the 2860 LAN subnet in the final box
  • Leave the RIP settings as they are.

Now you should be able to go to the connection status on either router and see that the connection is live and be able to ping the other office from each respectively...

Buy the DrayTek Vigor 2860

Buy the DrayTek Vigor 3900

Comments (4) -

Sid Vetten 09/06/2017 11:08:33 #

Can you please post a 2830 to 3900 with the 2830 as a dynamic IP configuration? We are having real difficulty understanding where to configure what in order to get this working? The IPSec general and LAN-to-LAN settings seem to conflict...

Reply

sirclesadmin 29/06/2017 22:15:04 #

It is pretty much the same as: blog.sircles.net/.../draytek-2860-2830-vpn-from-satellite-office-with-dynamic-ip
The important thing is to set-up the IPSec general shared key on the static end and use the LAN-LAN settings for the dynamic IP end and leave the WAN IPs empty on that router.

Reply

Mazar Khan 09/08/2017 20:51:17 #

Can yo explain which IPSec configuration page we use for each example of VPN - when does IPSec general page apply and does it interrupt L2TP over IPSec if we change as we have problems constantly.

Reply

sirclesadmin 28/08/2017 22:58:21 #

IPSec general set-up is where you set the default IPSec shared key for dynamics IP IPSec connections as well as L2TP connections which is a difficulty as they often do not conincide with users you wish to tell a shared secret to. In my experience, if the General IPSec page is different to LAN-to-LAN incoming settings on a dynamic IPSec connection it will prevent the connection coming up but this  does vary from router to router. Although it is not an ideal situation, I recommend using a single shared secret for dynamic IPSec and L2TP incoming connections. This will ensure your connections are reliable but does compromise security unless you make sure that all incoming IPSec connections are LAN subnet specific.

Reply

Add comment