This article describes how to configure a VPN tunnel on a DrayTek Vigor 3900 device.

  * Configuring the tunnel on the Management Platform
  * Configuring the tunnel on the DrayTek Management Interface

Please follow the steps below:

==== Configuring the tunnel in the DrayTek Management Interface ====

1. Open the DrayTek management interface.

2. In the left panel, select VPN and Remote Access, then select VPN Profiles. Select the add to create a new profile.


----

{{::360010935959screenshot2020-04-13at112605.png?nolink&200 }}

----


3. Under the Basic tab, fill in the following information:


{{3600110728791-1copy.jpg?nolink&200 |}}

**Auto Dial-Out: Enable;** Always Dial-Out

**Dial-Out through: Your WAN interface;** Default WAN IP

**Failover:** Should remain with the null value.

**Local IP/Subnet Mask:** Insert your FW external address and specify the correlating subnets.

**Remote Host:** Insert you Privatise public gateway IP (you can get this under ROC On Demand in the managed company portal).

**Remote ID/Subnet Mask:** Please reach out to Privatise support for this.

{{::360010932560screenshot2020-04-13at112754.png?nolink&200 |}}


**IKE Protocol:** IKEv1

**IKE Phase 1:** Main Mode

**Auth Type:** PSK

**Pre-shared Key:** Please reach out to Privatise support for this.

**Security Protocol:** ESP

4. Fill in the following information in the Advanced section:

{{::360010932580screenshot2020-04-13at112834.png?nolink&200 |}}


{{::360010936039screenshot2020-04-13at113129.png?nolink&200 |}}


**Phase 1 Key Lifetime:** 86400 seconds

**Phase 2 Key Lifetime:** 86400 seconds

**Perfect Forward Secrecy Status:** Enable

**DPD Status:** Enable

**DPD Delay:** 30 seconds

**DPD Timeout:** 120 seconds

**Ping to Keep Alive:** Disable

**Route/NAT Mode:** Route

**Source IP:** Auto-detect

**Apply NAT Policy:** Disable

**Set VPN Default Gateway:** Disable

**Netbios Naming Packet:** Disable

**Multicast via VPN:** Disable

**Rip via VPN:** Disable

**Packet Triggered:** Enable

**Force UDP Encapsulation:** Disable


5. Fill in the following information in the GRE section:


{{::360010936059screenshot2020-04-13at113213.png?nolink&200 |}}


**Enable GRE Function:** Disable

**Auto Generate GRE Key:** Enable

6.Fill in with the following information in the Proposal section:


{{::image-1607873566327.png?nolink&200 |}}


**IKE Phase 1 Proposal:** AES 256

**IKE Phase 1 Authentication:** SHA1

**IKE Phase 2 Proposal:** AES 256 with auth

**IKE Phase 2 Authentication:** SHA1

**Accepted Proposal:** Accept

7. Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply.


{{::360010936079screenshot2020-04-13at113512.png?nolink&200 |}}


8. If the tunnel is up, the profile will be green in the Connection Management tab:


{{360010936219screenshot2020-04-13at113958.png?nolink&200 |}}