Differences
This shows you the differences between two versions of the page.
draytek_site [2021/11/16 15:27] joe |
draytek_site [2021/11/16 17:10] (current) rafi |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | his article describes how to configure a VPN tunnel on a DrayTek Vigor 3900 device. | + | This article describes how to configure a VPN tunnel on a DrayTek Vigor 3900 device. |
- | * Unordered List ItemConfiguring | + | * Configuring |
* Configuring the tunnel on the DrayTek Management Interface | * Configuring the tunnel on the DrayTek Management Interface | ||
Please follow the steps below: | Please follow the steps below: | ||
- | ====== **Configuring the tunnel in the Management | + | ==== Configuring the tunnel in the DrayTek |
- | 1. Go to the Gateway in your network from which you want to create the tunnel to DrayTek. Select the three-dotted menu (...) and select Add Tunnel. | + | 1. Open the DrayTek |
- | 2. Select IPSec Site-2-Site Tunnel | + | 2. In the left panel, select VPN and Remote Access, then select |
- | 3. In the General Settings section fill in the following information: | ||
- | **Name:** Choose whatever name you find suitable for the tunnel. | + | ---- |
- | **Shared Secret:** Enter a string of your own or use Generate. | + | |
- | **Public IP:** Enter the public IP of the DrayTek device. | + | |
- | **Remote ID:** Enter a name that will be also used as the name of the VPN profile on the DrayTek device. | + | |
- | **Perimeter 81 Gateway Proposal Subnets:** Choose the specified subnet. By default, this should be set to 10.255.0.0/ | + | |
- | **Remote Gateway Proposal Subnets:** Select Specified Subnets and specify according to your local LAN Subnets. | + | |
- | 4. In the Advanced Settings section fill in the following: | + | {{::360010935959screenshot2020-04-13at112605.png? |
- | **IKE Version:** v1 | + | |
- | **Encryption (Phase 1):** AES256 | + | |
- | **Encryption (Phase 2):** AES256 | + | |
- | **Integrity (Phase 1):** SHA1 | + | |
- | **Integrity (Phase 2):** SHA1 | + | |
- | **Diffie-Hellman Groups (Phase 1):** 2 | + | |
- | **Diffie-Hellman Groups (Phase 2):** 2 | + | |
- | **DPD delay:** 30s | + | |
- | **DPD timeout:** 120s | + | |
- | 5. Leave the rest of the fields with the default values (as shown in the attached image) and click on Add Tunnel. | + | |
- | ======**Configuring the tunnel in the DrayTek Management Interface**====== | + | ---- |
- | 1. Open the DrayTek management interface. | ||
- | 2. In the left panel, select VPN and Remote Access, then select VPN Profiles. Select the add to create a new profile. | ||
- | |||
- | {{ : | ||
3. Under the Basic tab, fill in the following information: | 3. Under the Basic tab, fill in the following information: | ||
- | {{ :3600110728791-1copy.jpg? | + | |
+ | {{3600110728791-1copy.jpg? | ||
**Auto Dial-Out: Enable;** Always Dial-Out | **Auto Dial-Out: Enable;** Always Dial-Out | ||
+ | |||
**Dial-Out through: Your WAN interface; | **Dial-Out through: Your WAN interface; | ||
+ | |||
**Failover: | **Failover: | ||
+ | |||
**Local IP/Subnet Mask:** Insert your FW external address and specify the correlating subnets. | **Local IP/Subnet Mask:** Insert your FW external address and specify the correlating subnets. | ||
- | **Remote Host:** Insert you Perimeter 81 Gateway IP | ||
- | **Remote ID/Subnet Mask:** By default, upon network creation at the Perimeter 81 Portal 10.255.0.0 and 255.255.255.0/ | ||
- | {{ :: | + | **Remote Host:** Insert you Privatise public gateway IP (you can get this under ROC On Demand in the managed company portal). |
+ | |||
+ | **Remote ID/Subnet Mask:** Please reach out to Privatise support for this. | ||
+ | |||
+ | {{:: | ||
**IKE Protocol:** IKEv1 | **IKE Protocol:** IKEv1 | ||
+ | |||
**IKE Phase 1:** Main Mode | **IKE Phase 1:** Main Mode | ||
+ | |||
**Auth Type:** PSK | **Auth Type:** PSK | ||
- | **Pre-shared Key: | + | |
+ | **Pre-shared Key: | ||
**Security Protocol:** ESP | **Security Protocol:** ESP | ||
4. Fill in the following information in the Advanced section: | 4. Fill in the following information in the Advanced section: | ||
- | {{ :: | + | {{:: |
- | {{ :: | ||
- | **Phase 1 Key Lifetime: | + | {{:: |
- | **Phase 2 Key Lifetime: | + | |
+ | |||
+ | **Phase 1 Key Lifetime: | ||
+ | |||
+ | **Phase 2 Key Lifetime: | ||
**Perfect Forward Secrecy Status:** Enable | **Perfect Forward Secrecy Status:** Enable | ||
+ | |||
**DPD Status:** Enable | **DPD Status:** Enable | ||
+ | |||
**DPD Delay:** 30 seconds | **DPD Delay:** 30 seconds | ||
+ | |||
**DPD Timeout:** 120 seconds | **DPD Timeout:** 120 seconds | ||
+ | |||
**Ping to Keep Alive:** Disable | **Ping to Keep Alive:** Disable | ||
+ | |||
**Route/NAT Mode:** Route | **Route/NAT Mode:** Route | ||
+ | |||
**Source IP:** Auto-detect | **Source IP:** Auto-detect | ||
+ | |||
**Apply NAT Policy:** Disable | **Apply NAT Policy:** Disable | ||
+ | |||
**Set VPN Default Gateway:** Disable | **Set VPN Default Gateway:** Disable | ||
+ | |||
**Netbios Naming Packet:** Disable | **Netbios Naming Packet:** Disable | ||
+ | |||
**Multicast via VPN:** Disable | **Multicast via VPN:** Disable | ||
+ | |||
**Rip via VPN:** Disable | **Rip via VPN:** Disable | ||
+ | |||
**Packet Triggered: | **Packet Triggered: | ||
+ | |||
**Force UDP Encapsulation: | **Force UDP Encapsulation: | ||
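Review bot: The gateway-side block removed at the top of this hunk (IKE Version v1, AES256 for both phases, SHA1, Diffie-Hellman group 2, DPD 30s/120s) has no replacement, so the new revision no longer states which Phase 1 and Phase 2 parameters the DrayTek profile has to match. The only remaining pointer to the peer's settings is "Please reach out to Privatise support for this" on the Remote ID/Subnet Mask line. Suggest keeping a short list of the gateway's expected IKE version, encryption, integrity and DH group next to steps 3 and 4, since a mismatch on any of them prevents the tunnel from establishing. If the gateway still expects the values the removed lines gave, say whether it also supports stronger options, because group 2 is a 1024-bit MODP group and SHA1 is a legacy hash. The added Remote Host line also carries over the typo "Insert you", which should read "Insert your".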
Line 85: | Line 93: | ||
5. Fill in the following information in the GRE section: | 5. Fill in the following information in the GRE section: | ||
- | {{ :: | + | |
+ | {{:: | ||
**Enable GRE Function:** Disable | **Enable GRE Function:** Disable | ||
+ | |||
**Auto Generate GRE Key:** Enable | **Auto Generate GRE Key:** Enable | ||
6.Fill in with the following information in the Proposal section: | 6.Fill in with the following information in the Proposal section: | ||
- | {{ :: | + | |
+ | {{:: | ||
**IKE Phase 1 Proposal:** AES 256 | **IKE Phase 1 Proposal:** AES 256 | ||
+ | |||
**IKE Phase 1 Authentication: | **IKE Phase 1 Authentication: | ||
- | **IKE Phase 2 Proposal: | + | |
+ | **IKE Phase 2 Proposal: | ||
**IKE Phase 2 Authentication: | **IKE Phase 2 Authentication: | ||
+ | |||
**Accepted Proposal:** Accept | **Accepted Proposal:** Accept | ||
7. Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply. | 7. Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply. | ||
- | {{ :: | + | |
+ | {{:: | ||
8. If the tunnel is up, the profile will be green in the Connection Management tab: | 8. If the tunnel is up, the profile will be green in the Connection Management tab: | ||
- | {{ ::360010936219screenshot2020-04-13at113958.png? | + | |
+ | {{360010936219screenshot2020-04-13at113958.png? |
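Review bot: In step 6, the "Accepted Proposal" value reads only "Accept", which does not tell the reader which option to select in the Proposal section; spell out the full option label as it appears in the router UI. The step heading is also left as "6.Fill in with the following information" while the lines around it are reformatted; it should read "6. Fill in the following information in the Proposal section:". Step 8 relies only on the profile turning green in Connection Management; adding a check that a host on the remote subnet is reachable would confirm the tunnel actually carries traffic.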