31

D-Link DIR-330 User Manual

Section 3 - Configuration

IPSec Settings

Check this box to enable IPSec.

Enter a name for your VPN.

Enter the local (LAN) subnet and mask.

(ex. 192.168.0.0/24)

Select Site to Site or Remote User for the

required VPN configuration.

•

Site to Site

- Network-to-network VPN in

which two entire LAN networks are virtually

connected across the Internet. If selected,

enter the destination gateway IP address in

the box which is the public WAN IP or host

address of the remote VPN server endpoint.

•

Remote User

– Client-to-server VPN in

which remote VPN clients can to connect to

the router from the Internet and access Local

Network resources.

If

Site to Site

is selected, enter the Destination

subnet and mask of the remote network.

(ex. 192.168.1.0/24)

Select Pre-shared Key or X.509 Certificate Authentication. One of these two authentication methods must be selected.

•

Pre-shared Key

- Manually enter ASCII passphrase in box.

•

X.509 Certificate

- For certificate authentication, certificates must be manually uploaded to the router. See the “Certificates”

section for details.

Enable:

Name:

Local Net/ Mask:

Remote IP:

Remote Local

LAN Net/ Mask:

Authentication:

32

D-Link DIR-330 User Manual

Section 3 - Configuration

Main / Aggressive

Mode:

NAT-T Enable:

• Additional Authentication Methods (Optional)

XAUTH

- Check this box to include additional username and password authentication requirements for the VPN. Select

Server Mode

or

Client Mode

.

•

Server Mode

- Select a group from the Authentication database drop-down menu containing the list of user

credentials permitted.

•

Client Mode

- Enter the user name and password if required by the remote VPN server endpoint configured in

xAuth Server Mode.

Local/Remote ID

- Check this box to include additional ID authentication requirements for the VPN using a specific IP Address,

FQDN, ASN1, or a Custom String.

•

Local ID

- Select one of the options from the drop-down menu. Enter an ID to identify and authenticate the local

VPN endpoint.

•

Remote ID

- Select one of the options from the drop-down menu. Enter an ID to identify and authenticate the

remote VPN endpoint.

Select Main Mode or Aggressive Mode for IKE Phase 1 negotiation.

•

Main Mode

- Select this option to configure the standard negotiation parameters for IKE Phase 1 of the VPN

Tunnel. (Recommended Setting)

•

Aggressive Mode

- Select this option to configure IKE Phase 1 of the VPN Tunnel to carry out negotiation in a

shorter amount of time. (Not Recommended - Less Secure)

Check this box to enable NAT Traversal. Enabling this option will allow IPSec traffic from this endpoint to traverse through the

translation process during NAT. The remote VPN endpoint must also support this feature and it must be enabled to function

properly over the VPN.

33

D-Link DIR-330 User Manual

Section 3 - Configuration

Keep Alive /

DPD:

DH Group:

IKE Proposal

List:

IKE Lifetime:

PFS Enable:

PFS DH Group:

IPSec Proposal

List:

IPSec Lifetime:

Select

None

,

Keep Alive

, or

DPD

(Dead Peer Connection).

•

None

- Select this option to disable Keep Alive.

•

Keep Alive

- Select this option to send

random ping requests

from this endpoint to the remote endpoint keeping the tunnel

established during long idle periods of inactivity.

•

DPD

- Select this option to delete the VPN tunnel if there is no

traffic detected. The VPN will re-establish once traffic is again

sent through the tunnel.

Select a DH Group from the drop-down menu. As the DH Group

number increases, the higher the level of encryption implemented

for Phase 1.

Select the Cipher and Hash from the drop-down menus. The proposal

listing is evaluated in order with #1 being the first proposal to attempt

in IKE negotiation.

Enter the number of seconds for the IKE Lifetime. The period of time

to pass before establishing a new IKE security association (SA) with

the remote endpoint. The default value is 28800.

Check to enable or uncheck to disable. PFS is an additional security protocol.

Select a PFS DH Group from the drop-down menu. As the DH Group number increases, the higher the level of encryption

implemented for PFS.

Select the Cipher and Hash from the drop-down menus. The proposal listing is evaluated in order with #1 being the first

proposal to attempt in IPSec negotiation.

Enter the number of seconds for the IPSec Lifetime. The period of time to pass before establishing a new IPSec security

association (SA) with the remote endpoint. The default value is 3600.

34

D-Link DIR-330 User Manual

Section 3 - Configuration

PPTP/L2TP Settings

Check this box to enable.

Enter a name for your VPN.

Select

PPTP

,

L2TP

, or

L2TP over IPsec

.

Enter the VPN Server IP address which is the LAN

IP of the router. (i.e. 192.168.0.1).

Assign a range of IP addresses. The assigned IP

range should be on the same IP network but not

the in the same range as your DHCP IP range. For

example, if your network is 192.168.0.xxx and you

set the DHCP range to 192.168.0.100-200, the

remote IP range cannot be within 192.168.0.100-

200.

Select the desired authentication protocol (PAP/

CHAP/MS-CHAP v2).

Select the level of encryption (None/40-bit/128-

bit).

Select a user group from the drop-down menu.

You can create user groups in the

Advanced

>

User Group

section.

Enable Setting:

Name:

Connection

Type:

VPN Server IP:

Remote IP

Range:

Authentication

Protocol:

MPPE

Encryption

Mode:

Authentication

Database:

PPTP uses TCP port 1723 for its control connection and uses GRE (IP protocol 47) for the PPP data. PPTP supports

data encryption by used MPPE. L2TP uses UDP protocol to transport the PPP data. This is often encapsulated in

IPsec encryption instead of MPPE.

35

D-Link DIR-330 User Manual

Section 3 - Configuration

SSL VPN Settings

Select a certificate to use for SSL. You can add a

new certificate by clicking

New

, which will take you

to the

Advanced > Certificates

page.

Check this box to enable SSL VPN.

Enter a name for your VPN.

Select a User Group to include in your SSL VPN.

Enter the LAN IP network in which connected SSL

VPN clients are allowed access.

Example:

If these are the current settings,

Router IP Address: 192.168.0.1

Router Subnet Mask: 255.255.255.0

Use the following configuration,

Client Accessible Range: 192.168.0.0/24

Certificate

Select:

Enable

SSLVPN:

Name:

User Group:

Client

Accessible

Range: