Unified Services Router
User Manual
114
2. Configure the Remote and Local WAN addresses for the tunnel endpoints:
   Remote Gateway Type: identify the remote endpoint of the tunnel by FQDN or static IP address.
   Remote WAN IP address / FQDN: this field is enabled only if the peer you are trying to connect to is a Gateway. For VPN Clients, this IP address or Internet Name is determined when a connection request is received from a client.
   Local Gateway Type: identify this router's endpoint of the tunnel by FQDN or static IP address.
   Local WAN IP address / FQDN: this field can be left blank if you are not using a different FQDN or IP address than the one specified in the WAN port's configuration.
3. Configure the Secure Connection Remote Accessibility fields to identify the remote network:
   Remote LAN IP address: the address of the LAN behind the peer gateway.
   Remote LAN Subnet Mask: the subnet mask of the LAN behind the peer gateway.
   Note: the IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
4. Review the settings and click Connect to establish the tunnel.
The Wizard creates an Auto IPsec policy with the following default values for a VPN Client or Gateway policy (these can be accessed from a link on the Wizard page):
Parameter                  Default value from Wizard
Exchange Mode              Aggressive (Client policy) or Main (Gateway policy)
ID Type                    FQDN
Local WAN ID               wan_local.com (only applies to Client policies)
Remote WAN ID              wan_remote.com (only applies to Client policies)
Encryption Algorithm       3DES
Authentication Algorithm   SHA-1
Authentication Method      Pre-shared Key
PFS Key-Group              DH-Group 2 (1024 bit)
Life Time (Phase 1)        24 hours
Life Time (Phase 2)        8 hours
NETBIOS                    Enabled (only applies to Gateway policies)
The VPN Wizard is the recommended method to set up an Auto IPsec policy.
Once the Wizard creates the matching IKE and VPN policies required by the Auto
policy, one can modify the required fields through the edit link. Refer to the online
help for details.
Easy Setup Site to Site VPN Tunnel:
If you find it difficult to configure VPN policies through the VPN Wizard, use Easy Setup Site to Site VPN Tunnel. This adds VPN policies by importing a file containing VPN policies.
6.2 Configuring IPsec Policies
Setup > VPN Settings > IPsec > IPsec Policies
An IPsec policy is between this router and another gateway, or between this router and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport depending on the network being traversed between the two policy endpoints.
Transport: this mode is used for end-to-end communication between this router and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host. Only the data payload is encrypted; the IP header is not modified or encrypted.
Tunnel: this mode is used for network-to-network IPsec tunnels where this gateway is one endpoint of the tunnel. In this mode the entire IP packet, including the header, is encrypted and/or authenticated.
When tunnel mode is selected, you can enable NetBIOS and DHCP over IPsec. DHCP over IPsec allows this router to serve IP leases to hosts on the remote LAN. In this mode you can also define the single IP address, range of IPs, or subnet on both the local and remote private networks that can communicate over the tunnel.
Figure 74: IPsec policy configuration
Once the tunnel type and endpoints of the tunnel are defined, you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between the two IPsec hosts. The Phase 1 IKE parameters define the tunnel's security association details. The Phase 2 Auto policy parameters cover the security association lifetime and the encryption/authentication details of the Phase 2 key negotiation.
The VPN policy is one half of the IKE/VPN policy pair required to establish an Auto IPsec VPN tunnel. The IP addresses of the machine or machines at the two VPN endpoints are configured here, along with the policy parameters required to secure the tunnel.
Figure 75: IPsec policy configuration continued (Auto policy via IKE)
A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. The encryption and integrity algorithms and keys must also match exactly on the remote IPsec host for the tunnel to establish successfully. Note that Auto policies with IKE are preferred, as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint.
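The two consistency rules this chapter states (the step 3 note that the remote LAN range must differ from the local LAN range, and the Manual policy requirement that SPIs be mirrored and algorithms and keys match exactly) are easy to get wrong when typing the same tunnel into two routers by hand. The following Python script is an added example, not part of the manual or of the router's firmware: it models one endpoint of a site-to-site policy with field names of this example's own choosing, checks a pair of endpoints against those rules, and additionally warns when the wizard's default algorithms (3DES, SHA-1, DH group 2) are still in use; that weak-algorithm classification is this example's assumption, not something the manual says.

```python
"""Offline consistency checks for a site-to-site IPsec policy pair (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Wizard defaults listed in the manual that current guidance treats as weak.
# This classification is the example's assumption, not a statement in the manual.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"MD5", "SHA-1"}
WEAK_DH_GROUPS = {"DH-Group 1(768 bit)", "DH-Group 2(1024 bit)"}


@dataclass
class IpsecEndpoint:
    """One side of the tunnel as entered on the policy page.
    Field names are this example's own, not the router's form labels."""
    local_lan: str                 # network behind this gateway, e.g. "192.168.10.0/24"
    remote_lan: str                # network behind the peer gateway
    encryption: str                # e.g. "3DES"
    integrity: str                 # e.g. "SHA-1"
    dh_group: str                  # e.g. "DH-Group 2(1024 bit)"
    mode: str = "Auto"             # "Auto" (IKE) or "Manual"
    spi_in: Optional[int] = None   # manual keying only
    spi_out: Optional[int] = None
    key_enc: str = ""              # manual keying only
    key_auth: str = ""


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def check_lan_ranges(local_lan: str, remote_lan: str) -> List[str]:
    """Step 3 note: the remote LAN range must not overlap the local LAN range."""
    local, remote = _net(local_lan), _net(remote_lan)
    if local.overlaps(remote):
        return [f"remote LAN {remote} overlaps local LAN {local}"]
    return []


def check_endpoints_agree(a: IpsecEndpoint, b: IpsecEndpoint) -> List[str]:
    """What A calls remote must be B's local network (and vice versa), and the
    mode, encryption, integrity and DH settings must match exactly."""
    problems = []
    if _net(a.remote_lan) != _net(b.local_lan) or _net(a.local_lan) != _net(b.remote_lan):
        problems.append("local/remote LAN definitions are not mirrored between endpoints")
    for name in ("mode", "encryption", "integrity", "dh_group"):
        if getattr(a, name) != getattr(b, name):
            problems.append(f"{name} mismatch: {getattr(a, name)!r} vs {getattr(b, name)!r}")
    return problems


def check_manual_keying(a: IpsecEndpoint, b: IpsecEndpoint) -> List[str]:
    """Manual policy: incoming/outgoing SPIs mirrored and keys identical on both ends."""
    problems = []
    if a.spi_in != b.spi_out or a.spi_out != b.spi_in:
        problems.append("SPI values are not mirrored (A.in must equal B.out and A.out B.in)")
    if not a.key_enc or a.key_enc != b.key_enc:
        problems.append("encryption keys are missing or differ between endpoints")
    if not a.key_auth or a.key_auth != b.key_auth:
        problems.append("integrity keys are missing or differ between endpoints")
    return problems


def weak_algorithm_warnings(ep: IpsecEndpoint) -> List[str]:
    """Flag wizard defaults that should be replaced before production use."""
    warnings = []
    if ep.encryption in WEAK_ENCRYPTION:
        warnings.append(f"encryption {ep.encryption} is deprecated; prefer AES")
    if ep.integrity in WEAK_INTEGRITY:
        warnings.append(f"integrity {ep.integrity} is weak; prefer SHA-256 or stronger")
    if ep.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"{ep.dh_group} is too small; prefer DH group 14 (2048 bit) or higher")
    return warnings


def validate_policy_pair(a: IpsecEndpoint, b: IpsecEndpoint) -> Dict[str, List[str]]:
    """Run all checks: 'errors' would stop the tunnel establishing, 'warnings' would not."""
    errors = check_lan_ranges(a.local_lan, a.remote_lan) + check_endpoints_agree(a, b)
    if a.mode == "Manual" and b.mode == "Manual":
        errors += check_manual_keying(a, b)
    return {"errors": errors, "warnings": weak_algorithm_warnings(a)}


# Constructed sample: a Manual policy pair that still uses the wizard's default algorithms.
SITE_A = IpsecEndpoint("192.168.10.0/24", "192.168.20.0/24", "3DES", "SHA-1",
                       "DH-Group 2(1024 bit)", mode="Manual", spi_in=0x1001,
                       spi_out=0x1002, key_enc="example-enc-key", key_auth="example-auth-key")
SITE_B = IpsecEndpoint("192.168.20.0/24", "192.168.10.0/24", "3DES", "SHA-1",
                       "DH-Group 2(1024 bit)", mode="Manual", spi_in=0x1002,
                       spi_out=0x1001, key_enc="example-enc-key", key_auth="example-auth-key")

if __name__ == "__main__":
    for kind, messages in validate_policy_pair(SITE_A, SITE_B).items():
        for message in messages:
            print(f"{kind}: {message}")
```

Run against the constructed SITE_A / SITE_B pair the script reports no errors (the LANs differ, the LAN definitions and SPIs are mirrored, and the keys match) but three warnings, one for each wizard default it considers weak. Reversing one SPI or shrinking one LAN so it overlaps the other produces an error instead.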
DSR supports a VPN roll-over feature. This means that policies configured on the primary WAN roll over to the secondary WAN in case of a link failure on the primary WAN. This feature can be used only if your WAN is configured in Auto-Rollover mode.