Vigor2860 Series User’s Guide
282
3.11.3 IPsec General Setup
In IPsec General Setup, there are two major parts of configuration.
There are two phases of IPsec.
Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman parameter values, and lifetime to protect the following IKE exchange, plus authentication of both peers using either a Pre-Shared Key or Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer then tries to find the highest-priority match among its own policies. The result is a secure tunnel for IKE Phase 2.
Phase 2: negotiation of IPsec security methods including Authentication Header (AH) or Encapsulating Security Payload (ESP) for the following IKE exchange, and mutual examination of the secure tunnel establishment.
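The Phase 1 policy selection just described, as an added example that is not from the Vigor2860 guide: the responder walks its own policies in priority order and accepts the first one the initiator also offered. The Proposal fields, the sample policy lists and the lifetime rule are constructed assumptions.

```python
# Toy model of the IKE Phase 1 policy match described above (added example).
# Proposal field names, priorities and lifetimes are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "AES256", "3DES", "DES"
    hash_alg: str     # e.g. "SHA1", "MD5"
    dh_group: int     # Diffie-Hellman group number
    lifetime: int     # seconds the resulting IKE SA stays valid


def select_phase1(initiator: List[Proposal],
                  responder: List[Proposal]) -> Optional[Proposal]:
    """Return the proposal the responder accepts, or None when nothing matches.

    The initiator offers every policy it allows. The responder walks its own
    list in priority order (index 0 = highest) and takes the first policy the
    initiator also offered. Algorithms and DH group must match exactly; the
    shorter of the two lifetimes wins so neither side keeps the SA longer than
    it is willing to.
    """
    offered = {(p.encryption, p.hash_alg, p.dh_group): p for p in initiator}
    for ours in responder:
        theirs = offered.get((ours.encryption, ours.hash_alg, ours.dh_group))
        if theirs is not None:
            return Proposal(ours.encryption, ours.hash_alg, ours.dh_group,
                            min(ours.lifetime, theirs.lifetime))
    return None


# Constructed sample: the initiator lists a weak DES/MD5 policy first, but the
# responder's own ordering decides, so the AES256/SHA1 policy is chosen.
INITIATOR = [
    Proposal("DES", "MD5", 1, 28800),
    Proposal("AES256", "SHA1", 14, 28800),
    Proposal("3DES", "SHA1", 2, 86400),
]
RESPONDER = [
    Proposal("AES256", "SHA1", 14, 3600),
    Proposal("3DES", "SHA1", 2, 28800),
]

if __name__ == "__main__":
    print(select_phase1(INITIATOR, RESPONDER))
```

Because the responder's ordering wins, a router that lists its strongest suite first never ends up on DES/MD5 just because the initiator offered it first.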
There are two encapsulation methods used in IPsec, Transport and Tunnel. Transport mode adds the AH/ESP payload and uses the original IP header to encapsulate the data payload only. It applies only to packets generated locally, e.g., L2TP over IPsec. Tunnel mode not only adds the AH/ESP payload but also uses a new IP header (Tunneled IP header) to encapsulate the whole original IP packet.
Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. This is achieved by applying a keyed one-way hash function to the packet to create a message digest. This digest is put in the AH and transmitted along with the packet. On the receiving side, the peer performs the same one-way hash on the packet and compares the value with the one in the AH it received.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality and protection, with optional authentication and replay detection services.
Available settings are explained as follows:

IKE Authentication Method
    This usually applies to remote dial-in users or nodes (LAN-to-LAN) that use a dynamic IP address and IPsec-related VPN connections such as L2TP over IPsec and IPsec tunnel. The Vigor router offers two methods for authenticating the incoming data from a remote dial-in user, Certificate (X.509) and Pre-Shared Key.
    Certificate for Dial-in - Choose one of the local certificates from the drop-down list.
    Pre-Shared Key - Specify a key for IKE authentication.
    Confirm Pre-Shared Key - Retype the characters to confirm the pre-shared key.
    Note: Any packets from a remote dial-in user which do not match a rule defined in VPN and Remote Access>>Remote Dial-In User will have the method specified here applied to them.

IPsec Security Method
    Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is active.
    High (ESP) - Encapsulating Security Payload (ESP) means the payload (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.

After finishing all the settings here, please click OK to save the configuration.
3.11.4 IPsec Peer Identity
To use a digital certificate for peer authentication in either a LAN-to-LAN connection or a Remote User Dial-In connection, here you may edit a table of peer certificates for selection. As shown below, the router provides 32 entries of digital certificates for peer dial-in users.
Available settings are explained as follows:

Set to Factory Default
    Click it to clear all indexes.

Index
    Click the number below Index to access the setting page of IPsec Peer Identity.

Name
    Displays the profile name of that index.
Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication; fill in each necessary field to authenticate the remote peer. The following explanation will guide you through all the necessary fields.
Available settings are explained as follows:

Profile Name
    Type the name of the profile. The maximum length of the name you can set is 32 characters.

Enable this account
    Check it to enable this account profile.

Accept Any Peer ID
    Click to accept any peer regardless of its identity.

Accept Subject Alternative Name
    Click to check one specific field of the digital signature and accept the peer with a matching value. The field can be IP Address, Domain, or E-mail Address. The box under Type will change according to the type you select and ask you to fill in the corresponding setting.

Accept Subject Name
    Click to check the specific fields of the digital signature and accept the peer with matching values. The fields include Country (C), State (ST), Location (L), Organization (O), Organization Unit (OU), Common Name (CN), and Email (E).

After finishing all the settings here, please click OK to save the configuration.
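The three peer-identity levels above, as an added example that is not the router's own code: a PeerIdentity profile is checked against a parsed peer certificate. The PeerIdentity fields, the parsed-certificate dict layout, and the rule that every filled-in Subject Name field must match are assumptions.

```python
# Peer-identity check modelled on the three levels of 3.11.4 (added example).
# Rule shape, parsed-certificate layout and the all-fields-must-match rule for
# Subject Name are assumptions, not the router's own data structures.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAN_TYPES = {"IP Address": "ip", "Domain": "dns", "E-mail Address": "email"}
SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "E")

@dataclass
class PeerIdentity:
    name: str
    enabled: bool = True
    accept_any: bool = False            # Accept Any Peer ID (weakest level)
    san_type: Optional[str] = None      # Accept Subject Alternative Name
    san_value: Optional[str] = None
    subject: Dict[str, str] = field(default_factory=dict)  # Accept Subject Name

def peer_accepted(rule: PeerIdentity, cert: Dict) -> bool:
    """cert is a parsed certificate: {"subject": {...}, "san": {"dns": [...]}}."""
    if not rule.enabled:
        return False
    if rule.accept_any:
        return True
    if rule.san_type is not None:
        key = SAN_TYPES[rule.san_type]
        wanted = rule.san_value or ""
        present: List[str] = cert.get("san", {}).get(key, [])
        if key == "ip":                 # IP addresses compare exactly
            return wanted in present
        # Domains and e-mail addresses are case-insensitive
        return wanted.lower() in (v.lower() for v in present)
    if rule.subject:
        # Every field filled in on the profile must match the certificate
        # subject; fields left blank are not checked (assumption).
        cert_subject = cert.get("subject", {})
        return all(cert_subject.get(k) == v
                   for k, v in rule.subject.items() if k in SUBJECT_FIELDS)
    return False                        # no level configured: reject

PEER_CERT = {  # constructed sample, not a real certificate
    "subject": {"C": "TW", "O": "Example Corp", "OU": "Branch",
                "CN": "branch1.example.com", "E": "vpn@example.com"},
    "san": {"dns": ["branch1.example.com"], "email": ["vpn@example.com"],
            "ip": ["203.0.113.7"]},
}
```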
3.11.5 Remote Dial-in User
You can manage remote access by maintaining a table of remote user profiles, so that users can be authenticated to dial in via a VPN connection. You may set parameters including the specified connection peer ID, connection type (VPN connection - including PPTP, IPsec Tunnel, and L2TP by itself or over IPsec) and the corresponding security methods, etc.
The router provides 32 access accounts for dial-in users. Besides, you can extend the user accounts to a RADIUS server through the built-in RADIUS client function. The following figure shows the summary table.
Available settings are explained as follows:

Set to Factory Default
    Click to clear all indexes.

Index
    Click the number below Index to access the setting page of Remote Dial-in User.

User
    Displays the username for the specific dial-in user of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty.

Active
    Check the box to activate the profile.

Status
    Displays the access state of the specific dial-in user. The symbols V and X represent that the specific dial-in user is active and inactive, respectively.
Click each index to edit one remote user profile. Each Dial-In Type requires you to fill in the different corresponding fields on the right. If a field is grayed out, you may leave it untouched. The following explanation will guide you through all the necessary fields.
Available settings are explained as follows:

User account and Authentication
    Enable this account - Check the box to enable this function.
    Idle Timeout - If the dial-in user is idle for longer than the timer limit, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds.

Allowed Dial-In Type
    PPTP - Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of the remote dial-in user below.
    IPsec Tunnel - Allow the remote dial-in user to make an IPsec VPN connection through the Internet.
    L2TP with IPsec Policy - Allow the remote dial-in user to make an L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPsec. Select from below:
        None - Do not apply the IPsec policy. Accordingly, a VPN connection that employs L2TP without an IPsec policy can be viewed as a pure L2TP connection.
        Nice to Have - Apply the IPsec policy first, if it is applicable during negotiation. Otherwise, the dial-in