DrayTek Vigor2860Vn-plus Router Manual PDF (Setup & Configuration Guide)

Page 306 / 794 Scroll up to view Page 301 - 305

Vigor2860 Series User’s Guide

292



Both

:-initiator/responder



Dial-Out

- initiator only



Dial-In-

responder only.

Always On-

Check to enable router always keep VPN

connection.

Idle Timeout:

The default value is 300 seconds. If the

connection has been idled over the value, the router will

drop the connection.

Enable PING to keep alive -

This function is to help the

router to determine the status of IPsec VPN connection,

especially useful in the case of abnormal VPN IPsec tunnel

disruption. For details, please refer to the note below.

Check to enable the transmission of PING packets to a

specified IP address.

Enable PING to keep alive

is used to handle abnormal

IPsec VPN connection disruption. It will help to provide the

state of a VPN connection for router’s judgment of redial.

Normally, if any one of VPN peers wants to disconnect the

connection, it should follow a serial of packet exchange

procedure to inform each other. However, if the remote peer

disconnects without notice, Vigor router will by no where

to know this situation. To resolve this dilemma, by

continuously sending PING packets to the remote host, the

Vigor router can know the true existence of this VPN

connection and react accordingly. This is independent of

DPD (dead peer detection).

PING to the IP -

Enter the IP address of the remote host

that located at the other-end of the VPN tunnel.

Dial-Out Settings

Type of Server I am calling - PPTP

- Build a PPTP VPN

connection to the server through the Internet. You should

set the identity like User Name and Password below for the

authentication of remote server.

IPsec Tunnel

- Build an IPsec VPN connection to the

server through Internet.

L2TP with IPsec Policy -

Build a L2TP VPN connection

through the Internet. You can select to use L2TP alone or

with IPsec. Select from below:



None:

Do not apply the IPsec policy. Accordingly, the

VPN connection employed the L2TP without IPsec

policy can be viewed as one pure L2TP connection.



Nice to Have:

Apply the IPsec policy first, if it is

applicable during negotiation. Otherwise, the dial-out

VPN connection becomes one pure L2TP connection.

Must:

Specify the IPsec policy to be definitely applied on

the L2TP connection.

User Name -

This field is applicable when you select,

PPTP or L2TP with or without IPsec policy above. The

length of the name is limited to 49 characters.

Password -

This field is applicable when you select PPTP

or L2TP with or without IPsec policy above. The length of

Page 307 / 794

Vigor2860 Series User’s Guide

293

the password is limited to 15 characters.

PPP Authentication -

This field is applicable when you

select, PPTP or L2TP with or without IPSec policy above.

PAP/CHAP/MS-CHAP/MS-CHAPv2 is the most common

selection due to compatibility.

VJ compression -

This field is applicable when you select

PPTP or L2TP with or without IPsec policy above. VJ

Compression is used for TCP/IP protocol header

compression. Normally set to

On

to improve bandwidth

utilization.

IKE Authentication Method -

This group of fields is

applicable for IPsec Tunnels and L2TP with IPsec Policy.



Pre-Shared Key

- Input 1-63 characters as pre-shared

key.



Digital Signature (X.509)

- Select one predefined

Profiles set in the

VPN and Remote Access >>IPsec

Peer Identity

.

Peer ID -

Select one of the predefined Profiles set in

VPN and

Remote Access >>IPsec Peer Identity.

Local ID –

Specify a local ID

(Alternative Subject

Name First

or

Subject Name First)

to be used for

Dial-in setting in the LAN-to-LAN Profile setup. This

item is optional and can be used only in IKE

aggressive mode.



Local Certificate –

Select one of the profiles set in

Certificate Management>>Local Certificate

.

IPsec Security Method -

This group of fields is a must for

IPsec Tunnels and L2TP with IPsec Policy.



Medium AH (Authentication Header)

means data

will be authenticated, but not be encrypted. By default,

this option is active.



High (ESP-Encapsulating Security Payload)-

means

payload (data) will be encrypted and authenticated.

Select from below:



DES without Authentication

-Use DES encryption

algorithm and not apply any authentication scheme.



DES with Authentication-

Use DES encryption

algorithm and apply MD5 or SHA-1 authentication

algorithm.



3DES without Authentication

-Use triple DES

encryption algorithm and not apply any authentication

scheme.



3DES with Authentication-

Use triple DES

encryption algorithm and apply MD5 or SHA-1

authentication algorithm.



AES without Authentication

-Use AES encryption

algorithm and not apply any authentication scheme.



AES with Authentication-

Use AES encryption

algorithm and apply MD5 or SHA-1 authentication

algorithm.

Page 308 / 794

Vigor2860 Series User’s Guide

294

Advanced -

Specify mode, proposal and key life of each

IKE phase, Gateway, etc.

The window of advance setup is shown as below:

IKE phase 1 mode -

Select from

Main

mode and

Aggressive

mode. The ultimate outcome is to exchange

security proposals to create a protected secure channel.

Main

mode is more secure than

Aggressive

mode since

more exchanges are done in a secure channel to set up the

IPsec session. However, the

Aggressive

mode is faster. The

default value in Vigor router is Main mode.



IKE phase 1 proposal-

To propose the local available

authentication schemes and encryption algorithms to

the VPN peers, and get its feedback to find a match.

Two combinations are available for Aggressive mode

and nine for

Main

mode. We suggest you select the

combination that covers the most schemes.



IKE phase 2 proposal-

To propose the local available

algorithms to the VPN peers, and get its feedback to

find a match. Three combinations are available for

both modes. We suggest you select the combination

that covers the most algorithms.



IKE phase 1 key lifetime-

For security reason, the

lifetime of key should be defined. The default value is

28800 seconds. You may specify a value in between

900 and 86400 seconds.



IKE phase 2 key lifetime-

For security reason, the

lifetime of key should be defined. The default value is

3600 seconds.

You may specify a value in between

600 and 86400 seconds.



Perfect Forward Secret (PFS)-

The IKE Phase 1 key

will be reused to avoid the computation complexity in

phase 2. The default value is inactive this function.

Local ID-

In

Aggressive

mode, Local ID is on behalf

of the IP address while identity authenticating with

remote VPN server. The length of the ID is limited to

47 characters.

Index(1-15) -

Set the wireless LAN to work at certain time

interval only. You may choose up to 4 schedules out of the

15 schedules pre-defined in

Applications >> Schedule

setup. The default setting of this field is blank and the

function will always work.

Page 309 / 794

Vigor2860 Series User’s Guide

295

Available settings are explained as follows:

Item

Description

Dial-In Settings

Allowed Dial-In Type -

Determine the dial-in connection

with different types.



PPTP -

Allow the remote dial-in user to make a PPTP

VPN connection through the Internet. You should set

the User Name and Password of remote dial-in user

below.



IPsec Tunnel-

Allow the remote dial-in user to trigger

an IPsec VPN connection through Internet.



L2TP with IPsec Policy -

Allow the remote dial-in

user to make a L2TP VPN connection through the

Internet. You can select to use L2TP alone or with

IPsec. Select from below:



None -

Do not apply the IPsec policy.

Accordingly, the VPN connection employed the

L2TP without IPsec policy can be viewed as one

pure L2TP connection.



Nice to Have

- Apply the IPsec policy first, if it

is applicable during negotiation. Otherwise, the

dial-in VPN connection becomes one pure L2TP

connection.



Must -

Specify the IPsec policy to be definitely

applied on the L2TP connection.

Page 310 / 794

Vigor2860 Series User’s Guide

296

Specify Remote VPN Gateway -

You can specify the IP

address of the remote dial-in user or peer ID (should be the

same with the ID setting in dial-in type) by checking the

box. Also, you should further specify the corresponding

security methods on the right side.

If you uncheck the checkbox

,

the connection type you

select above will apply the authentication methods and

security methods in the general settings.

User Name -

This field is applicable when you select PPTP

or L2TP with or without IPsec policy above. The length of

the name is limited to 11 characters.

Password -

This field is applicable when you select PPTP

or L2TP with or without IPsec policy above. The length of

the password is limited to 11 characters.

VJ Compression -

VJ Compression is used for TCP/IP

protocol header compression. This field is applicable when

you select PPTP or L2TP with or without IPsec policy

above.

IKE Authentication Method -

This group of fields is

applicable for IPsec Tunnels and L2TP with IPsec Policy

when you specify the IP address of the remote node. The

only exception is Digital Signature (X.509) can be set when

you select IPsec tunnel either with or without specify the IP

address of the remote node.



Pre-Shared Key -

Check the box of Pre-Shared Key

to invoke this function and type in the required

characters (1-63) as the pre-shared key.



Digital Signature (X.509) –

Check the box of Digital

Signature to invoke this function and select one

predefined Profiles set in the

VPN and Remote

Access >>IPsec Peer Identity

.



Local ID

– Specify which one will be inspected

first.



Alternative Subject Name First

– The

alternative subject name (configured in

Certificate Management>>Local Certificate

)

will be inspected first.



Subject Name First

– The subject name

(configured in

Certificate

Management>>Local Certificate

) will be

inspected first.

IPsec Security Method -

This group of fields is a must for

IPsec Tunnels and L2TP with IPsec Policy when you

specify the remote node.



Medium-

Authentication Header (AH) means data

will be authenticated, but not be encrypted. By default,

this option is active.



High-

Encapsulating Security Payload (ESP) means

payload (data) will be encrypted and authenticated.

You may select encryption algorithm from Data

Encryption Standard (DES), Triple DES (3DES), and

Rate

Popular DrayTek Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share