Page 96 / 173
Vigor2900 Series User’s Guide
90
3.8 VPN and Remote Access Setup
A Virtual Private Network (VPN) is the extension of a private network that encompasses links
across shared or public networks like the Internet. In short, by VPN technology, you can send
data between two computers across a shared or public network in a manner that emulates the
properties of a point-to-point private link.
Choose VPN and Remote Access Setup in the Advanced Setup group; you will see the following page.
3.8.1 Remote Access Control Setup
Enable the VPN services you need. If you intend to run a VPN server inside your LAN, you should disable the corresponding VPN service of the Vigor router so that the VPN tunnel can pass through, and configure the appropriate NAT settings, such as DMZ or open ports.
3.8.2 PPP General Setup
This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, and L2TP over IPSec.
Dial-In PPP Authentication
PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol.
PAP or CHAP - Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first. If the dial-in user does not support this protocol, it will fall back to the PAP protocol for authentication.
Dial-In PPP Encryption (MPPE)
This option means that the MPPE encryption method will be optionally employed in the router for the remote dial-in user. If the remote dial-in user does not support the MPPE encryption algorithm, the router will transmit packets without MPPE encryption. Otherwise, the MPPE encryption scheme will be used to encrypt the data.
Require MPPE (40/128bits) - Selecting this option will force the router to encrypt packets using the MPPE encryption algorithm. The remote dial-in user may use either 40-bit or 128-bit encryption: if the 128-bit MPPE encryption method is not available, the 40-bit encryption scheme will be applied to encrypt the data.
Maximum MPPE - This option indicates that the router will use the MPPE encryption scheme with the maximum key length (128 bits) to encrypt the data.
Mutual Authentication (PAP)
The Mutual Authentication function is mainly used to communicate with other routers or clients that need bi-directional authentication in order to provide stronger security, for example, Cisco routers. Enable this function when your peer router requires mutual authentication, and specify the User Name and Password of the mutual authentication peer.
Start IP Address
Enter a start IP address for the dial-in PPP connection. You should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. Note, however, that the first two IP addresses, 192.168.1.200 and 192.168.1.201, are reserved for ISDN remote dial-in users.
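The authentication and encryption choices in this table, modelled as an added example that is not DrayTek's code: the CHAP-first/PAP-fallback rule, the MD5-CHAP response check a router performs (RFC 1994), and the MPPE key-length policy for each option. The label "Optional MPPE" for the first encryption option and all secrets and challenge values are assumptions.

```python
"""Model of the Vigor dial-in PPP options (PAP/CHAP choice, MD5-CHAP check,
MPPE key-length policy). Added illustration, not DrayTek code; the MPPE
rules follow the option descriptions in the manual."""
import hashlib
import hmac
from typing import Optional

def choose_auth(setting: str, peer_supports_chap: bool) -> str:
    """'PAP Only' forces PAP; 'PAP or CHAP' tries CHAP first and falls back to PAP."""
    if setting == "PAP Only":
        return "PAP"
    if setting == "PAP or CHAP":
        return "CHAP" if peer_supports_chap else "PAP"
    raise ValueError(f"unknown Dial-In PPP Authentication setting: {setting}")

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-CHAP response (RFC 1994): MD5(Identifier || secret || challenge).
    The secret never crosses the link, unlike PAP, which sends it in the clear."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def router_verifies_chap(secret: bytes, ident: int, challenge: bytes, response: bytes) -> bool:
    """Router side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def choose_mppe(setting: str, peer_bits) -> Optional[int]:
    """MPPE key length negotiated with a peer advertising the lengths in peer_bits.
    Returns 128 or 40, 0 for an unencrypted link, or None when the router must refuse."""
    if setting == "Optional MPPE":                 # assumed label: encrypt if the peer can, else clear
        return 128 if 128 in peer_bits else 40 if 40 in peer_bits else 0
    if setting == "Require MPPE (40/128bits)":     # prefer 128-bit, fall back to 40-bit, never clear
        return 128 if 128 in peer_bits else 40 if 40 in peer_bits else None
    if setting == "Maximum MPPE":                  # 128-bit only
        return 128 if 128 in peer_bits else None
    raise ValueError(f"unknown Dial-In PPP Encryption setting: {setting}")

if __name__ == "__main__":
    # Constructed values; a real challenge comes from the router's CHAP Challenge packet.
    secret, challenge = b"dialin-secret", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    resp = chap_response(1, secret, challenge)
    print(choose_auth("PAP or CHAP", True), router_verifies_chap(secret, 1, challenge, resp))
    print(choose_mppe("Require MPPE (40/128bits)", {40}))
```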
3.8.3 VPN IKE/IPSec General Setup
In IPSec General Setup, there are two major parts of configuration.
There are two phases of IPSec:
- Phase 1: negotiation of IKE parameters, including encryption, hash, Diffie-Hellman parameter values and lifetime, to protect the following IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer tries to find the highest-priority match with its own policies. The result is a secure tunnel for IKE Phase 2.
- Phase 2: negotiation of the IPSec security methods, including Authentication Header (AH) or Encapsulating Security Payload (ESP), for the following IKE exchange, and mutual examination of the secure tunnel establishment.
There are two encapsulation methods used in IPSec, Transport and Tunnel. The Transport mode adds the AH/ESP payload and uses the original IP header to encapsulate the data payload only. It applies only to locally generated packets, e.g., L2TP over IPSec. The Tunnel mode not only adds the AH/ESP payload but also uses a new IP header (the tunneled IP header) to encapsulate the whole original IP packet.
Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. This is achieved by applying a keyed one-way hash function to the packet to create a message digest. This digest is put in the AH and transmitted along with the packet. On the receiving side, the peer performs the same one-way hash on the packet and compares the value with the one in the AH it receives.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality and protection, with optional authentication and replay detection services.
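The AH behaviour described above (keyed one-way hash, Transport versus Tunnel encapsulation), as an added example that is not the router's implementation: the 9-byte header layout and the HMAC-SHA256 check value are simplifications of the real AH format, and the key and addresses are constructed values.

```python
"""Simplified IPSec Authentication Header in Transport and Tunnel mode.
Added illustration, not the router's code: the toy 9-byte "IP header" and the
full HMAC-SHA256 ICV stand in for the real header layout and HMAC-SHA1-96."""
import hashlib
import hmac
import ipaddress

AH_PROTO = 51      # IP protocol number of the Authentication Header
IPIP_PROTO = 4     # next-header value when a whole IP packet is tunneled
ICV_LEN = 32       # HMAC-SHA256 output length used as the integrity check value

def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Toy IP header: 4-byte source, 4-byte destination, 1-byte protocol."""
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([proto])

def ah_wrap(mode: str, key: bytes, orig: bytes, gw_src: str = "", gw_dst: str = "") -> bytes:
    """Protect a packet with AH. Transport mode keeps the original IP header and
    inserts AH in front of the payload only; Tunnel mode adds a new (gateway)
    IP header and covers the whole original packet."""
    orig_hdr, payload = orig[:9], orig[9:]
    if mode == "Transport":
        outer = orig_hdr[:8] + bytes([AH_PROTO])     # original addresses, next header = AH
        inner = bytes([orig_hdr[8]]) + payload        # AH carries the original protocol number
    elif mode == "Tunnel":
        outer = ip_header(gw_src, gw_dst, AH_PROTO)   # new tunneled IP header
        inner = bytes([IPIP_PROTO]) + orig            # whole original packet follows the AH
    else:
        raise ValueError(f"unknown mode: {mode}")
    # Keyed one-way hash over everything transmitted (real AH also zeroes mutable IP fields).
    icv = hmac.new(key, outer + inner, hashlib.sha256).digest()
    return outer + icv + inner

def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the digest over the packet and compare it with the ICV."""
    outer, icv, inner = packet[:9], packet[9:9 + ICV_LEN], packet[9 + ICV_LEN:]
    expected = hmac.new(key, outer + inner, hashlib.sha256).digest()
    return hmac.compare_digest(expected, icv)

def ah_unwrap(packet: bytes) -> bytes:
    """Recover the original packet after ah_verify succeeded (transport: rebuild the
    header; tunnel: strip the outer header). Assumes transport payloads are not IP-in-IP."""
    outer, inner = packet[:9], packet[9 + ICV_LEN:]
    next_hdr, rest = inner[0], inner[1:]
    return rest if next_hdr == IPIP_PROTO else outer[:8] + bytes([next_hdr]) + rest
```

Note that the payload stays readable in the protected packet: this is the "Medium" (AH) security method, authenticated but not encrypted.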
IKE Authentication Method
This usually applies to remote dial-in users or nodes (LAN-to-LAN) that use dynamic IP addresses and IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel.
Pre-Shared Key - Currently only Pre-Shared Key authentication is supported. Specify a key for IKE authentication.
Re-type Pre-Shared Key - Confirm the pre-shared key.
IPSec Security Method
Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is active.
High - Encapsulating Security Payload (ESP) means the payload (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.
3.8.4 Remote User Profile Setup (Teleworker)
You can manage remote access by maintaining a table of remote user profiles, so that users can be authenticated to dial in or build the VPN connection. You may set parameters including the specified connection peer ID, the connection type (PPTP, IPSec Tunnel, and L2TP by itself or over IPSec) and the corresponding security methods, etc.
The router provides 32 access accounts for dial-in users. In addition, you can extend the user accounts to a RADIUS server through the built-in RADIUS client function. The following figure shows the summary table.
Click to clear all indexes.
Index
Click the number below Index to access the setting page of the Remote Dial-in User.
User
Displays the username for the specific dial-in user of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty.
Status
Displays the access state of the specific dial-in user. The symbols V and X represent that the specific dial-in user is active and inactive, respectively.
Click this link to access the next page for setting more accounts.
Click each index to edit one remote user profile. Each Dial-In Type requires you to fill in the different corresponding fields on the right. If a field is grayed out, you may leave it untouched. The following explanation will guide you to fill in all the necessary fields.
Enable this account
Check the box to enable this function.
Idle Timeout - If the dial-in user is idle beyond the limit of the timer, the router will drop this connection. By default, the Idle Timeout is set to 300 seconds.
ISDN
Allow the remote ISDN dial-in connection. You can further set up the Callback function below. You should set the User Name and Password of the remote dial-in user below. This feature is for the i model only.
PPTP
Allow the remote dial-in user to make a PPTP VPN connection through the Internet. You should set the User Name and Password of the remote dial-in user below.
IPSec Tunnel
Allow the remote dial-in user to trigger an IPSec VPN connection through the Internet.
L2TP
Allow the remote dial-in user to make an L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below:
None - Do not apply the IPSec policy. Accordingly, a VPN connection that employs L2TP without an IPSec policy can be viewed as a pure L2TP connection.
Nice to Have - Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-in VPN connection becomes a pure L2TP connection.
Must - Specify that the IPSec policy must be applied to the L2TP connection.
Specify Remote Node
Check the checkbox - You can specify the IP address of the remote dial-in user or the peer ID (used in IKE aggressive mode).
Uncheck the checkbox - The connection type you select above will apply the authentication methods and security methods in the general settings.
User Name
This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
Password
This field is applicable when you select PPTP or L2TP with or without IPSec policy above.