Vigor2900 Series User’s Guide
95
IKE Pre-Shared Key - Check the Pre-Shared Key box to invoke this function and type the required characters (1-63) as the pre-shared key.
IPSec Security Method - This group of fields is required for IPSec Tunnels and for L2TP with IPSec Policy when you specify the remote node. Check the Medium, DES, 3DES or AES box as the security method.
Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is invoked. You can uncheck it to disable it.
High - Encapsulating Security Payload (ESP) means the payload (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.
Local ID - Specify a local ID to be used for the Dial-in setting in the LAN-to-LAN Profile setup. This item is optional and can be used only in IKE aggressive mode.
Callback Function - The callback function provides a callback service only for the ISDN dial-in user (for i models only). The router owner will be charged the connection fee by the telecom.
Check to enable Callback function - Enables the callback function.
Specify the callback number - This option is for extra security. Once enabled, the router will ONLY call back to the specified Callback Number.
Check to enable callback budget control - By default, the callback function has a time restriction. Once the callback budget has been exhausted, the callback mechanism will be disabled automatically.
Callback Budget (Unit: minutes) - Specify the time budget for the dial-in user. The budget is decreased automatically per callback connection.
3.8.5 LAN to LAN Profile Setup
Here you can manage LAN-to-LAN connections by maintaining a table of connection profiles.
You may set parameters including specified connection direction (dial-in or dial-out),
connection peer ID, connection type (VPN including PPTP, IPSec Tunnel, and L2TP by itself
or over IPSec) and corresponding security methods, etc.
The router provides up to 32 profiles, which also means supporting 32 VPN tunnels
simultaneously. The following figure shows the summary table.
Click to clear all indexes.
Name - Indicates the name of the LAN-to-LAN profile. The symbol ??? represents an empty profile.
Status - Indicates the status of each profile. The symbols V and X represent an active and an inactive profile, respectively.
Click each index to edit the corresponding profile and you will get the following page. Each LAN-to-LAN profile includes 4 subgroups. If a field is grayed out, you may leave it untouched. The following explanations will guide you through all the necessary fields.
Because the web page is too long, we divide it into several sections for explanation.
Profile Name - Specify a name for the profile of the LAN-to-LAN connection.
Enable this profile - Check here to activate this profile.
Call Direction - Specify the allowed call direction of this LAN-to-LAN profile.
Both - initiator/responder
Dial-Out - initiator only
Dial-In - responder only
Always On or Idle Timeout - Always On: check to make the router always keep the VPN connection up. Idle Timeout: the default value is 300 seconds. If the connection has been idle for longer than this value, the router will drop the connection.
Enable PING to keep alive - This function helps the router determine the status of the IPSec VPN connection, and is especially useful in the case of abnormal IPSec VPN tunnel disruption. For details, please refer to the note below. Check to enable the transmission of PING packets to a specified IP address.
PING to the IP - Enter the IP address of the remote host located at the other end of the VPN tunnel.
Note: Enable PING to Keep Alive is used to handle abnormal IPSec VPN connection disruption. It provides the state of a VPN connection for the router's redial decision. Normally, if either VPN peer wants to disconnect the connection, it should follow a packet exchange procedure to inform the other peer. However, if the remote peer disconnects without notice, the Vigor router has no way to know this. To resolve this dilemma, by continuously sending PING packets to the remote host the Vigor router can verify that the VPN connection still exists and react accordingly. This is independent of DPD (dead peer detection).
ISDN - Build an ISDN dial-out connection to the server. You should set up the Link Type and the identity, such as User Name and Password, for authentication with the remote server. You can further set up the Callback (CBCP) function below. This feature is available for i models only.
PPTP - Build a PPTP VPN connection to the server through the Internet. You should set the identity, such as User Name and Password, below for authentication with the remote server.
IPSec Tunnel - Build an IPSec VPN connection to the server through the Internet.
L2TP with … - Build an L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below:
None - Do not apply the IPSec policy. Accordingly, the L2TP VPN connection without an IPSec policy can be viewed as a pure L2TP connection.
Nice to Have - Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-out VPN connection becomes a pure L2TP connection.
Must - The IPSec policy is definitely applied to the L2TP connection.
User Name - This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
Password - This field is applicable when you select PPTP or L2TP with or without IPSec policy above.
PPP Authentication - This field is applicable when you select PPTP or L2TP with or without IPSec policy above. PAP/CHAP is the most common selection due to its wide compatibility.
VJ compression - This field is applicable when you select PPTP or L2TP with or without IPSec policy above. VJ Compression is used for TCP/IP protocol header compression. Normally set to Yes to improve bandwidth utilization.
IKE Pre-Shared Key - Click this button to input 1-63 characters as the pre-shared key.
IPSec Security Method - This group of fields is required for IPSec Tunnels and L2TP with IPSec Policy.
Medium - Authentication Header (AH) means data will be authenticated, but not encrypted. By default, this option is active.
High (ESP - Encapsulating Security Payload) - means the payload (data) will be encrypted and authenticated. Select from below:
DES without Authentication - Use the DES encryption algorithm and do not apply any authentication scheme.
DES with Authentication - Use the DES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
3DES without Authentication - Use the Triple DES encryption algorithm and do not apply any authentication scheme.
3DES with Authentication - Use the Triple DES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
AES without Authentication - Use the AES encryption algorithm and do not apply any authentication scheme.
AES with Authentication - Use the AES encryption algorithm and apply the MD5 or SHA-1 authentication algorithm.
Advanced - Specify the mode, proposal and key lifetime of each IKE phase, Gateway, etc. The advanced setup window is shown below:
IKE phase 1 mode - Select Main mode or Aggressive mode. The ultimate outcome is to exchange security proposals to create a protected secure channel. Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPSec session. However, Aggressive mode is faster. The default value in the Vigor router is Main mode.
IKE phase 1 proposal - Propose the locally available authentication schemes and encryption algorithms to the VPN peer, and get its feedback to find a match. Two combinations are available for Aggressive mode and nine for Main mode. We suggest you select the combination that covers the most schemes.
IKE phase 2 proposal - Propose the locally available algorithms to the VPN peer, and get its feedback to find a match. Three combinations are available for both modes. We suggest you select the combination that covers the most algorithms.
IKE phase 1 key lifetime - For security reasons, the lifetime of the key should be defined. The default value is 28800 seconds. You may specify a value between 900 and 86400 seconds.
IKE phase 2 key lifetime - For security reasons, the lifetime of the key should be defined. The default value is 3600 seconds. You may specify a value between 600 and 86400 seconds.
Perfect Forward Secret (PFS) - When this function is inactive, the IKE Phase 1 key will be reused to avoid the computational complexity of Phase 2. By default, this function is inactive.
Local ID - In Aggressive mode, the Local ID is used in place of the IP address for identity authentication with the remote VPN server. The length of the ID is limited to 47 characters.
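As an added example that is not part of this guide or DrayTek's own software, the following check expresses a LAN-to-LAN profile as a plain dictionary (the key names are assumptions chosen for illustration) and validates it against the limits given for the IPSec Security Method and Advanced settings above, while flagging the weaker choices the router permits (AH-only, single DES, ESP without authentication, Aggressive mode, PFS off, "Nice to Have" fallback):

```python
# Added example, not DrayTek's own code: checks a LAN-to-LAN profile (a plain
# dict whose keys are assumed names for this illustration) against the limits
# this manual section states, and flags the weaker choices the router allows.

PHASE1_LIFETIME = (900, 86400)   # seconds, default 28800
PHASE2_LIFETIME = (600, 86400)   # seconds, default 3600
L2TP_POLICIES = {"None", "Nice to Have", "Must"}


def validate_profile(p):
    """Return 'ERROR: ...' (rejected by the manual's limits) and 'WARN: ...'
    (allowed but weak) strings; an empty list means the profile is clean."""
    findings = []
    psk = p.get("pre_shared_key", "")
    if not 1 <= len(psk) <= 63:
        findings.append("ERROR: pre-shared key must be 1-63 characters")
    lo, hi = PHASE1_LIFETIME
    if not lo <= p.get("ike_phase1_lifetime", 28800) <= hi:
        findings.append(f"ERROR: IKE phase 1 key lifetime must be {lo}-{hi} s")
    lo, hi = PHASE2_LIFETIME
    if not lo <= p.get("ike_phase2_lifetime", 3600) <= hi:
        findings.append(f"ERROR: IKE phase 2 key lifetime must be {lo}-{hi} s")
    policy = p.get("l2tp_ipsec_policy", "None")
    if policy not in L2TP_POLICIES:
        findings.append("ERROR: L2TP IPSec policy must be None, Nice to Have or Must")
    mode = p.get("ike_phase1_mode", "Main")
    local_id = p.get("local_id", "")
    if local_id and mode != "Aggressive":
        findings.append("ERROR: Local ID can be used only in IKE aggressive mode")
    if len(local_id) > 47:
        findings.append("ERROR: Local ID is limited to 47 characters")
    # Weak-but-permitted settings a reviewer would want surfaced.
    method = p.get("ipsec_method", "")
    if method.startswith("Medium"):
        findings.append("WARN: AH (Medium) authenticates data but does not encrypt it")
    elif method.startswith("DES "):
        findings.append("WARN: single DES is a weak cipher; prefer 3DES or AES")
    if method.endswith("without Authentication"):
        findings.append("WARN: ESP without authentication gives no integrity check")
    if mode == "Aggressive":
        findings.append("WARN: aggressive mode does fewer exchanges in the secure channel")
    if not p.get("pfs", False):
        findings.append("WARN: PFS off, so the phase 1 key is reused for phase 2")
    if policy == "Nice to Have":
        findings.append("WARN: 'Nice to Have' may silently fall back to plain L2TP")
    return findings
```

The `ipsec_method` value is one of the option labels listed above ("Medium" for AH, or one of the six ESP choices such as "AES with Authentication"); missing lifetime and policy keys take the guide's defaults.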
Callback Function (for i models only) - The callback function provides a callback service, as part of the PPP suite, only for the ISDN dial-in user. The router owner will be charged the connection fee by the telecom.
Require Remote to Callback - Enable this to let the router require the remote peer to call back for the connection afterwards.
Provide ISDN Number to Remote - In the case that the remote peer requires the Vigor router to call back, the local ISDN number will be provided to the remote peer. Check here to allow the Vigor router to send the ISDN number to the remote router. This feature is available for i models only.