Vigor2930 Series User’s Guide
The Vigor router will not accept the ISDN dial-in connection if the Enable ISDN Dial-in box is not checked.
3.9.4 PPP General Setup
This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, and L2TP over IPSec.
Dial-In PPP Authentication
    PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol.
    PAP or CHAP - Selecting this option means the router will first attempt to authenticate dial-in users with the CHAP protocol. If the dial-in user does not support CHAP, the router falls back to PAP for authentication.
Dial-In PPP Encryption (MPPE)
    Optional MPPE - With this option, MPPE encryption is used for a remote dial-in user only when that user supports it. If the remote dial-in user does not support the MPPE encryption algorithm, the router transmits the packets without MPPE encryption; otherwise the MPPE encryption scheme is used to encrypt the data.
    Require MPPE (40/128 bits) - Selecting this option forces the router to encrypt packets with the MPPE encryption algorithm. Either 40-bit or 128-bit MPPE is accepted from the remote dial-in user: if 128-bit MPPE encryption is not available, the 40-bit encryption scheme is applied to encrypt the data.
    Maximum MPPE - This option makes the router use the MPPE encryption scheme with the maximum key length (128-bit) to encrypt the data.
Mutual Authentication (PAP)
    The Mutual Authentication function is mainly used to communicate with other routers or clients that need bi-directional authentication in order to provide stronger security, for example, Cisco routers. You should enable this function when your peer router requires mutual authentication, and further specify the User Name and Password of the mutual authentication peer.
Start IP Address
    Enter a start IP address for the dial-in PPP connection. You should choose an IP address from the local private network. For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. Note that the first two IP addresses, 192.168.1.200 and 192.168.1.201, are reserved for ISDN remote dial-in users.
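As an added illustration (not code from the manual or from DrayTek), the following Python models the PAP Only / PAP or CHAP choice described above from the authenticator's side: CHAP (RFC 1994 with MD5) is offered first and the router falls back to PAP only when the policy allows it and the peer cannot do CHAP. The user table, the policy strings and the peer_supports_chap flag are assumptions.

```python
import hashlib
import hmac
import os

# Constructed user table: username -> PPP secret (not from the manual).
USERS = {b"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    # The secret itself never crosses the link, unlike PAP's clear-text password.
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def choose_protocol(policy: str, peer_supports_chap: bool) -> str:
    # Model of the 'Dial-In PPP Authentication' option: with 'PAP or CHAP' the
    # router offers CHAP first and falls back to PAP only if the peer cannot
    # do CHAP; with 'PAP Only' it never offers CHAP.
    if policy == "PAP or CHAP" and peer_supports_chap:
        return "CHAP"
    if policy in ("PAP or CHAP", "PAP Only"):
        return "PAP"
    raise ValueError(f"unknown policy {policy!r}")


def new_challenge():
    # Authenticator side: a fresh random challenge plus the packet identifier.
    return 1, os.urandom(16)


def verify_chap(user: bytes, identifier: int, challenge: bytes, response: bytes) -> bool:
    # Recompute the expected response from the stored secret and compare in constant time.
    secret = USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def verify_pap(user: bytes, password: bytes) -> bool:
    # PAP: the peer sends the password itself; compare in constant time.
    secret = USERS.get(user)
    return secret is not None and hmac.compare_digest(secret, password)


def dial_in(user: bytes, password: bytes, policy: str, peer_supports_chap: bool):
    # One dial-in attempt as the router would run it; returns (protocol used, accepted).
    proto = choose_protocol(policy, peer_supports_chap)
    if proto == "CHAP":
        ident, chal = new_challenge()
        return proto, verify_chap(user, ident, chal, chap_response(ident, password, chal))
    return proto, verify_pap(user, password)
```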
3.9.5 IPSec General Setup
In IPSec General Setup, there are two major parts of configuration. IPSec itself has two phases:
- Phase 1: negotiation of the IKE parameters, including encryption, hash, Diffie-Hellman parameter values, and lifetime, to protect the subsequent IKE exchange, and authentication of both peers using either a Pre-Shared Key or a Digital Signature (X.509). The peer that starts the negotiation proposes all its policies to the remote peer, and the remote peer tries to find the highest-priority match with its own policies. The result is a secure tunnel for IKE Phase 2.
- Phase 2: negotiation of the IPSec security methods, Authentication Header (AH) or Encapsulating Security Payload (ESP), for the subsequent exchange, and mutual confirmation that the secure tunnel has been established.
There are two encapsulation methods used in IPSec, Transport and Tunnel. Transport mode adds the AH/ESP payload and keeps the original IP header, so only the data payload is encapsulated; it applies only to packets that originate from or terminate at the router itself, e.g., L2TP over IPSec. Tunnel mode not only adds the AH/ESP payload but also uses a new IP header (the tunneled IP header) to encapsulate the whole original IP packet.
Authentication Header (AH) provides data authentication and integrity for IP packets passed between VPN peers. This is achieved by applying a keyed one-way hash function to the packet to create a message digest. The digest is placed in the AH and transmitted along with the packet. On the receiving side, the peer performs the same one-way hash on the packet and compares the value with the one in the AH it receives.
Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality and protection, with optional authentication and replay detection.
IKE Authentication Method
    This usually applies to remote dial-in users or nodes (LAN-to-LAN) that use dynamic IP addresses and IPSec-related VPN connections such as L2TP over IPSec and IPSec tunnel.
    Certificate for Dial-in - Choose the one you need.
    Pre-Shared Key - Currently only Pre-Shared Key authentication is supported.
    Pre-Shared Key - Specify a key for IKE authentication.
    Confirm Pre-Shared Key - Retype the characters to confirm the pre-shared key.
IPSec Security Method
    Medium - Authentication Header (AH) means data will be authenticated but not encrypted. By default, this option is active.
    High - Encapsulating Security Payload (ESP) means the payload (data) will be encrypted and authenticated. You may select the encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES.
3.9.6 IPSec Peer Identity
To use a digital certificate for peer authentication in either a LAN-to-LAN connection or a Remote User Dial-In connection, you can edit a table of peer certificates here for later selection. As shown below, the router provides 100 entries of digital certificates for peer dial-in users.
Set to Factory Default
    Click it to clear all indexes.
Index
    Click the number below Index to access the setting page of IPSec Peer Identity.
Name
    Displays the profile name of that index.
Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication. Fill in each necessary field to authenticate the remote peer; the following explanation will guide you through all the necessary fields.
Profile Name
    Type a name for this profile.
Accept Any Peer ID
    Click to accept any peer regardless of its identity.
Accept Subject Alternative Name
    Click to check one specific field of the digital signature and accept the peer if the value matches. The field can be IP Address, Domain, or E-mail Address. The box under Type will change according to the type you select and ask you to fill in the corresponding value.
Accept Subject Name
    Click to check the specific fields of the digital signature and accept the peer if the values match. The fields include Country (C), State (ST), Location (L), Organization (O), Organization Unit (OU), Common Name (CN), and Email (E).
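As an added illustration (not code from the manual or from DrayTek's firmware), the following Python models how the three acceptance levels above decide whether a peer certificate matches a profile. The certificate fields, the profile dict layout, case-insensitive comparison, and the rule that every subject field you fill in must match are assumptions.

```python
# Constructed certificate fields, as a parser would extract them (not from the manual).
PEER_CERT = {
    "subject": {"C": "TW", "ST": "Hsinchu", "L": "Hsinchu", "O": "Example Corp",
                "OU": "VPN", "CN": "branch1.example.com", "E": "vpn@example.com"},
    "san": {"IP Address": ["203.0.113.10"],
            "Domain": ["branch1.example.com"],
            "E-mail Address": ["vpn@example.com"]},
}

SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN", "E")
SAN_TYPES = ("IP Address", "Domain", "E-mail Address")


def peer_accepted(profile: dict, cert: dict) -> bool:
    """Decide whether a peer certificate matches an IPSec Peer Identity profile.

    profile["mode"] is 'any' (Accept Any Peer ID), 'san' (Accept Subject
    Alternative Name, with 'type' and 'value') or 'subject' (Accept Subject
    Name, with a 'fields' dict). Assumption: every non-blank subject field
    must match; blank fields are "don't care".
    """
    mode = profile["mode"]
    if mode == "any":
        # Identity is not checked at all: only the certificate chain protects you.
        return True
    if mode == "san":
        san_type = profile["type"]
        if san_type not in SAN_TYPES:
            raise ValueError(f"unsupported SAN type {san_type!r}")
        wanted = profile["value"].strip().lower()
        return wanted in (v.lower() for v in cert["san"].get(san_type, []))
    if mode == "subject":
        fields = {k: v.strip() for k, v in profile["fields"].items() if v and v.strip()}
        if not fields:
            # Assumption: a subject-name profile with nothing filled in matches no one.
            return False
        unknown = set(fields) - set(SUBJECT_FIELDS)
        if unknown:
            raise ValueError(f"unknown subject fields {sorted(unknown)}")
        return all(cert["subject"].get(k, "").lower() == v.lower()
                   for k, v in fields.items())
    raise ValueError(f"unknown mode {mode!r}")
```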
3.9.7 Remote Dial-in User
You can manage remote access by maintaining a table of remote user profiles, so that users can be authenticated to dial in via ISDN or to build a VPN connection. You may set parameters including the specified connection peer ID, the connection type (ISDN Dial-In connection, or VPN connection including PPTP, IPSec Tunnel, and L2TP by itself or over IPSec), the corresponding security methods, etc.
The router provides 100 access accounts for dial-in users. Besides, you can extend the user accounts to a RADIUS server through the built-in RADIUS client function. The following figure shows the summary table.
Set to Factory Default
    Click to clear all indexes.
Index
    Click the number below Index to access the setting page of Remote Dial-in User.
User
    Displays the username for the specific dial-in user of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty.
Status
    Displays the access state of the specific dial-in user. The symbols V and X represent that the specific dial-in user is active and inactive, respectively.
Click each index to edit one remote user profile. Each Dial-In Type requires you to fill in different corresponding fields on the right. If a field is grayed out, you may leave it untouched. The following explanation will guide you through all the necessary fields.