DrayTek VigorPro 5300 Router Manual PDF (Setup & Configuration Guide)

Page 136 / 304 Scroll up to view Page 131 - 135

VigorPro5300 Series User’s Guide

128

Wake by

Two types provide for you to wake up the binded IP. If you

choose Wake by MAC Address, you have to type the correct

MAC address of the host in MAC Address boxes. If you

choose Wake by IP Address, you have to choose the correct IP

address.

IP Address

The IP addresses that have been configured in

LAN>>Bind

IP to MAC

will be shown in this drop down list. Choose the

IP address from the drop down list that you want to wake up.

MAC Address

Type any one of the MAC address of the binded PCs.

Wake Up

Click this button to wake up the selected IP. See the following

figure. The result will be shown on the box.

Page 137 / 304

VigorPro5300 Series User’s Guide

129

3.10 VPN and Remote Access

A Virtual Private Network (VPN) is the extension of a private network that encompasses

links across shared or public networks like the Internet. In short, by VPN technology, you

can send data between two computers across a shared or public network in a manner that

emulates the properties of a point-to-point private link.

Below shows the menu items for VPN and Remote Access.

3.10.1 Remote Access Control

Enable the necessary VPN service as you need. If you intend to run a VPN server inside your

LAN, you should disable the VPN service of Vigor Router to allow VPN tunnel pass through,

as well as the appropriate NAT settings, such as DMZ or open port.

The Vigor router will not accept the ISDN dial-in connection if the box of

Enable ISDN

Dial-in

is not checked.

Page 138 / 304

VigorPro5300 Series User’s Guide

130

3.10.2 PPP General Setup

This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP

over IPSec.

Dial-In PPP

Authentication PAP Only

Select this option to force the router to authenticate dial-in

users with the PAP protocol.

PAP or CHAP

Selecting this option means the router will attempt to

authenticate dial-in users with the CHAP protocol first. If the

dial-in user does not support this protocol, it will fall back to

use the PAP protocol for authentication.

Dial-In PPP Encryption

(MPPE Optional MPPE

This option represents that the MPPE encryption method will

be optionally employed in the router for the remote dial-in

user. If the remote dial-in user does not support the MPPE

encryption algorithm, the router will transmit “no MPPE

encrypted packets”. Otherwise, the MPPE encryption scheme

will be used to encrypt the data.

Require MPPE (40/128bits) -

Selecting this option will force

the router to encrypt packets by using the MPPE encryption

algorithm. In addition, the remote dial-in user will use 40-bit

to perform encryption prior to using 128-bit for encryption.

In other words, if 128-bit MPPE encryption method is not

available, then 40-bit encryption scheme will be applied to

encrypt the data.

Maximum MPPE -

This option indicates that the router will

use the MPPE encryption scheme with maximum bits

(128-bit) to encrypt the data.

Mutual Authentication

(PAP)

The Mutual Authentication function is mainly used to

communicate with other routers or clients who need

bi-directional authentication in order to provide stronger

security, for example, Cisco routers. So you should enable

this function when your peer router requires mutual

authentication. You should further specify the

User Name

and

Password

of the mutual authentication peer.

Start IP Address

Enter a start IP address for the dial-in PPP connection. You

should choose an IP address from the local private network.

Page 139 / 304

VigorPro5300 Series User’s Guide

131

For example, if the local private network is

192.168.1.0/255.255.255.0, you could choose 192.168.1.200

as the Start IP Address. But, you have to notice that the first

two IP addresses of 192.168.1.200 and 192.168.1.201 are

reserved for ISDN remote dial-in user.

3.10.3 IPSec General Setup

In

IPSec General Setup,

there are two major parts of configuration.

There are two phases of IPSec.

¾

Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman

parameter values, and lifetime to protect the following IKE exchange, authentication of

both peers using either a Pre-Shared Key or Digital Signature (x.509). The peer that

starts the negotiation proposes all its policies to the remote peer and then remote peer

tries to find a highest-priority match with its policies. Eventually to set up a secure

tunnel for IKE Phase 2.

¾

Phase 2: negotiation IPSec security methods including Authentication Header (AH) or

Encapsulating Security Payload (ESP) for the following IKE exchange and mutual

examination of the secure tunnel establishment.

There are two encapsulation methods used in IPSec,

Transport

and

Tunnel

. The

Transport

mode will add the AH/ESP payload and use original IP header to encapsulate the data

payload only. It can just apply to local packet, e.g., L2TP over IPSec. The

Tunnel

mode will

not only add the AH/ESP payload but also use a new IP header (Tunneled IP header) to

encapsulate the whole original IP packet.

Authentication Header (AH) provides data authentication and integrity for IP packets passed

between VPN peers. This is achieved by a keyed one-way hash function to the packet to

create a message digest. This digest will be put in the AH and transmitted along with packets.

On the receiving side, the peer will perform the same one-way hash on the packet and

compare the value with the one in the AH it receives.

Encapsulating Security Payload (ESP) is a security protocol that provides data

confidentiality and protection with optional authentication and replay detection service.

IKE Authentication Method

This usually applies to those are remote dial-in user or node

(LAN-to-LAN) which uses dynamic IP address and

IPSec-related VPN connections such as L2TP over IPSec

and IPSec tunnel.

Pre-Shared Key -

Currently only support Pre-Shared Key

authentication.

Page 140 / 304

VigorPro5300 Series User’s Guide

132

Pre-Shared Key-

Specify a key for IKE authentication

Confirm Pre-Shared Key-

Confirm the pre-shared key.

IPSec Security Method

Medium

-

Authentication Header (AH) means data will be

authenticated, but not be encrypted. By default, this option is

active.

High

-

Encapsulating Security Payload (ESP) means

payload (data) will be encrypted and authenticated. You may

select encryption algorithm from Data Encryption Standard

(DES), Triple DES (3DES), and AES.

3.10.4 IPSec Peer Identity

To use digital certificate for peer authentication in either LAN-to-LAN connection or

Remote User Dial-In connection, here you may edit a table of peer certificate for selection.

As shown below, the router provides

100

entries of digital certificates for peer dial-in users.

Set to Factory Default

Click it to clear all indexes.

Index

Click the number below Index to access into the setting page

of IPSec Peer Identity.

Name

Display the profile name of that index.

Click each index to edit one peer digital certificate. There are three security levels of digital

signature authentication: Fill each necessary field to authenticate the remote peer. The

following explanation will guide you to fill all the necessary fields.

Rate

Popular DrayTek Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share