IPsec Tunnel Main Mode between DrayTek Routers (Client with Dynamic IP)

This article introduces how to set up an IPsec Tunnel in Main Mode between two Vigor Routers when the VPN client uses a dynamic public IP address. When VPN client which is behind NAT, please use IPsec VPN in Aggressive mode instead.

 

 

1. Go to VPN and Remote Access >>IPsec General Setup page and configure the General IPsec Pre-Shared Key. The Pre-Shared Key configured here will be used for authenticating all IPsec Main mode VPN clients which use dynamic IP addresses.

 

 

2. Create a VPN LAN to LAN profile for the peer VPN client router via VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile.

 

 

3. Edit the profile as follows:

 

- Check Enable this profile

- Select Dial-In for Call Direction

- Select the WAN interface that the VPN client will dial In from

- Change Idle Timeout to 0 second

- Allow IPsec Tunnel in Dial-In Settings

 

 

 

- At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask

- Click OK to save the VPN profile.

 

 

1. Similarly, create a profile at VPN and Remote Access >> LAN to LAN

 

- Give a Profile Name

- Check Enable this profile

- Select Dial-Out for Call Direction

- Select the WAN interface that the VPN client will dial out from

- Check Always On

 

 

- Select IPsec Tunnel in Dial-Out Settings

- Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN

- Choose Main mode

- Input IKE Pre-Shard Key as the same as what was configured on VPN Server

- Set phase 1’s Encryption and Authentication you want to use

- Set phase 2’s Security Protocol, Encryption, and Authentication you want to use

- Set phase 1’s and phase 2’s Key Lifetime in IKE Advanced Settings(optional)

 

 

- In TCP/IP Network Settings, enter VPN Server's LAN Network in Remote Network IP and Remote Network Mask

- Click OK to save the profile

 

 

 

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We can check the VPN status via VPN and Remote Access >> Connection Management page.

 

 

 

1. Go to VPN and Remote Access >> IPsec General Setup page, enter the Preshared Key and select the WAN Profile that the VPN client will dial in from. The Preshared Key configured here will be used for authenticating all the IPsec main mode clients which use dynamic IP addresses. In other words, when there are more than one VPN clients, they need to use the same IPsec Preshared Key as what VPN server configured here.

 

 

 

2. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:

 

- In the Basic tab, enter Profile name and Enable this profile

- Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.

- Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through

- Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask

- Use IP 0.0.0.0 in Remote Host (Remote Host IP 0.0.0.0 means this VPN profile accepts any Peer IP address and is suitable when the VPN client is with a dynamic IP address)

- Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask

- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode

- Leave Pre-Shared Key as Empty.

- Click Apply to save the profile.

 

 

 

 

1. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:

 

- In the Basic tab, enter Profile name and Enable this profile

- Enable Auto Dial-Out

- Select the WAN Interface that the VPN Client will dial out the tunnel from Dial-Out Through

- Enter the local network IP and subnet of the VPN client itself in Local IP /Subnet Mask

- Enter the VPN Server's WAN IP or Domain name in Remote Host

- Enter the LAN network of the peer VPN server in Remote IP/ Subnet Mask

- Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode

- Enter the Pre-Shared Key

- Click Apply to save the profile.

 

 

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We may check the VPN status via VPN and Remote Access >> Connection Management page.