When connecting to a VPN server that has multiple LAN networks, Vigor Router offers the IPsec "More" Remote Subnet feature, which adds routes over the same IPsec tunnel without creating another IPsec SA (Security Association) for the additional remote networks. However, this mechanism works only between DrayTek Vigor Routers. A non-DrayTek VPN server requires a separate IPsec SA for each LAN network. For that case, Vigor3900 has had the Multiple SA feature since firmware version 1.3.0: it negotiates multiple IPsec SAs in IKE phase 2 to establish an IPsec tunnel to each subnet from just one VPN profile. This document introduces how to use the IPsec Multiple SA feature.
(This article applies to Vigor3900 and Vigor2960; for other models, please refer to the article here.)
For example, Vigor3900's LAN network is 192.168.1.0/24.
VPN Peer's LAN1 network is 192.168.100.0/24 and LAN2 is 192.168.200.0/24.
1. In the Basic tab, configure Vigor3900's LAN network (192.168.1.0/24) as Local IP/Subnet Mask and VPN Peer's LAN1 network (192.168.100.0/24) as Remote IP/Subnet Mask.
2. In the Multiple SA tab, enter Vigor3900's LAN network as Local IP/Subnet Mask again and VPN Peer's LAN2 network as Remote IP/Subnet Mask.
3. On the remote site's Vigor3900, configure a similar Multiple SA setting, or create two IPsec VPN dial-in profiles.
4. During IPsec connection establishment, Vigor3900 will create two IPsec SAs. One encrypts the data between networks 192.168.1.0/24 and 192.168.100.0/24; the other encrypts the data between networks 192.168.1.0/24 and 192.168.200.0/24.
For example, Vigor3900's LAN1 network is 192.168.1.1/24 and LAN2 is 192.168.2.1/24.
VPN Peer's LAN network is 192.168.100.1/24.
1. In the Basic tab, configure Vigor3900's LAN1 network as Local IP/Subnet Mask and VPN Peer's LAN network (192.168.100.0/24) as Remote IP/Subnet Mask.
2. Then, in the Multiple SA tab, enter Vigor3900's LAN2 network and VPN Peer's LAN network.
4. During IPsec connection establishment, Vigor3900 will create two IPsec SAs. One encrypts the data between networks 192.168.1.0/24 and 192.168.100.0/24; the other encrypts the data between networks 192.168.2.0/24 and 192.168.100.0/24.
For example, Vigor3900's LAN1 network is 192.168.1.0/24 and LAN2 is 192.168.2.0/24. VPN Peer's LAN1 network is 192.168.100.0/24 and LAN2 network is 192.168.200.0/24.
1. In Basic tab, we may configure Vigor3900's LAN1 network as Local IP/ Subnet Mask, and VPN Peer's LAN1 network (192.168.100.0/24) as Remote IP/ Subnet Mask.
2. In Multiple SA tab, input the following three settings:
- Vigor3900's LAN2 network to VPN Peer's LAN1 network
- Vigor3900's LAN2 network to VPN Peer's LAN2 network
- Vigor3900's LAN1 network to VPN Peer's LAN2 network
3. During IPsec connection establishment, Vigor3900 will create 4 IPsec SAs. One encrypts data between networks 192.168.1.0/24 and 192.168.100.0/24; the other three encrypt data between networks 192.168.1.0/24 and 192.168.200.0/24, between 192.168.2.0/24 and 192.168.100.0/24, and between 192.168.2.0/24 and 192.168.200.0/24.
4. Of course, the VPN Peer should have a corresponding configuration. Taking another Vigor3900 acting as the VPN Peer as an example: in the Basic tab, configure its LAN network (192.168.100.0/24) as Local IP/Subnet Mask and the other Vigor3900's LAN network (192.168.1.0/24) as Remote IP/Subnet Mask.
5. Then in the Multiple SA tab, input the following three settings:
6. After the above configuration, we should see 4 IPsec connections between the two routers. The data transferred between the different networks is encrypted with 4 different IPsec SAs.
7. And what could we do if we don't want local network 192.168.2.0/24 to access remote network 192.168.200.0/24? Just remove msa2 in Multiple SAs tab!
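The three scenarios above follow one rule: every allowed local/remote subnet pair needs its own entry, one in the Basic tab and the rest in the Multiple SA tab, and the peer needs the mirrored set. The sketch below is an added example, not DrayTek code; `plan_selectors` and `mismatches` are hypothetical helper names, and it plans the entries for both routers and reports pairs that only one side has configured.

```python
from ipaddress import ip_network
from itertools import product

def _net(text):
    # strict=False accepts interface-style input such as 192.168.1.1/24
    # (as written in the second scenario) and normalises it to 192.168.1.0/24.
    return ip_network(text, strict=False)

def plan_selectors(local_nets, remote_nets, denied=()):
    """Return (basic, multiple_sa): the pair for the Basic tab and the pairs
    for the Multiple SA tab. Hypothetical helper, not a DrayTek tool."""
    deny = {(_net(l), _net(r)) for l, r in denied}
    pairs = [(_net(l), _net(r)) for l, r in product(local_nets, remote_nets)]
    pairs = [p for p in pairs if p not in deny]
    if not pairs:
        raise ValueError("every subnet pair is denied; nothing to negotiate")
    return pairs[0], pairs[1:]

def mismatches(side_a, side_b):
    """Subnet pairs, in side A's local/remote order, for which the other
    router has no mirrored entry."""
    a = {side_a[0], *side_a[1]}
    b_mirrored = {(r, l) for l, r in (side_b[0], *side_b[1])}
    return sorted(a ^ b_mirrored)

# Subnets from the third scenario on this page.
LOCAL = ["192.168.1.0/24", "192.168.2.0/24"]
PEER = ["192.168.100.0/24", "192.168.200.0/24"]
BLOCK = [("192.168.2.0/24", "192.168.200.0/24")]  # pair removed in step 7

if __name__ == "__main__":
    ours = plan_selectors(LOCAL, PEER, denied=BLOCK)
    theirs = plan_selectors(PEER, LOCAL)  # peer still lists all four pairs
    print("Basic tab:      ", *ours[0])
    for l, r in ours[1]:
        print("Multiple SA tab:", l, r)
    for l, r in mismatches(ours, theirs):
        print("Only one side has:", l, "<->", r)
```

Running it with the step 7 restriction applied on one router only reports the 192.168.2.0/24 to 192.168.200.0/24 pair as unmatched, which is the entry to remove on the peer as well.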