IPsec Tunnel in Main Mode between DrayTek Routers

Published On: May 18, 2016 

This article explains how to set up an IPsec tunnel in Main Mode between two Vigor Routers. Main Mode requires both VPN peers to have a static IP address because it also uses the IP address for authentication. Before setting up the VPN, make sure both routers are connected to the Internet and note their WAN IP addresses. The following instructions show the configuration necessary for the VPN Server (the router that awaits connection requests) and the VPN Client (the router that initiates the connection) to build an IPsec VPN.

VPN Server Setup

1. Create a Dial-In profile for the VPN user: go to VPN and Remote Access >> LAN to LAN, and click on an available index to add a new profile.

a screenshot of DrayOS

2. Edit the profile as follows:

  • Check Enable this profile
  • Select "Dial-In" for Call Direction
  • Allow "IPsec Tunnel" in Dial-In Settings
  • Check Specify Remote VPN Gateway and enter the IP address of VPN Client.
  • Click on IKE Pre-Shared Key and enter the Pre-shared Key
  • At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
  • Click OK to save.

VPN Client Setup

3. Similarly, create a profile at VPN and Remote Access >> LAN to LAN

  • Give a Profile Name
  • Check Enable this profile
  • Select "Dial-Out" for Call Direction
  • Select "IPsec Tunnel" in Dial-Out Settings
  • Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN
  • Input the same IKE Pre-Shared Key that was configured on the VPN Server
  • Click on Advanced in IPsec Security Method.

4. In IKE Advanced Settings,

  • Select "Main Mode" for IKE phase 1 mode
  • Make sure the phase 1 and phase 2 proposals are using the security methods
  • Click OK to save

a screenshot of IKE setup

5. In TCP/IP Network Settings, enter the VPN Server's LAN network in Remote Network IP and Remote Network Mask. Click OK to save the profile.

a screenshot of VPN profile

6. To initiate the VPN, go to VPN and Remote Access >> Connection Management, select the VPN profile, and click Dial.

a screenshot of VPN

7. When the VPN is established successfully, the connection status will be shown.

a screenshot of VPN status

VPN Server Setup

1. Go to VPN and Remote Access >> VPN Profiles and click Add to create a profile as follows:

  • Give a Profile Name
  • Check Enable
  • Leave Auto Dial-Out and For Remote Dial-In User as "Disable"
  • Enter the LAN IP subnet used by the VPN server in Local IP/Subnet Mask
  • Enter the WAN IP address of VPN Client for Remote Host
  • Enter the LAN IP subnet used by the VPN Client in Remote IP/Subnet Mask
  • Select "Main Mode" for IKE Phase 1
  • Select "PSK" for Auth Type and enter a Preshared Key
  • Click Apply

a screenshot of Vigor3900

VPN Client Settings

2. Similarly, create a profile at VPN and Remote Access >> LAN to LAN as follows:

  • Give a Profile Name
  • Check Enable
  • Enable Auto Dial-Out and select "Always Dial-Out" (so that the router will keep trying to initiate the VPN until it is online.)
  • Select Dial-Out Through as the WAN where VPN Server is on
  • Enter the Local IP subnet used by the VPN Client in Local IP/Subnet Mask
  • Enter the WAN IP address of VPN Server for Remote Host
  • Enter the Local IP subnet used by the VPN Server in Remote IP/Subnet Mask
  • Select "Main Mode" for IKE phase 1
  • Select "PSK" for Auth Type and enter the same Preshared Key as on the VPN Server.
  • Click Apply to save the profile.

a screenshot of Vigor3900

3. As long as the profiles are both enabled, the router will establish the VPN automatically. You may go to VPN and Remote Access >> Connection Management to check its status.

a screenshot of Vigor3900
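
The two procedures above only work if each router's profile mirrors the other's. As an added example (not DrayTek code and not part of the original article), this Python check compares the two sides before dialing; the field names, sample addresses and sample key are constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class Peer:  # hypothetical field names, not DrayTek identifiers
    wan_ip: str          # this router's static WAN address
    lan: str             # this router's LAN subnet (CIDR or IP/mask)
    remote_gateway: str  # peer address entered in the profile
    remote_network: str  # peer LAN subnet entered in the profile
    psk: str             # IKE pre-shared key
    ike_mode: str        # "main" or "aggressive"

def _net(value):
    # strict=False accepts a host address with a mask, e.g. 192.168.1.1/24
    return ipaddress.ip_network(value, strict=False)

def check_pair(server, client):
    """Return a list of mismatches; an empty list means the profiles agree."""
    problems = []
    for name, me, other in (("server", server, client), ("client", client, server)):
        if me.ike_mode != "main":
            problems.append(f"{name}: IKE phase 1 mode is not Main Mode")
        try:
            gw = ipaddress.ip_address(me.remote_gateway)
        except ValueError:
            gw = None  # a host name (allowed on the dial-out side); not resolved here
        if gw is None and name == "server":
            problems.append("server: remote VPN gateway must be an IP address")
        if gw is not None and gw != ipaddress.ip_address(other.wan_ip):
            problems.append(f"{name}: remote gateway does not match peer WAN IP")
        if _net(me.remote_network) != _net(other.lan):
            problems.append(f"{name}: remote network does not match peer LAN")
    if _net(server.lan).overlaps(_net(client.lan)):
        problems.append("LAN subnets overlap, so the routers cannot route between them")
    # compare_digest avoids leaking how many leading characters match
    if not hmac.compare_digest(server.psk.encode(), client.psk.encode()):
        problems.append("pre-shared keys differ")
    return problems

# Constructed sample values (documentation address ranges), not from the article.
SERVER = Peer("203.0.113.10", "192.168.1.0/24", "198.51.100.20",
              "192.168.2.0/24", "constructed-sample-key", "main")
CLIENT = Peer("198.51.100.20", "192.168.2.0/24", "203.0.113.10",
              "192.168.1.0/24", "constructed-sample-key", "main")

if __name__ == "__main__":
    for line in check_pair(SERVER, CLIENT) or ["profiles are consistent"]:
        print(line)
```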
