IPsec Tunnel Main Mode between DrayTek Routers (Client with Static IP)

This article introduces how to set up an IPsec Tunnel in Main Mode between two Vigor Routers when the VPN client uses a static public IP address. When VPN client which is behind NAT, please use IPsec VPN in Aggressive mode instead.

VPN Server Setup

1. Create a VPN LAN to LAN profile for the peer VPN client router via VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile.

2. Edit the profile as follows:

  1. Check Enable this profile
  2. Select Dial-In for Call Direction
  3. Select the WAN interface that the VPN client will dial In from
  4. Change Idle Timeout to 0 second
  5. Allow IPsec Tunnel in Dial-In Settings
  6. Check Specify Remote VPN Gateway and enter the IP address of the peer VPN Client.
  7. Check IKE Pre-Shared Key and enter the Pre-shared Key
  8. At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
  9. Click OK to save the VPN profile.

VPN Client Setup

1. Similarly, create a profile at VPN and Remote Access >> LAN to LAN

  1. Give a Profile Name
  2. Check Enable this profile
  3. Select Dial-Out for Call Direction
  4. Select the WAN interface that the VPN client will dial out from
  5. Check Always On
  6. Select IPsec Tunnel in Dial-Out Settings
  7. Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN
  8. Choose Main mode
  9. Input IKE Pre-Shard Key as the same as what was configured on VPN Server
  10. Set phase 1’s Encryption and Authentication you want to use
  11. Set phase 2’s Security Protocol, Encryption, and Authentication you want to use
  12. Set phase 1’s and phase 2’s Key Lifetime in IKE Advanced Settings(optional)

In TCP/IP Network Settings, enter VPN Server's LAN Network in Remote Network IP and Remote Network Mask. Click OK to save the profile

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We can check the VPN status via VPN and Remote Access >> Connection Management page.

VPN Server Setup

1. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:

  1. In the Basic tab, enter Profile name and Enable this profile
  2. Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.
  3. Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through
  4. Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask
  5. Enter the VPN Peer's WAN IP in Remote Host
  6. Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask
  7. Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  8. Enter the Pre-Shared Key for the VPN Client/ this Static IP
  9. Click Apply to save the profile.
  10. a screenshot of Vigor3900 configure VPN server dial in settings with specifying remote IP

VPN Client Setup

1. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:

  1. In the Basic tab, enter Profile name and Enable this profile
  2. Enable Auto Dial-Out
  3. Select the WAN Interface that the VPN Client will dial out the tunnel fromDial-Out Through
  4. Enter the local network IP and subnet of the VPN client itself in Local IP /Subnet Mask
  5. Enter the VPN Server's WAN IP or Domain name in Remote Host
  6. Enter the LAN network of the peer VPN server in Remote IP/ Subnet Mask
  7. Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  8. Enter the Pre-Shared Key
  9. Click Apply to save the profile.
  10. configure vpn client on Vigor3900

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We may check the VPN status via VPN and Remote Access >> Connection Management page.

check vpn status on Vigor3900

Published On: 2016-05-18 

Was this helpful?