
IPsec Tunnel in Main Mode between DrayTek Routers

Published On: May 18, 2016 

This article explains how to set up an IPsec Tunnel in Main Mode between two Vigor Routers, both when the VPN client uses a dynamic public IP address and when it uses a static public IP address. When the VPN client is behind NAT, use IPsec VPN in Aggressive mode instead.

VPN Server Setup - When VPN client uses a Dynamic IP

1. Go to VPN and Remote Access >> IPsec General Setup page and configure the General IPsec Pre-Shared Key. The Pre-Shared Key configured here will be used for authenticating all IPsec Main mode VPN clients which use dynamic IP addresses.

2. Create a VPN LAN to LAN profile for the peer VPN client router via VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile.

3. Edit the profile as follows:

  • Check Enable this profile
  • Select Dial-In for Call Direction
  • Select the WAN interface that the VPN client will dial In from
  • Change Idle Timeout to 0 seconds
  • Allow IPsec Tunnel in Dial-In Settings
  • At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
  • Click OK to save the VPN profile.

VPN Server Setup - When VPN client uses a Static IP

1. Create a VPN LAN to LAN profile for the peer VPN client router via VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile.

2. Edit the profile as follows:

  • Check Enable this profile
  • Select Dial-In for Call Direction
  • Select the WAN interface that the VPN client will dial In from
  • Change Idle Timeout to 0 seconds
  • Allow IPsec Tunnel in Dial-In Settings
  • Check Specify Remote VPN Gateway and enter the IP address of the peer VPN Client.
  • Click on IKE Pre-Shared Key and enter the Pre-shared Key
  • At TCP/IP Network Settings, input the IP subnet used by the VPN Client for Remote Network IP and Mask
  • Click OK to save the VPN profile.
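
Why dynamic-IP clients all share the General Pre-Shared Key while a static-IP profile can carry its own: in IKEv1 Main Mode with pre-shared keys (RFC 2409), the responder needs the key to derive SKEYID_e before it can decrypt the peer's identity payload, so the source IP address is the only thing it can select a key by. The Python model below is an added example, not DrayTek code; the peer table, addresses, keys and function names are constructed for illustration, and HMAC-SHA1 is assumed as the negotiated PRF.

```python
import hashlib
import hmac

# Constructed sample data (documentation address ranges, not real peers).
GENERAL_PSK = b"general-psk-example"                        # IPsec General Setup key
STATIC_PROFILES = {"198.51.100.7": b"site-b-psk-example"}   # Specify Remote VPN Gateway + IKE PSK


def prf(key, data):
    """HMAC-SHA1, assumed here as the negotiated phase 1 PRF."""
    return hmac.new(key, data, hashlib.sha1).digest()


def select_psk(peer_ip):
    """Responder-side key choice; only the source IP is known at this point."""
    if peer_ip in STATIC_PROFILES:
        return STATIC_PROFILES[peer_ip], "profile"
    return GENERAL_PSK, "general"


def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5 derivation of the phase 1 encryption key material."""
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")


def responder_can_decrypt(peer_ip, initiator_psk):
    """True when both ends derive the same SKEYID_e, so the encrypted
    identity payload (Main Mode message 5) can be read by the responder."""
    # Constructed exchange values; real ones come from messages 1-4.
    ni, nr = b"N" * 16, b"R" * 16
    gxy, cky_i, cky_r = b"\x42" * 128, b"I" * 8, b"C" * 8
    responder_psk, _ = select_psk(peer_ip)
    return hmac.compare_digest(
        skeyid_e(initiator_psk, ni, nr, gxy, cky_i, cky_r),
        skeyid_e(responder_psk, ni, nr, gxy, cky_i, cky_r),
    )
```

A client that dials in from an address with no matching static profile only completes phase 1 if it holds the general key, which is why every dynamic-IP site ends up sharing it.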

VPN Client Setup

1. Similarly, create a profile at VPN and Remote Access >> LAN to LAN

  • Give a Profile Name
  • Check Enable this profile
  • Select Dial-Out for Call Direction
  • Check Always On
  • Select IPsec Tunnel in Dial-Out Settings
  • Input VPN server's WAN IP or domain name at Server IP/Host Name for VPN
  • Input the IKE Pre-Shared Key, the same as the one configured on the VPN Server
  • Click on Advanced in IPsec Security Method.

In IKE Advanced Settings,

  • Select Main Mode for IKE phase 1 mode
  • Make sure phase 1 and phase 2 proposal are using the security methods
  • Click OK to save

In TCP/IP Network Settings, enter the VPN Server's LAN Network in Remote Network IP and Remote Network Mask. Click OK to save the profile.

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We can check the VPN status via VPN and Remote Access >> Connection Management page.


VPN Server Setup - When VPN client uses a Dynamic IP

1. Go to VPN and Remote Access >> IPsec General Setup page, enter the Preshared Key and select the WAN Profile that the VPN client will dial in from. The Preshared Key configured here will be used for authenticating all the IPsec main mode clients which use dynamic IP addresses. In other words, when there is more than one VPN client, they all need to use the same IPsec Preshared Key as the one configured on the VPN server here.

2. Go to VPN and Remote Access >> VPN Profile >> IPsec and click Add to add a new profile:

  • In the Basic tab, enter Profile name and Enable this profile
  • Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.
  • Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through
  • Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask
  • Use IP 0.0.0.0 in Remote Host (Remote Host IP 0.0.0.0 means this VPN profile accepts any Peer IP address, which is suitable when the VPN client has a dynamic IP address)
  • Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask
  • Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  • Leave Pre-Shared Key as Empty.
  • Click Apply to save the profile.

VPN Server Setup - When VPN client uses a Static IP

1. Go to VPN and Remote Access >> VPN Profile >> IPsec and click Add to add a new profile:

  • In the Basic tab, enter Profile name and Enable this profile
  • Leave Auto Dial-Out and For Remote Dial-In User options as Disabled.
  • Select the WAN Interface that the VPN Client will dial in from for Dial-Out Through
  • Enter the local network IP and subnet of VPN server in Local IP /Subnet Mask
  • Enter the VPN Peer's WAN IP in Remote Host
  • Enter the LAN network of the peer VPN router in Remote IP/ Subnet Mask
  • Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  • Enter the Pre-Shared Key for the VPN Client/ this Static IP
  • Click Apply to save the profile.

VPN Client Setup

1. Go to VPN and Remote Access >> VPN Profile >> IPsec and click Add to add a new profile:

  • In the Basic tab, enter Profile name and Enable this profile
  • Enable Auto Dial-Out
  • Select the WAN Interface that the VPN Client will dial out the tunnel from for Dial-Out Through
  • Enter the local network IP and subnet of the VPN client itself in Local IP /Subnet Mask
  • Enter the VPN Server's WAN IP or Domain name in Remote Host
  • Enter the LAN network of the peer VPN server in Remote IP/ Subnet Mask
  • Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  • Enter the Pre-Shared Key
  • Click Apply to save the profile.

After finishing the above configurations, VPN Client shall dial up the IPsec tunnel automatically. We may check the VPN status via VPN and Remote Access >> Connection Management page.
