IPsec Tunnel Aggresive Mode between DrayTek Routers
IPsec VPN in Main mode use the IP address as peer identity (ID) for Peer authentication; therefore, it's not a solution if both the VPN peers don't have static IP addresses. In such cases, can establish the IPsec VPN in Aggressive mode instead. This document introduces how to set up IPsec Tunnel in Aggressive mode between two Vigor Routers.
VPN Server (Dial-in Site) Setup
1. On the VPN server, create a Dial-in profile for VPN client: Go to VPN and Remote Access >> LAN to LAN, click on an available profile index to edit it. In Common Settings,
- enter a Profile Name
- check Enable this profile
- set Call Direction to “Dial-in.”
2. In Dial-In Settings,
- make sure Allowed Dial-in Type has IPsec enabled,
- enable Specify Remote VPN Gateway and enter Peer ID,
- click on IKE Pre-Shared Key and enter the Pre-shared Key,
- select the IPsec Security Methods that are allowed to use.
3. In TCP/IP Network Settings, specify VPN Client's LAN network for Remote Network IP and Remote Network Mask. Click OK to save the profile.
VPN Client (Dial-out Site) Setup
4. On VPN client, create a Dial-out profile to VPN server: Go to VPN and Remote Access >> LAN to LAN, click on an available index to add a new profile. In Common Settings:
- enter a Profile Name,
- check Enable this profile,
- set Call Direction to Dial-Out.
5. In Dial-out Setting,
- select IPsec Tunnel for Type of Sever I am Calling,
- enter VPN Server's WAN IP or domain name in Server IP/Host Name for VPN,
- click IKE Pre-Shared Key and enter the same pre-shared key as VPN Server,
- click on Advanced in IPsec Security Method.
6. In IKE advanced settings, select "Aggressive Mode" for IKE phase 1 mode, enter Local ID as the same as Peer ID on VPN Server.
7. In TCP/IP Network Settings, specify VPN Server's LAN Network for Remote Network IP and Remote Network Mask. Click OK to save the profile.
VPN Tunnel Establishment
To initiate the VPN connection, go to VPN and Remote Access >> Connection Management page on VPN Client, select the profile to VPN Server and click Dial.
If all the settings match, the VPN should establish, and the statistics will appear at VPN and Remote Access >> Connection Management.
VPN Client (Dial-Out) Setup
1. Go to VPN and Remote Access >> VPN Profile >> IPsec click Add to add a new profile:
- In the Basic tab, enter the Profile name
- Check Enable
- Select "Enable" for Auto Dial-Out and select "Always Dial-Out"
- Enter Local IP / Subnet Mask as the LAN network on this router which you want to link to the remote network
- Enter VPN Peer's WAN IP in Remote Host
- Enter Remote IP/ Subnet Mask as the LAN IP of VPN peer
- Select Aggressive Mode
- Enter Local ID
- Enter Remote ID
- Enter Pre-Shared Key (It must match the Pre-Shared Key on the VPN Peer)
- Click Apply to save the profile
VPN Server (Dial-In) Setup
2. Similarly, on the VPN Peer, go to VPN and Remote Access >> VPN Profile >> IPsec to add a new profile:
- In the Basic tab, enter the Profile name
- Check Enable
- Leave Auto Dial-Out and For Remote Dial-In User as "Disable"
- Enter Local IP /Subnet Mask as the LAN network on this router
- Enter VPN Peer's WAN IP in Remote Host
- Enter Remote IP/ Subnet Mask as the LAN IP of VPN Peer
- Select Aggressive Mode
- Enter Local ID (It should be the Remote ID on the VPN Peer)
- Enter Remote ID (It should be the Local ID on the VPN Peer)
- Enter Pre-Shared Key as the same as the one in VPN Peer
- Click Apply to save the profile
Establishing the VPN
If all the settings match, the VPN connection will create automatically. In connection status, we will see the IPsec tunnel is up.
Published On: May 18, 2016
Was this helpful?