IPsec VPN between Amazon VPC and DrayTek Router | DrayTek

IPsec VPN between Amazon VPC and DrayTek Router

This article demonstrates how to establish an IPsec VPN tunnel between a Vigor Router and an Amazon VPC, using the Site-to-Site VPN connection that AWS provisions on its Virtual Private Gateway.

Settings of Amazon VPC

1. Login to AWS >> VPC Dashboard >> Virtual Private Network (VPN) >> Site-to-Site VPN Connections

2. Select the VPN connection > Download Configuration > Generic. It will download a .txt file containing the details required for the next steps. The file describes two tunnels, each with its own Pre-Shared Key and gateway IP; the steps below build a single Vigor profile, so take both values from the same tunnel section (Tunnel #1).

a screenshot of downloading the generic ipsec vpn profile from AWS

3. Open the text file (for example with WordPad) and note down the Pre-Shared Key of the tunnel you are using.

a screenshot of a text file showing AWS Pre-shared keys

4. Note down the Virtual Private Gateway IP, the outside IP address of the AWS tunnel endpoint. This is the address the Vigor Router dials to.

a screenshot of a text file showing AWS' Virtual Private Gateway IP
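The two values the steps above have you copy by hand can also be pulled out of the downloaded file programmatically, which avoids the classic mistake of pairing Tunnel #1's Pre-Shared Key with Tunnel #2's gateway IP. The following Python script is an added example, not DrayTek's or AWS's code. SAMPLE_CONFIG is a constructed stand-in for the Generic .txt: it mimics the comment layout of the real file, but the IDs, keys and addresses are made up and the real file carries more sections, so the patterns are kept lenient and keyed only on the labels the article tells you to look for.

```python
import re
from dataclasses import dataclass

# Constructed sample; it imitates the layout of the AWS "Generic" file
# but every ID, key and address below is made up.
SAMPLE_CONFIG = """\
! Amazon Web Services
! Virtual Private Cloud
!
! Your VPN Connection ID         : vpn-0123456789abcdef0
! Your Virtual Private Gateway ID: vgw-0123456789abcdef0
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------
! #1: Internet Key Exchange Configuration
!
!  - Authentication Method    : Pre-Shared Key
!  - Pre-Shared Key           : ExamplePskForTunnelOne_NotReal1
!  - Authentication Algorithm : sha1
!  - Encryption Algorithm     : aes-128-cbc
!  - Phase 1 Negotiation Mode : main
!  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
!
! #3: Tunnel Interface Configuration
!
! Outside IP Addresses:
!   - Customer Gateway                : 203.0.113.10
!   - Virtual Private Gateway         : 198.51.100.21
!
! --------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------
!  - Pre-Shared Key           : ExamplePskForTunnelTwo_NotReal2
!
! Outside IP Addresses:
!   - Customer Gateway                : 203.0.113.10
!   - Virtual Private Gateway         : 198.51.100.86
"""


@dataclass
class TunnelParams:
    number: int
    psk: str
    vgw_ip: str


TUNNEL_HEADER = re.compile(r"IPSec Tunnel #(\d+)", re.IGNORECASE)
# "Authentication Method : Pre-Shared Key" has no colon after the label,
# so it does not match; only the key line does.
PSK_LINE = re.compile(r"Pre-Shared Key\s*:\s*(\S+)")
# Requires an IPv4 address, so "Virtual Private Gateway ID: vgw-..." is ignored.
VGW_LINE = re.compile(r"Virtual Private Gateway\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_generic_config(text):
    """Return one TunnelParams per 'IPSec Tunnel #N' section.

    Values are taken only from inside their own tunnel section, so the
    PSK of tunnel 1 cannot be paired with the gateway IP of tunnel 2 by
    accident; such a mix-up fails IKE phase 1 authentication."""
    sections = []
    current = None
    for line in text.splitlines():
        m = TUNNEL_HEADER.search(line)
        if m:
            current = {"number": int(m.group(1)), "psk": None, "vgw_ip": None}
            sections.append(current)
            continue
        if current is None:
            continue  # preamble before the first tunnel section
        m = PSK_LINE.search(line)
        if m and current["psk"] is None:
            current["psk"] = m.group(1)
            continue
        m = VGW_LINE.search(line)
        if m and current["vgw_ip"] is None:
            current["vgw_ip"] = m.group(1)

    tunnels = []
    for s in sections:
        if s["psk"] is None or s["vgw_ip"] is None:
            raise ValueError(f"tunnel #{s['number']}: missing PSK or gateway IP")
        tunnels.append(TunnelParams(s["number"], s["psk"], s["vgw_ip"]))
    return tunnels


def vigor_profile_inputs(tunnels, number=1):
    """The two fields the Vigor profile needs (Server IP / Remote Host and
    the IKE Pre-Shared Key), taken from one tunnel so they belong together."""
    for t in tunnels:
        if t.number == number:
            return {"Server IP": t.vgw_ip, "IKE Pre-Shared Key": t.psk}
    raise KeyError(f"no tunnel #{number} in configuration")


if __name__ == "__main__":
    for t in parse_generic_config(SAMPLE_CONFIG):
        print(f"Tunnel #{t.number}: gateway {t.vgw_ip}, PSK {t.psk}")
    print(vigor_profile_inputs(parse_generic_config(SAMPLE_CONFIG), 1))
```

Run it against the real download by reading the .txt into parse_generic_config instead of SAMPLE_CONFIG; treat the output as a secret, since the Pre-Shared Key is the only thing authenticating your router to AWS.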

Settings of Vigor2926

1. Go to VPN and Remote Access >> LAN to LAN, click Profile index to edit a new profile:

  1. Input Profile Name and Enable this profile
  2. Select Dial-Out for Call Direction
  3. Select IPsec Tunnel for Type of Server
  4. Input the Virtual Private Gateway IP noted above as Server IP
  5. Click the IKE Pre-Shared Key button to input the Pre-Shared Key
a screenshot of DrayOS vpn dial out settings

2. Select AES with Authentication for IPsec Security Method and click the Advanced button to open the IKE Advanced Settings. These proposals match the ones listed in the AWS Generic configuration (aes-128-cbc, sha1, Diffie-Hellman group 2, main mode); SHA1 and DH group 2 are legacy choices, so if your router firmware offers SHA2 and a larger DH group, set matching values in the VPN connection's tunnel options on the AWS side as well.

  1. Select AES128_SHA1_G2 for IKE phase1 proposal
  2. Select AES128_SHA1 for IKE phase2 proposal
  3. Enable Perfect Forward Secrecy
a screenshot of DrayOS IKE advanced settings

3. In TCP/IP Network Settings, enter the VPC CIDR (the network behind the Virtual Private Gateway) in Remote Network IP and Remote Network Mask, then Apply the settings.

a screenshot of DrayOS VPN TCPIP settings

4. Wait about 30 seconds; the tunnel should then show as up on the VPN and Remote Access >> Connection Management page. Once the VPN is up, the Vigor Router routes packets for the VPC into the tunnel, but it may not receive replies, because a VPC does not return traffic to the tunnel by default: the route table of the target subnet needs a route for the Vigor Router's LAN prefix pointing to the Virtual Private Gateway (or route propagation from that gateway enabled), and the security groups of the instances must allow traffic from that prefix. If the VPN connection uses static routing, the LAN prefix must also be listed in the connection's Static Routes. AWS support can assist with this step. Note also that only one of the two tunnels AWS provisions is configured here, so AWS will show the second tunnel as DOWN and the connection has no failover.

Settings of Vigor3900

1. Go to VPN and Remote Access >> VPN Profile >> IPsec , click Add to add a new profile. In the Basic tab:

  1. Enter Profile name and Enable this profile
  2. Enable Auto Dial-Out
  3. Select the WAN Interface to create the VPN to Amazon VPC for Dial-Out Through
  4. Enter the local network IP and subnet of Vigor Router in Local IP /Subnet Mask
  5. Enter the Virtual Private Gateway IP noted above in Remote Host
  6. Enter the VPC CIDR in Remote IP / Subnet Mask
  7. Select IKEv1 for the IKE Protocol and select IKE phase1 as Main Mode
  8. Input the Pre-Shared Key
  9. Click Apply to save the profile.
a screenshot of Vigor3900 VPN basic settings

2. In the Advanced tab, enable Perfect Forward Secrecy Status.

a screenshot of Vigor3900 VPN advanced settings

3. In the Proposal tab,

  1. Select AES128_G2 for IKE Phase1 Proposal [Dial-Out]
  2. Select SHA1 for IKE Phase1 Authentication
  3. Select AES128 with auth for IKE Phase2 Proposal [Dial-Out]
  4. Select SHA1 for IKE Phase2 Authentication
  5. Apply the settings

As with the Vigor2926, these proposals mirror the AWS Generic configuration (aes-128-cbc, sha1, Diffie-Hellman group 2); prefer SHA2 and a larger DH group on both sides if the firmware offers them.
a screenshot of Vigor3900 IPsec VPN Proposal settings

4. Wait about 30 seconds; the tunnel should then show as up on the VPN and Remote Access >> Connection Management page. Once the VPN is up, the Vigor Router routes packets for the VPC into the tunnel; however, it may not receive replies, because a VPC does not return traffic to the tunnel by default: the route table of the target subnet needs a route for the Vigor Router's LAN prefix pointing to the Virtual Private Gateway (or route propagation from that gateway enabled), and the security groups of the instances must allow traffic from that prefix. If the VPN connection uses static routing, the LAN prefix must also be listed in the connection's Static Routes. AWS support can assist with this step. As with the Vigor2926, only one of the two AWS tunnels is configured, so there is no failover.
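Step 4 of both the Vigor2926 and Vigor3900 procedures ends with the same symptom: the tunnel is up, the router sends, nothing comes back. The following Python script is an added example, not DrayTek's or AWS's code, that checks the two VPC-side conditions before you open a support case. The route table and security group dictionaries are constructed inline in the shape that boto3's ec2.describe_route_tables()['RouteTables'][i] and ec2.describe_security_groups()['SecurityGroups'][i] return, so the same functions can be pointed at live output; the gateway ID, route table and group IDs, and prefixes are made up.

```python
import ipaddress

VGW_ID = "vgw-0123456789abcdef0"   # hypothetical Virtual Private Gateway ID
ROUTER_LAN = "192.168.1.0/24"       # hypothetical Vigor Router LAN prefix

# Constructed: the default state, only the VPC-local route.
ROUTE_TABLE_BEFORE = {
    "RouteTableId": "rtb-0aaaaaaaaaaaaaaaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    ],
    "PropagatingVgws": [],
}
# Constructed: the same table after adding a static route to the VGW.
# A /16 covering the router's /24 is enough; exact match is not required.
ROUTE_TABLE_AFTER = {
    "RouteTableId": "rtb-0aaaaaaaaaaaaaaaa",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW_ID, "State": "active"},
    ],
    "PropagatingVgws": [],
}
# Constructed: a security group that only admits the VPC itself.
SG_BEFORE = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
# Constructed: the same group with SSH from the router LAN added.
SG_AFTER = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ROUTER_LAN}]},
    ],
}


def route_to_vgw(route_table, remote_cidr, vgw_id):
    """Return the route entry that sends remote_cidr to vgw_id, or None.

    A route covers the remote LAN if its prefix contains it.  Propagated
    routes only appear in Routes once the VGW has learned them, so
    propagation being enabled for the VGW is accepted as well."""
    remote = ipaddress.ip_network(remote_cidr)
    for r in route_table.get("Routes", []):
        dst = r.get("DestinationCidrBlock")       # IPv6 routes have no IPv4 dst
        if not dst or r.get("State") != "active":
            continue
        if r.get("GatewayId") == vgw_id and remote.subnet_of(ipaddress.ip_network(dst)):
            return r
    for p in route_table.get("PropagatingVgws", []):
        if p.get("GatewayId") == vgw_id:
            return {"Propagated": True, "GatewayId": vgw_id}
    return None


def sg_admits(security_group, remote_cidr, protocol, port):
    """True if an inbound rule admits protocol/port from remote_cidr.

    IpProtocol '-1' (all traffic) matches any port, and a rule whose
    CidrIp is wider than the remote LAN still applies."""
    remote = ipaddress.ip_network(remote_cidr)
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto != "-1":
            if proto != protocol:
                continue
            if not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
                continue
        for rng in perm.get("IpRanges", []):
            if remote.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def vpn_return_path_ok(route_table, security_group, remote_cidr, vgw_id, protocol, port):
    """Both conditions that step 4 asks you to fix on the AWS side."""
    return (route_to_vgw(route_table, remote_cidr, vgw_id) is not None
            and sg_admits(security_group, remote_cidr, protocol, port))


if __name__ == "__main__":
    for label, rt, sg in (("before", ROUTE_TABLE_BEFORE, SG_BEFORE),
                          ("after", ROUTE_TABLE_AFTER, SG_AFTER)):
        ok = vpn_return_path_ok(rt, sg, ROUTER_LAN, VGW_ID, "tcp", 22)
        print(f"{label}: return path for SSH from {ROUTER_LAN} ok = {ok}")
```

The check is deliberately per protocol and port: a security group that admits the router LAN on TCP 22 still drops ICMP, so a failed ping from behind the Vigor does not by itself mean the tunnel or the route is wrong. Network ACLs on the subnet are a third, stateless filter this script does not model.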

Published On: Apr 17, 2019 
