V. VPN (Virtual Private Networking)
[Expired] Teleworker VPN - IPsec - DrayTek Smart VPN Client
DrayTek routers that support Dial-In VPN connections accept connections from any compatible VPN client, giving a remote dial-in user secured access to the network connected to the router and to its internet connection.
The DrayTek Smart VPN Client software is free for use and can use all protocols that the DrayTek routers currently support such as PPTP, IPsec, L2TP over IPsec and SSL VPN protocols (depending on router model).
In this example, the Smart VPN Client will be used to make an IPsec Tunnel VPN connection to a DrayTek router. When a user dials in to the router, this is authenticated with a global Pre-Shared-Key, which is used by all users connecting from a dynamic or unknown IP address. The use of a global Pre-Shared-Key means that all connections from IP Addresses which do not match specified IP Addresses in existing VPN profiles will be authenticated against the global Pre-Shared-Key instead. It is very important to use a very long random global Pre-Shared-Key.
This connection method provides a secure link to the router and its connected network, without Username and Password authentication. The IPsec Tunnel VPN accesses only the DrayTek Vigor router's network, without passing Internet traffic through the tunnel. If a Username and Password configuration is required to identify user connections, consider L2TP over IPsec instead.
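Because the global Pre-Shared Key is the only credential for every dial-in user in this setup, the following added example (not DrayTek code) generates a key with a stated entropy and flags an existing key that cannot reach a target even in the best case. The letters-and-digits alphabet and the 192-bit and 128-bit thresholds are assumptions chosen for illustration; check the key length the router's Pre-Shared Key field accepts.

```python
import math
import secrets
import string

# Assumption: letters and digits only, so the key can be typed identically into
# the router's [IPsec General Setup] page and the Smart VPN Client.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a key whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_psk(min_bits: int = 192) -> str:
    """Return a random key with at least min_bits of entropy (CSPRNG-backed)."""
    length = math.ceil(min_bits / math.log2(len(ALPHABET)))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def review_psk(psk: str, min_bits: int = 128) -> list[str]:
    """List reasons an existing key is too weak to be shared by every dial-in user."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in psk))
    problems = []
    # Best case: every character random over the classes present. A key that
    # misses the target even under this generous bound cannot be strong enough;
    # a human-chosen key is far weaker than this bound suggests.
    best_case = entropy_bits(len(psk), pool) if pool else 0.0
    if best_case < min_bits:
        problems.append(f"at most {best_case:.0f} bits, target is {min_bits}")
    if psk and len(set(psk)) < len(psk) / 2:
        problems.append("fewer than half the characters are distinct")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"({entropy_bits(len(key), len(ALPHABET)):.0f} bits)")
    # Constructed sample of a short, human-chosen key
    print(review_psk("Office-VPN-2021"))
```
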
Router Configuration
To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:
Enable the profile and tick IPsec Tunnel as an Allowed Dial-In Type. With only this mode selected, an individual username and password cannot be configured; only the IPsec Pre-Shared Key is used for authentication, which is configured in the next step:
Click OK on that page to save the settings for that profile, then go to [VPN and Remote Access] > [IPsec General Setup] to set the Pre-Shared Key for the VPN connection - this is entered twice to verify that the Pre-Shared key is correctly entered.
On this page, it's also possible to select which security method is used for teleworker VPN connections. In this example, AES is selected:
Click OK on that page to save and apply the settings.
PC Configuration
Creating an IPsec Tunnel VPN in Windows requires the Windows Firewall to function. The DrayTek Smart VPN Client automatically configures and secures the necessary Windows Firewall policy settings when establishing the tunnel. If the Windows Firewall is disabled, the Smart VPN Client will activate the tunnel but it will not be possible to use the IPsec VPN Tunnel.
Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:
This will open a new window to configure the VPN settings:
In the new profile, set the Profile Name to identify the VPN connection. In this example, the type of VPN is IPsec Tunnel.
The address or host name of the VPN server needs to be specified in the VPN Server IP/Host Name field.
IPSec requires the following settings:
| Setting | Value |
| --- | --- |
| My IP | Select the network interface on the PC that will be used to establish the VPN tunnel |
| Type of IPSec | Standard IPSec Tunnel |
| Remote Subnet | The Network Address of the network that the VPN tunnel will be established with. |
| Remote Subnet Mask | The Subnet Mask in use on the network that the VPN tunnel will be established with |
| Mainmode Keyexchange Method | Select DH Group 14. The DH (Diffie Hellman) Group setting controls the complexity of the key used for the IPSec key exchange process |
| Security Method | Select High (ESP) |
| Authentication Method | Set the Pre-shared Key that is configured on the router under [VPN and Remote Access] > [IPsec General Setup] |
| Enable PING to keep alive | This sends pings across the VPN link to keep the tunnel established. Enabling this will keep the tunnel active while the VPN tunnel is established. If this is disabled, there may be a delay when initially using the VPN while the PC establishes the VPN tunnel. |
| Ping to the IP | An IP address on the router's network that will always be accessible and responds to pings. This can use the router's LAN IP address |
Click OK to save the settings for the VPN profile.
Establishing the IPsec Tunnel VPN Connection
To use the VPN and establish the IPsec Tunnel link, disconnect from the DrayTek Vigor router's network and establish the VPN at the intended location or using an alternative Internet connection. The router's VPN server cannot respond to connection attempts from its local network.
Select the profile from the list on the main window and click the Active button:
This will pop up a window to select the network adapter that will be used. The Pre-Shared Key setting is also shown and can be changed if required:
Tick "Don't show this confirmation window..." if these settings will not need to be changed.
Click OK and DrayTek Smart VPN will configure the VPN tunnel.
Once the VPN is connected, the main window will show the status of this VPN configuration:
It will also show the status in the computer's System Tray, which can be used to disconnect the VPN when necessary.
Double-click the green system tray icon to display the SmartVPN client. Alternatively, right-click the SmartVPN client system tray icon for quick access to connect/disconnect and statistics options:
Check VPN Status on a Vigor Router
When connected, the VPN status can be viewed on the router in the [VPN and Remote Access] > [Connection Management] section, which will display the connecting IP, the local IP address of the client connected and the protocol that it is using:
- First Published: 23/03/2017
- Last Updated: 22/04/2021