10. VPN Dial-in Function

The basic form of LAN to LAN VPN lets the internal networks of both routers connect
with each other. Since only one site has a fixed IP address, the VPN tunnel must be
established in one direction (from the dynamic-IP site to the fixed-IP site). If you want
both sites to always initiate the connection automatically, the router with the dynamic IP
must always be online. Otherwise, only one direction can work normally.
Suppose the headquarters in Taipei uses Vigor 3300V, while the branch office in
Shanghai uses Vigor2900V. The network administrator requires the employees in the branch
office to access the database in the headquarters through encrypted VPN tunnels. The
purpose is to avoid leakage of important confidential information. Please
refer to Figure 10-1.
Figure 10-1. A scenario of VPN in dial-in from 2900V
Vigor3300 Series Application Note V2.2
Below is the configuration table for Vigor 3300V and V2900V.
Settings            3300V Headquarters                  2900V Branch Office
WAN IP              220.135.240.207 (PPPoE, fixed IP)   61.31.167.135 (PPPoE, dynamic IP)
LAN IP              192.168.33.1                        192.168.29.1
Internal Network    192.168.33.X                        192.168.29.X
Encryption Method   DES-SHA1                            DES-SHA1
Preshared Key       3300                                3300
10.1 Examples and Web Configurations
10.1.1 Configurations in Vigor3300V
1. Suppose the subnet of the Vigor 3300V internal network is 192.168.33.X; for detailed
setup instructions, please refer to the LAN Setup chapter. Enter VPN\IPSec\Policy
Table, click 1, and then press Edit. Please refer to Figure 10-2.
Figure 10-2. Edit of policy table 1
2. First you should enter the Default page. There are three fields on this page.
In Basic field:
Name - You can specify a name for this profile. To facilitate easy management and
differentiation, please type “2900V”.
Preshared Key - Type “3300” (it must be identical to the 2900V's).
Admin Status - Use the default setting (Enable).
In Local Gateway field:
WAN Interface - Vigor 3300V has 4 WAN ports. In this example, we choose WAN1
to establish the VPN tunnel.
Network IP / Subnet Mask - This is the internal network of Vigor 3300V. Please enter
192.168.33.0 /24 (/24 = Mask 255.255.255.0).
In Remote Gateway field:
Security Gateway - This is the WAN IP of Vigor2900V. In this example it is not
fixed, so please enter 0.0.0.0.
Network IP / Subnet Mask - This is the internal network of Vigor2900V. Please enter
192.168.29.0 /24 (/24 = Mask 255.255.255.0).
Please refer to Figure 10-3.
Figure 10-3. Web settings of Vigor 3300V
3. Go to the Advanced page. Since the connection is initiated by V2900V, the
encryption method is determined by V2900V. By default Vigor 3300V allows
des-md5, des-sha1, 3des-md5 and 3des-sha1, so no change is required. Just press the
Apply button to finish the configuration. Please refer to Figure 10-4.
Figure 10-4. Advanced settings of Vigor 3300V
4. After configuration, the router will switch to the VPN - IPSec - Policy Table
page. Confirm that the settings are correct. Now the configuration of 3300V is
completed. Please refer to Figure 10-5.
Figure 10-5. Policy table of Vigor 3300V
10.1.2 Configurations in Vigor2900V
1. Enter the web page of Vigor2900V, and click the VPN and Remote Access Setup
link. Please refer to Figure 10-6.
Figure 10-6. VPN web of Vigor2900V
2. Click the LAN-to-LAN Profile Setup link. Please refer to Figure 10-7.
Figure 10-7. LAN to LAN settings of Vigor2900V
3. Click Index 1 to enter the relevant settings of the VPN tunnel connected to Vigor 3300V.
Please refer to Figure 10-8.
Figure 10-8. LAN to LAN profiles of Vigor2900V
4. In the web page, please set Common Setting first.
Profile Name - Specify a name for this profile. To facilitate easy management and
differentiation, please type “3300V”.
Call Direction - Specify the call direction for this profile. In this example the
connection is initiated from V2900V to Vigor 3300V, so please select Dial-Out. In
this example V3300V is not allowed to dial in.
Idle Timeout - By default, it is 300 seconds. If the profile connection is idle for longer
than this timer threshold, the router will drop the connection.
Please refer to Figure 10-9.
Figure 10-9. Common settings of Vigor2900V
Dial-Out Setting - Select IPSec Tunnel and enter the WAN IP 220.135.240.207 of
Vigor 3300V. Press the IKE Pre-Shared Key button, and then a window will pop
up. Just type 3300 (It must be identical to 3300V's). Press to finish the configuration
of IKE Pre-Shared Key. Then click High (ESP) and select DES with
Authentication (default is DES without Authentication).
Figure 10-10. Dial-out settings of Vigor2900V
Dial-in Setting - You do not need to configure this part.
Figure 10-11. Dial-in settings of Vigor2900V
TCP/IP Network Settings - In the Network IP and Mask field, enter 192.168.33.0
and 255.255.255.0 respectively, and then press “OK” to finish the configuration.
Please refer to Figure 10-12.
Figure 10-12. TCP/IP network settings of Vigor2900V
5. After configuration, the router will automatically switch to the LAN-to-LAN
Profiles Setup page. Confirm that the settings are correct. Now the configuration
of Vigor2900V is completed. Please refer to Figure 10-13.
Figure 10-13. Created profiles of Vigor2900V
6. Enter the main page of Vigor2900V and click the VPN Connection Management
link. From the pull-down menu, select (3300V) 220.135.240.207, and then press
“Dial”. V2900V will initiate the VPN connection to Vigor 3300V. Please refer to
Figure 10-14.
Figure 10-14. Connection settings of Vigor2900V
7. Wait about 5~10 seconds, and you will find that the VPN tunnel has been established.
Please refer to Figure 10-15.
Figure 10-15. Connection status of Vigor2900V
8. Enter the CLI and try to ping 192.168.33.1 (3300V) to see if there is any
response. Please refer to Figure 10-16.
Figure 10-16. Ping status
9. If the numbers of Tx Pkts & Rx Pkts increase, it means there is traffic through the
VPN tunnel. Please refer to Figure 10-17.
Figure 10-17. Statistics status
10. Open the Vigor 3300V web page and go to VPN\IPSec\Status, and you will
find that the VPN tunnel has been established. Please refer to Figure 10-18.
Figure 10-18. IPSec status
11. Enter the CLI and attempt to ping 192.168.29.1 (2900V) to see if there is any
response. Please refer to Figure 10-19.
Figure 10-19. Ping status
12. If the numbers of Packet In & Packet Out increase, it means there is traffic
through the VPN tunnel.
Now the VPN tunnel has been successfully established.
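The tunnel only comes up when the two profiles mirror each other, so the values entered above can be checked as a pair. The Python check below is an added example and not part of the application note: it uses the values from the configuration table and the steps above, reports mismatches between the two ends, and lists the settings a security review would flag. The dictionary layout, the function names and the 20-character key threshold are assumptions of this example.

```python
import ipaddress

# Values taken from the configuration table and steps above. The dictionary
# layout and function names are constructed for this example.
HQ_3300V = {
    "wan_ip": "220.135.240.207",
    "local_net": "192.168.33.0/24",
    "remote_gateway": "0.0.0.0",          # peer has a dynamic IP
    "remote_net": "192.168.29.0/24",
    "psk": "3300",
    "allowed": {"des-md5", "des-sha1", "3des-md5", "3des-sha1"},
}
BRANCH_2900V = {
    "lan_ip": "192.168.29.1", "lan_mask": "255.255.255.0",
    "dial_out_to": "220.135.240.207",
    "remote_net": "192.168.33.0/255.255.255.0",
    "psk": "3300",
    "proposal": "des-sha1",               # "DES with Authentication"
}

def net(text):
    # strict=False lets a host address such as 192.168.29.1/24 name its subnet
    return ipaddress.ip_network(text, strict=False)

def audit(hq, branch):
    """Return (mismatches, weaknesses) for the two tunnel endpoints."""
    mismatches, weaknesses = [], []
    branch_lan = net(f"{branch['lan_ip']}/{branch['lan_mask']}")
    if hq["psk"] != branch["psk"]:
        mismatches.append("preshared keys differ")
    if branch["dial_out_to"] != hq["wan_ip"]:
        mismatches.append("branch dials an address that is not the HQ WAN IP")
    if net(branch["remote_net"]) != net(hq["local_net"]):
        mismatches.append("branch remote network != HQ local network")
    if net(hq["remote_net"]) != branch_lan:
        mismatches.append("HQ remote network != branch LAN")
    if branch["proposal"] not in hq["allowed"]:
        mismatches.append("HQ does not accept the branch proposal")
    if branch["proposal"].startswith("des-"):
        weaknesses.append("single DES uses a 56-bit key")
    if len(hq["psk"]) < 20:  # threshold is an assumption of this example
        weaknesses.append("preshared key shorter than 20 characters")
    if hq["remote_gateway"] == "0.0.0.0":
        weaknesses.append("peer address not pinned; only the key identifies the peer")
    return mismatches, weaknesses

if __name__ == "__main__":
    for kind, items in zip(("MISMATCH", "WEAK"), audit(HQ_3300V, BRANCH_2900V)):
        for item in items:
            print(f"{kind}: {item}")
```

With the values from this chapter the check reports no mismatches and three weak settings: single DES, the four-character preshared key, and the 0.0.0.0 security gateway that leaves the key as the only peer authentication.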