How To – Establish IPSec VPN Connection between Cyberoam and Vigor Draytek ADSL


This article describes a detailed configuration example that demonstrates how to set up a net-to-net IPSec VPN connection between Cyberoam and Vigor Draytek ADSL using preshared key to authenticate VPN peers. Throughout the article we will use the network parameters as shown in the diagram below.

[Diagram: IPSec Connection]

Configuration Parameters

                                  Cyberoam          Draytek
Local Network details
  WAN IP address                  14.15.16.17       22.23.24.25
  Local Internal Network          10.5.6.0/24       172.23.0.24
  Preshared Key                   0123456789        0123456789
Remote Network details
  Remote VPN server IP address    22.23.24.25       14.15.16.17
  Remote Internal Network         172.23.9.0/24     10.5.6.0/24

Note: If the same subnets are configured at Draytek and Cyberoam, the connection will not be established.


Step by Step Configuration Draytek ADSL

Step 1:

Go to VPN and Remote Access → Remote Access Control. To allow the VPN traffic through routers, enable services as per following screen:

Step 2:

Go to VPN and Remote Access → LAN to LAN. Choose an unused profile, e.g. 1, and click Next to continue. The status of an unused profile will be “x”.


Step 3:

Section 1: Common Settings

o Enter a Profile Name and enable the profile
o As Draytek router will always initiate the VPN connection, for Call Direction click “Dial-Out” and click “Always on” to enable always on VPN tunnel.

Section 2: Dial-Out Settings

o Under Type of Server I am calling, click “IPSec Tunnel” and enter WAN IP address of Cyberoam i.e. 14.15.16.17 as Server IP/Host Name
o Under IKE Authentication Method, click “Pre-Shared Key” and enter Pre-Shared Key
o Under IPSec Security Method, click “High (ESP)”
o Click “Advanced” button


In Advanced settings enter parameters as follows:

o IKE phase 1 mode: Main mode
o IKE phase 1 proposal: 3DES_MD5_G2
o IKE phase 2 proposal: 3DES_MD5
o IKE phase 1 key lifetime: 28800
o IKE phase 2 key lifetime: 3600
o Perfect Forward Secret: Disable

Section 3: Dial-In Settings

No configuration is required in this section.

Section 4: TCP/IP Network Settings

Enter following parameters:

o Remote Network IP – 14.15.16.17 – Cyberoam’s internal network IP
o Remote Network Mask - 255.255.255.0

Do not change the default setting of any other parameters. Click “OK” button.


Step by Step Configuration Cyberoam

Step 4: Create VPN Policy

Go to VPN → Policy → Create Policy and create VPN Policy with following values:

o Policy Name: Draytek
o Using Template: None
o Keying Method: Automatic
o Allow Re-keying: Yes
o Key Negotiation Tries: 3
o Authentication Mode: Main Mode
o Perfect Forward Secrecy (PFS): No

Phase 1

o Encryption Algorithm: 3DES
o Authentication Algorithm: MD5
o DH Group (Key Group): 2 (DH1024)
o Key life: 28800 sec

Phase 2

o Encryption Algorithm: 3DES
o Authentication Algorithm: MD5
o DH Group (Key Group): 2 (DH1024)
o Key life: 3600 sec


Step 5: Create VPN Connection

Go to VPN → IPSec Connection → Create Connection and specify parameters as follows:

o Connection name: Draytek
o Policy: Draytek
o Action on restart: Active
o Mode: Tunnel
o Connection Type: Net to Net
o Authentication Type – Preshared Key
o Preshared Key: 0123456789
o Local server IP address (WAN IP address) – 14.15.16.17
o Local Internal Network – 10.5.6.0/24
o Remote server IP address (WAN IP address) – 22.23.24.25
o Remote Internal Network – 172.23.9.0/24
o User Authentication Mode: Disabled
o Protocol: All


Step 6:

At Draytek site select Connection Management from VPN and Remote Access menu. Under Dial-out Tool, select Cyberoam’s public IP from the dropdown and click “Dial” button to initiate the connection.


Step 7:

At Cyberoam site, under the Connection status indicates that the connection is successfully activated
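A pre-flight check for the two configurations entered in Steps 1 to 5, added here as an example and not part of the original article or of either vendor's tooling: it verifies that each end's peer address and subnets mirror the other end's, applies the note about identical subnets, and lists settings that its own policy treats as legacy. The function names, dictionary layout and policy thresholds are hypothetical; the addresses, key and proposals are the ones printed in the article.

```python
import ipaddress

# Policy for this example only (an assumption): legacy algorithms, 20-char PSK floor
LEGACY = {"3DES", "MD5", "DH2"}

def net(addr, mask=None):
    # strict=False lets "host address + mask" resolve to the enclosing network
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)

def side(name, wan, peer, local, remote):
    # Key, proposals, lifetimes and PFS are identical on both ends in the article
    return dict(name=name, wan=wan, peer=peer, local=local, remote=remote,
                psk="0123456789", p1=("3DES", "MD5", "DH2", 28800),
                p2=("3DES", "MD5", 3600), pfs=False)

def mismatches(a, b):
    """Findings that keep the two ends from agreeing on the tunnel."""
    out = []
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["wan"]:
            out.append(f"{x['name']} peer {x['peer']} != {y['name']} WAN {y['wan']}")
        if x["remote"] != y["local"]:
            out.append(f"{x['name']} remote {x['remote']} != {y['name']} local {y['local']}")
        if x["local"].overlaps(x["remote"]):
            out.append(f"{x['name']} local and remote subnets overlap")
    out += [f"{k} differs" for k in ("psk", "p1", "p2", "pfs") if a[k] != b[k]]
    return out

def weaknesses(s):
    """Crypto settings this example's policy treats as legacy."""
    out = sorted(LEGACY & set(s["p1"] + s["p2"]))
    if len(s["psk"]) < 20 or s["psk"].isdigit():
        out.append("short or digits-only PSK")
    if not s["pfs"]:
        out.append("PFS disabled")
    return out

# Values as printed in the article (parameter table, Step 3 Section 4, Step 5)
CYBEROAM = side("Cyberoam", "14.15.16.17", "22.23.24.25",
                net("10.5.6.0/24"), net("172.23.9.0/24"))
DRAYTEK = side("Draytek", "22.23.24.25", "14.15.16.17",
               net("172.23.0.24"), net("14.15.16.17", "255.255.255.0"))
# Constructed variant: Draytek subnets mirrored from the Cyberoam side
DRAYTEK_MIRRORED = side("Draytek", "22.23.24.25", "14.15.16.17",
                        net("172.23.9.0/24"), net("10.5.6.0/24"))

if __name__ == "__main__":
    for finding in mismatches(DRAYTEK, CYBEROAM) + weaknesses(CYBEROAM):
        print(finding)
```

Run against the values as printed, the check reports that the Draytek Remote Network IP from Step 3 and the Draytek local network from the parameter table do not mirror the Cyberoam side; the constructed mirrored variant passes the matching checks.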

Document version: 1.0-19/02/2009