Setting up a VPN from a Prestige 652/650 to a DrayTek Vigor 2300 (and 2200)


reference Z114B


This document contains all relevant data (IP addresses, firmware versions) and the settings used to set up a VPN between a DrayTek Vigor 2300 (and 2200) and a Prestige 652H-31 (and 650H-31 3.40(IS.4)). It is assumed that:

Steps:
  1. Connect to the Vigor with a browser.
  2. Check the LAN and WAN address of the Vigor in Vigor: WAN status
  3. On the Vigor, set the PreShared Key (PSK) for the incoming connection (testtest in this example; the key must be identical on both ends, and on a live link a long random key should replace it) and set the IPSec Security Method to ESP only in Vigor: VPN and Remote Access Setup - VPN IKE / IPSec General Setup
  4. Create a VPN profile as shown in Vigor: VPN and Remote Access Setup - LAN-to-LAN Profile Setup - 1
  5. Do not forget to set the outgoing PSK at the bottom of the profile in Vigor: VPN profile Outgoing IKE PreShared Key (not applicable to the 2200)
  6. The settings under Vigor: Advance are optional (not applicable to the 2200)
  7. Connect to the ZyXEL router via Telnet (this can of course also be done with a browser, but Telnet is used here for clarity). Check the LAN address of the ZyXEL under ZyXEL (System Maintenance - Information)
  8. If necessary, change the LAN address of the ZyXEL so that it does not overlap with that of the Vigor in ZyXEL: TCP/IP and DHCP Setup
  9. Check the WAN address of the ZyXEL in ZyXEL: Status
  10. Configure the VPN in ZyXEL: IPSec Setup (the values to be changed are shown in red)
  11. Configure the advanced IKE settings in ZyXEL: IKE Setup. The phase 1 and phase 2 proposals (DES, MD5, DH group 1 and no PFS in this example) must match what is set on the Vigor; where both routers offer 3DES or AES, prefer those over DES.
If it does not work, the VPN debug document contains procedures and tips.


1. Vigor

DrayWeb

Router Web Configurator


Setup Main Menu

DrayTek Corp.

  • Model: Vigor2300
  • Firmware Version: v2.5.1
  • Build Date/Time: Thu Jan 8 19:34:32.20 2004
  • LAN MAC Address: 00-50-7F-04-04-93

        Basic Setup (Setup First)
    >>  Administrator Password Setup
    >>  LAN TCP/IP and DHCP Setup
        Quick Setup
    >>  Internet Access Setup
        Advanced Setup
    >>  Dynamic DNS Setup
    >>  Call Schedule Setup
    >>  NAT Setup
    >>  RADIUS Setup
    >>  Static Route Setup
    >>  IP Filter/Firewall Setup
    >>  VPN and Remote Access Setup
        System Management
    >>  Online Status
    >>  VPN Connection Management
    >>  Configuration Backup / Restoration
    >>  SysLog Setup
    >>  Time Setup
    >>  Management Setup
    >>  Diagnostic Tools
    >>  Reboot System
    >>  Firmware Upgrade (TFTP Server)

    Copyright (c) 2002, DrayTek Corp. All Rights Reserved.



    2. Vigor: WAN status

    > System Management > Online Status << Main Menu

    System Status
    System Uptime: 0:1:5

    LAN Status
      IP Address: 192.168.3.100
      Primary DNS: 62.177.144.11    Secondary DNS: 62.177.144.2

    WAN Status
      Mode: DHCP Client    IP Address: 172.31.31.37    GW IP Addr: 172.31.31.31
      TX Packets: 40    TX Rate: 74    RX Packets: 289    RX Rate: 363    Up Time: 0:01:04




    3. Vigor: VPN and Remote Access Setup - VPN IKE / IPSec General Setup

    Vigor 2300:

    > Advanced Setup > VPN IKE / IPSec General Setup << Main Menu

    VPN IKE/IPSec General Setup << Back

    Dial-in Set up for Remote Dial-in users and Dynamic IP Client (LAN to LAN).
    IKE Authentication Method
    Pre-Shared Key
    Re-type Pre-Shared Key
    IPSec Security Method
    Medium (AH)
         Data will be authentic, but will not be encrypted.

    High (ESP)         DES    3DES    AES
         Data will be encrypted and authentic.

      



    For the 2200 (firmware 2.5) it looks as follows:

    > Advanced Setup > VPN IKE / IPSec Setup << Main Menu

    VPN IKE/IPSec Setup << Back

    Dial-in Set up
    IKE Authentication Method
    Pre-Shared Key
    Re-type Pre-Shared Key
    IPSec Security Method
    Medium (AH)
         Data will be authentic, but will not be encrypted.

    High (ESP)
         Data will be encrypted and authentic.

    Dial-out Set up
    IKE Authentication Method
    Pre-Shared Key
    Re-type Pre-Shared Key
    IPSec Security Method
    << LAN-to-LAN Dialer Profiles
      




    4. Vigor: VPN and Remote Access Setup - LAN-to-LAN Profile Setup - 1

    Vigor 2300:

    > Advanced Setup> LAN-to-LAN Profile Setup <<Main Menu

    Profile Index : 1 <<Back |  Clear | 

    1. Common Settings
      Profile Name
       Enable this profile
      Call Direction Both Dial-Out Dial-In
    Always on
      Idle Timeout     second(s)
    Enable PING to keep alive
      PING to the IP   
    2. Dial-Out Settings
      Type of Server I am calling
    PPTP
    IPSec Tunnel
    L2TP with IPSec Policy

      Server IP/Host Name for VPN.
      (such as draytek.com or 123.45.67.89)
        
      Username
      Password
      PPP Authentication
      VJ Compression On Off

      IPSec Security Method
       Medium(AH)
       High(ESP)

      Scheduler (1-15)
        
    3. Dial-In Settings
      Allowed Dial-In Type
    PPTP
    IPSec Tunnel
    L2TP with IPSec Policy

       Specify Remote VPN Gateway
      Peer VPN Server IP
      or Peer ID
      Username
      Password
      VJ Compression On Off

      IPSec Security Method
       Medium (AH)
       High (ESP)
             DES    3DES    AES
    4. TCP/IP Network Settings
      My WAN IP
      Remote Gateway IP
      Remote Network IP
      Remote Network Mask
         
      RIP Direction
      RIP Version
      For NAT operation, treat remote sub-net as

      Change default route to this VPN tunnel


    For the 2200 it looks as follows (steps 5 and 6 do not apply):

    > Advanced Setup > LAN-to-LAN Dialer Profile Setup << Main Menu

    Profile Index : 1 << Back |  Clear | 

    1. Common Settings
      Profile Name
       Enable this profile
      Call Direction Both Dial-Out Dial-In
    Always on
      Idle Timeout     second(s)
    Enable PING to keep alive
      PING to the IP   
    2. Dial-Out Settings
      Username
      Password
      Server IP/Host Name for VPN.
      (such as 5551234, draytek.com or 123.45.67.89)
        
      Type of Server I am calling
    ISDN PPTP
    IPSec Tunnel
    L2TP with IPSec Policy
       Medium(AH)
       High(ESP)
      Link Type
      PPP Authentication
      VJ Compression On Off

      Scheduler (1-15)
        
      Callback Function (CBCP)
       Require Remote to Callback
       Provide ISDN Number to Remote
    3. Dial-In Settings
      Username
      Password
       Enable CLID Authentication
      Peer VPN Server IP
      Allowed Dial-In Type
    ISDN PPTP
    IPSec Tunnel
    L2TP with IPSec Policy
      Link Type
      PPP Authentication
      VJ Compression On Off
      Callback Function (CBCP)
       Enable Callback Function
       Use the Following Number to Callback
        Callback Number
      Callback Budget  minute(s)
    4. TCP/IP Network Settings
      My WAN IP
      Remote Gateway IP
      Remote Network IP
      Remote Network Mask
         
      RIP Direction
      RIP Version
      For NAT operation, treat remote sub-net as

      Change default route to this VPN tunnel





    5. Vigor: VPN profile Outgoing IKE PreShared Key

    IKE Authentication Method
    Pre-Shared Key
    Re-type Pre-Shared Key






    6. Vigor: Advance

    IKE advance settings
    IKE phase 1 mode Main mode Aggressive mode
    IKE phase 1 proposal
    IKE phase 1 key lifetime (900 ~ 86400)
    IKE phase 2 key lifetime (600 ~ 86400)
    Perfect Forward Secrecy Disable Enable
    Local ID






    7. ZyXEL

    The instructions assume access via Telnet or the serial port.

    
    Menu 24.2.1 - System Maintenance - Information
    
       Name:
        Routing: IP
        ZyNOS F/W Version: V3.40(IU.2) | 9/4/2003
        ADSL Chipset Vendor:  Alcatel, Version  3.9.122
        Standard: Multi-Mode
    
       LAN
        Ethernet Address: 00:a0:c5:56:ac:03
        IP Address: 192.168.1.1
        IP Mask: 255.255.255.0
        DHCP: Server
    
                    Press ESC or RETURN to Exit:
    



    8. ZyXEL: TCP/IP and DHCP Setup

                Menu 3.2 - TCP/IP and DHCP Setup
    
               DHCP Setup
                DHCP= Server
                Client IP Pool Starting Address= 192.168.1.33
                Size of Client IP Pool= 32
                Primary DNS Server= 0.0.0.0
                Secondary DNS Server= 0.0.0.0
                Remote DHCP Server= N/A
               TCP/IP Setup:
                IP Address= 192.168.1.1
                IP Subnet Mask= 255.255.255.0
                RIP Direction= None
                Version= N/A
                Multicast= None
                IP Policies=
                Edit IP Alias= No
    
                 Press ENTER to Confirm or ESC to Cancel:
    



    9. ZyXEL: Status

                         Menu 24.1 - System Maintenance - Status
    00:38:54
                                                          Sat. Jan. 01, 2000
    
    Node-Lnk Status      TxPkts      RxPkts      Errors  Tx B/s  Rx B/s  Up Time
     1-ENET  Up            2650        3545           0       0       0     0:31:44
     2       N/A              0           0           0       0       0     0:00:00
     3       N/A              0           0           0       0       0     0:00:00
     4       N/A              0           0           0       0       0     0:00:00
     5       N/A              0           0           0       0       0     0:00:00
     6       N/A              0           0           0       0       0     0:00:00
     7       N/A              0           0           0       0       0     0:00:00
    
         My WAN IP (from ISP): 172.31.31.38
    
        Ethernet:                                    WAN:
          Status:                  Tx Pkts: 3716       Line Status: Up
          Collisions: 0            Rx Pkts: 3296       Upstream Speed:   864 kbps
        CPU Load =    1.89%                            Downstream Speed: 8064 kbps
                                     Press Command:
                          COMMANDS: 1-Reset Counters  ESC-Exit
    



    10. ZyXEL: IPSec Setup

                                Menu 27.1.1 - IPSec Setup
    
              Index #= 1        Name= 2300
              Active= Yes       Keep Alive= No
              Local ID type= IP         Content= 172.31.31.38
              My IP Addr= 0.0.0.0
              Peer ID type= IP          Content= 172.31.31.37
              Secure Gateway Address= 172.31.31.37
              Protocol= 0       DNS Server= 0.0.0.0
              Local:  Addr Type= SUBNET
                  IP Addr Start= 192.168.1.0      End/Subnet Mask= 255.255.255.0
                     Port Start= 0                End= N/A
              Remote: Addr Type= SUBNET
                  IP Addr Start= 192.168.3.0      End/Subnet Mask= 255.255.255.0
                     Port Start= 0                End= N/A
              Enable Replay Detection= No
              Key Management= IKE
              Edit Key Management Setup= Yes
    
                        Press ENTER to Confirm or ESC to Cancel:
    



    11. ZyXEL: IKE Setup

                                Menu 27.1.1.1 - IKE Setup
    
          Phase 1
            Negotiation Mode= Main
            PSK= testtest
            Encryption Algorithm= DES
            Authentication Algorithm= MD5
            SA Life Time (Seconds)= 28800
            Key Group= DH1
    
          Phase 2
            Active Protocol= ESP
            Encryption Algorithm= DES
            Authentication Algorithm= MD5
            SA Life Time (Seconds)= 3600
            Encapsulation= Tunnel
            Perfect Forward Secrecy (PFS)= None
    
                        Press ENTER to Confirm or ESC to Cancel:
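
As an added cross-check after steps 8 to 11 (example code, not part of this document and not a ZyXEL or DrayTek tool): the script below parses the ZyNOS menu 27.1.1 and 27.1.1.1 screens exactly as they are captured above and compares them with the values entered on the Vigor. The Vigor side (the VIGOR dict) is a hand transcription of steps 2 to 6; the Vigor LAN mask (192.168.3.0/24), the Remote Gateway IP (172.31.31.38) and the Remote Network (192.168.1.0/24) of the LAN-to-LAN profile are assumptions, because the captured profile leaves those fields blank. A mismatch in any of these fields (overlapping LANs, a peer address that is not the other end's WAN address, a differing PSK, AH on one side and ESP on the other, a lifetime outside the range the Vigor accepts) is the usual reason an IKE negotiation never completes, so this is what to verify before reaching for the VPN debug document. The last function flags the DES, MD5, DH group 1 and no-PFS proposal used in this example as weak by current standards.

```python
"""Cross-check of the ZyXEL (menus 27.1.1 / 27.1.1.1) and Vigor LAN-to-LAN settings.
Added example: not part of this document and not a ZyXEL or DrayTek tool."""
import ipaddress
import re

# ZyNOS screens as captured in steps 10 and 11, trimmed to the lines that are checked.
ZYXEL_IPSEC_MENU = """\
          Local ID type= IP         Content= 172.31.31.38
          Peer ID type= IP          Content= 172.31.31.37
          Secure Gateway Address= 172.31.31.37
          Local:  Addr Type= SUBNET
              IP Addr Start= 192.168.1.0      End/Subnet Mask= 255.255.255.0
          Remote: Addr Type= SUBNET
              IP Addr Start= 192.168.3.0      End/Subnet Mask= 255.255.255.0
"""
ZYXEL_IKE_MENU = """\
      Phase 1
        Negotiation Mode= Main
        PSK= testtest
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 28800
        Key Group= DH1
      Phase 2
        Active Protocol= ESP
        Encryption Algorithm= DES
        Authentication Algorithm= MD5
        SA Life Time (Seconds)= 3600
        Perfect Forward Secrecy (PFS)= None
"""
ZYXEL_WAN_IP = "172.31.31.38"  # menu 24.1, "My WAN IP (from ISP)"

# Vigor side, transcribed from steps 2-6. LAN mask, remote gateway and remote network are
# ASSUMED (the captured profile leaves them blank); the lifetime ranges are those of step 6.
VIGOR = {"wan_ip": "172.31.31.37", "lan": "192.168.3.0/24",
         "remote_gateway": "172.31.31.38", "remote_network": "192.168.1.0/24",
         "psk": "testtest", "security_method": "ESP", "phase1_mode": "Main",
         "lifetime_ranges": {"Phase 1": (900, 86400), "Phase 2": (600, 86400)}}

# Keys that occur more than once per screen are stored as 'Section.Key'.
REPEATED_KEYS = {"Content", "Addr Type", "IP Addr Start", "End/Subnet Mask",
                 "Encryption Algorithm", "Authentication Algorithm", "SA Life Time (Seconds)"}
SECTION_RE = re.compile(r"^(Local|Remote):\s*|^(Phase [12])$")
WEAK_ALGS = {"Encryption Algorithm": ("DES", "use 3DES or AES"),
             "Authentication Algorithm": ("MD5", "prefer SHA1")}
WEAK_IKE = {"Key Group": ("DH1", "DH group 1 is 768-bit, use group 2 or larger"),
            "Perfect Forward Secrecy (PFS)": ("None", "enable PFS on both ends if supported")}

def parse_zynos_menu(text):
    """Parse a ZyNOS 'Key= value' screen; several pairs may share one line."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:  # 'Local:', 'Remote:', 'Phase 1' and 'Phase 2' open a section
            section, line = m.group(1) or m.group(2), line[m.end():]
        for chunk in re.split(r"\s{2,}", line):
            if "=" not in chunk:
                continue
            key, _, value = chunk.partition("=")
            key, value = key.strip(), value.strip()
            if key in ("Local ID type", "Peer ID type"):  # scopes the Content= that follows
                section = key.split()[0]
            fields[f"{section}.{key}" if key in REPEATED_KEYS else key] = value
    return fields

def check_tunnel(ipsec_text, ike_text, zyxel_wan_ip, vigor):
    """Return the mismatches between the two ends; an empty list means they agree."""
    ipsec, ike, problems = parse_zynos_menu(ipsec_text), parse_zynos_menu(ike_text), []
    def expect(ok, msg):
        if not ok:
            problems.append(msg)
    zy_local, zy_remote = (ipaddress.ip_network(
        f"{ipsec[s + '.IP Addr Start']}/{ipsec[s + '.End/Subnet Mask']}") for s in ("Local", "Remote"))
    vg_lan, vg_remote = ipaddress.ip_network(vigor["lan"]), ipaddress.ip_network(vigor["remote_network"])
    # Step 8: LANs must not overlap. Step 10: each end's 'remote' is the other end's 'local'.
    expect(not zy_local.overlaps(vg_lan), f"LANs overlap: {zy_local} and {vg_lan}")
    expect(zy_remote == vg_lan, f"ZyXEL remote {zy_remote} != Vigor LAN {vg_lan}")
    expect(zy_local == vg_remote, f"ZyXEL local {zy_local} != Vigor remote network {vg_remote}")
    # Steps 2, 9, 10: the gateway and ID fields carry the other end's WAN address.
    expect(ipsec["Secure Gateway Address"] == ipsec["Peer.Content"] == vigor["wan_ip"],
           "ZyXEL Secure Gateway Address / Peer ID != Vigor WAN IP")
    expect(ipsec["Local.Content"] == zyxel_wan_ip, "ZyXEL Local ID != ZyXEL WAN IP")
    expect(vigor["remote_gateway"] == zyxel_wan_ip, "Vigor Remote Gateway IP != ZyXEL WAN IP")
    # Steps 3, 6, 11: same PSK, AH/ESP choice and phase 1 mode; lifetimes the Vigor accepts.
    expect(ike["PSK"] == vigor["psk"], "pre-shared keys differ")
    expect(ike["Active Protocol"] == vigor["security_method"], "IPSec security method differs (AH vs ESP)")
    expect(ike["Negotiation Mode"] == vigor["phase1_mode"], "IKE phase 1 mode differs")
    for phase, (lo, hi) in vigor["lifetime_ranges"].items():
        life = int(ike[f"{phase}.SA Life Time (Seconds)"])
        expect(lo <= life <= hi, f"{phase} lifetime {life}s outside Vigor range {lo}-{hi}")
    return problems

def weak_crypto_warnings(ike_text):
    """Flag proposals that are weak by current standards; the capture above trips all of them."""
    ike = parse_zynos_menu(ike_text)
    found = [f"{p}: {v}; {fix} if both ends offer it" for p in ("Phase 1", "Phase 2")
             for k, (v, fix) in WEAK_ALGS.items() if ike[f"{p}.{k}"] == v]
    found += [f"{k}= {v}; {fix}" for k, (v, fix) in WEAK_IKE.items() if ike[k] == v]
    return found
```

With the values from this document, check_tunnel(ZYXEL_IPSEC_MENU, ZYXEL_IKE_MENU, ZYXEL_WAN_IP, VIGOR) returns an empty list and weak_crypto_warnings(ZYXEL_IKE_MENU) returns six warnings. To use it on a real link, paste the two ZyNOS screens from the Telnet session into the two strings and type the Vigor profile values into VIGOR; every entry in the returned list is a field to correct before looking at IKE debug output.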