
Teleworker VPN - IPsec - The GreenBow VPN Client

Products:
Vigor 2820
Vigor 2830
Vigor 2832
Vigor 2850

Keywords:
greenbow
ipsec
vpn

DrayTek routers that support Dial-In VPN connections can accept a connection from any compatible VPN client, giving a remote dial-in user secured access to the network connected to the router and to its internet connection.

In this example, the remote dial-in user connects with The GreenBow VPN client, a third-party VPN client (http://www.thegreenbow.com/), using the following protocols/parameters:

Protocol: IKEv1
Encryption Method: AES256
Authentication: SHA-1
Key Group: DH Group 14 (2048-bit)

The GreenBow client is able to use either Main Mode or Aggressive Mode to connect:

Main Mode - This uses the router's global pre-shared key, which is shared by all dial-in users connecting with IPsec.

Aggressive Mode - This uses a pre-shared key set per user account, and the user identifies itself with its Peer ID setting. This is regarded as being cryptographically slightly less secure than Main Mode, but it makes it possible to manage multiple users.

Main Mode configuration

A Remote Dial-In User VPN connection must have a profile configured first so that the router will allow the connection type and the pre-shared key. To configure that, go to [VPN and Remote Access] > [Remote Dial-In User] and, on that page, click on the first available Index number:


That opens the profile for that Dial-In user. Because this is a Main Mode connection, the only settings needed are enabling the account and enabling IPsec on it. The Username and Password configured in the profile are not used for an IPsec connection:


Click OK to save the settings on that page, then go to [VPN and Remote Access] > [IPsec General Setup]. On that page, the Pre-Shared Key for the IPsec connection can be configured. It is also possible to select which encryption types are allowed. In this example, only AES is selected, so the other encryption types would be rejected by the router:


Click OK to save the settings, then open The GreenBow client software and enter configuration mode by pressing Ctrl+Enter.

On that window, go to IKE V1 and click on the tunnel creation wizard:

Select "A router or a VPN gateway", then click Next:

Set the IP Address of the router and the Pre-Shared Key that was configured on the router. Set the Network Address of the router's LAN Subnet; in this case, the router's IP is 192.168.1.1 with a Subnet Mask of 255.255.255.0, so the resulting network address is 192.168.1.0. Click Next once that is set:

That moves on to the last page of the wizard. Click Finish to add the connection to The GreenBow.

At this stage, the VPN should be set up sufficiently to connect. The remaining steps show how to configure the security settings used by The GreenBow.


In The GreenBow's configuration page, click on Ikev1Gateway and, on the Authentication tab, set the security settings to match the parameters listed at the start of this article (AES256 encryption, SHA-1 authentication, DH Group 14):

Once that is set, go into Ikev1Tunnel and apply the same settings to Phase 2.

Also correct the Remote LAN Address and Subnet Mask if they appear to be incorrect:

Go to Configuration and select Save to save the changes to that tunnel's settings:

Go back to the connection window of The GreenBow, where the newly created tunnel should now be listed. Double-click on it to start the connection:

Once it has connected, it should give an indication of that in the lower right corner of the screen and show as connected in the connection window:

It should now be possible to use the VPN connection.

Aggressive Mode configuration

A Remote Dial-In User VPN connection must have a profile configured first so that the router will allow the connection type and the pre-shared key. To configure that, go to [VPN and Remote Access] > [Remote Dial-In User] and, on that page, click on the first available Index number:


That opens the profile for that Dial-In user. Because this is an Aggressive Mode VPN setup, the profile needs to be Enabled, IPsec Tunnel needs to be selected as a Dial-In Type, and the Peer ID and Local ID settings need to be configured.

This example uses "RemoteDialInUser" as the Peer ID, but this can be any string of text, such as a username, if required. The Local ID is set to "Router" because a Local ID must be set for The GreenBow to connect an Aggressive Mode VPN:


Click OK to save the settings, then open The GreenBow client software and enter configuration mode by pressing Ctrl+Enter.

On that window, go to IKE V1 and click on the tunnel creation wizard:

Select "A router or a VPN gateway", then click Next:

Set the IP Address of the router and the Pre-Shared Key that was configured on the router. Set the Network Address of the router's LAN Subnet; in this case, the router's IP is 192.168.1.1 with a Subnet Mask of 255.255.255.0, so the resulting network address is 192.168.1.0. Click Next once that is set:

That moves on to the last page of the wizard. Click Finish to add the connection to The GreenBow.

At this stage, the VPN should be set up sufficiently to connect. The remaining steps show how to configure the security settings used by The GreenBow.


In The GreenBow's configuration page, click on Ikev1Gateway and, on the Authentication tab, set the security settings to match the parameters listed at the start of this article (AES256 encryption, SHA-1 authentication, DH Group 14):

Once that is set, go into Ikev1Tunnel and apply the same settings to Phase 2.

Also correct the Remote LAN Address and Subnet Mask if they appear to be incorrect:

Go to the Advanced tab and enable Aggressive Mode. The Local and Remote ID settings are configured in this window. Set them to match what was set on the router, with the type set to DNS:

Go to Configuration and select Save to save the changes to that tunnel's settings:

Go back to the connection window of The GreenBow, where the newly created tunnel should now be listed. Double-click on it to start the connection:

Once it has connected, it should give an indication of that in the lower right corner of the screen and show as connected in the connection window:

It should now be possible to use the VPN connection.
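
To confirm which IKEv1 mode the client uses and whether it offers the parameters listed at the start of this article, the first UDP port 500 payload it sends can be decoded. The following Python is an added example, not DrayTek or TheGreenBow code; it assumes a single proposal in the SA payload, and the sample packet is constructed by the build_sample helper rather than captured.

```python
import struct

EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}   # ISAKMP exchange types
ATTR = {1: "enc", 2: "hash", 3: "auth", 4: "group", 14: "keylen"}
# This article's settings: AES-CBC (7) / 256-bit, SHA-1 (2), pre-shared key (1), DH group 14
EXPECTED = {"enc": 7, "keylen": 256, "hash": 2, "auth": 1, "group": 14}

def parse_first_packet(pkt):
    """Return (mode, transforms) for an IKEv1 initiator's first UDP/500 payload."""
    _, _, nxt, ver, xchg, _, _, _ = struct.unpack("!8s8sBBBBII", pkt[:28])
    if ver != 0x10 or nxt != 1:
        raise ValueError("not an IKEv1 message that starts with an SA payload")
    off = 28 + 12                  # ISAKMP header, then SA header + DOI + situation
    count = pkt[off + 7]           # number of transforms in the (single) proposal
    off += 8 + pkt[off + 6]        # skip proposal header and SPI
    transforms = []
    for _ in range(count):
        end = off + struct.unpack("!H", pkt[off + 2:off + 4])[0]
        pos, attrs = off + 8, {}
        while pos < end:
            a_type, a_val = struct.unpack("!HH", pkt[pos:pos + 4])
            if a_type & 0x8000:    # fixed-size attribute: value is inline
                attrs[ATTR.get(a_type & 0x7FFF, a_type & 0x7FFF)] = a_val
                pos += 4
            else:                  # variable-size attribute (e.g. lifetime): skip it
                pos += 4 + a_val
        transforms.append(attrs)
        off = end
    return EXCHANGE.get(xchg, "exchange type %d" % xchg), transforms

def matches_article(transform):
    """True if a transform offers the parameters used in this article."""
    return all(transform.get(k) == v for k, v in EXPECTED.items())

def build_sample(xchg, offers):
    """Build a constructed (not captured) first packet for testing the parser."""
    ts = b""
    for i, attrs in enumerate(offers):
        body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
        more = 3 if i < len(offers) - 1 else 0
        ts += struct.pack("!BBHBBH", more, 0, 8 + len(body), i + 1, 1, 0) + body
    prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(ts), 1, 1, 0, len(offers)) + ts
    sa = struct.pack("!BBHII", 0, 0, 12 + len(prop), 1, 1) + prop
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"", 1, 0x10, xchg, 0, 0, 28 + len(sa)) + sa

STRONG = [(1, 7), (14, 256), (2, 2), (3, 1), (4, 14)]   # AES256 / SHA-1 / PSK / DH14
WEAK = [(1, 5), (2, 1), (3, 1), (4, 2)]                 # 3DES / MD5 / PSK / DH2
mode, offered = parse_first_packet(build_sample(2, [STRONG, WEAK]))
print(mode, [matches_article(t) for t in offered])
```

A transform that does not match, such as the constructed 3DES/MD5 offer here, indicates that the client's Ikev1Gateway settings still include parameters other than the ones configured above.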

 

