V. VPN (Virtual Private Networking)
Vigor - Example LAN-to-LAN VPN Setup
The diagram above shows a simple example of a VPN between two offices, one in London and the other in Liverpool. Each private LAN is on its own private subnet as shown. Those private address ranges are not visible to the internet: they are only reachable through the VPN tunnel, and that tunnel will only carry data to its preset destination.
To configure the routers for the VPN, everything we need to know is available in the diagram above. For simplicity, we are using an example where the receiving office (London) has a fixed/known (static) IP address from the ISP, not a dynamic one (For dynamic DNS, you can use the router's DDNS IP-Posting facility). Also, in our example, only the Liverpool office will initiate VPN tunnels to the London office (not vice-versa) but it can work either way, or both.
It is essential that a different private address range (subnet) is used for each network. If they are the same, local PCs cannot determine when traffic is for the remote network and when to use the router rather than transmit locally. For example, if one network is on 192.168.1.X, the other could be on 192.168.2.X (both with class C 255.255.255.0 subnet masks).
For your own situation, you should draw up a table like the one below (we have filled in our example values). Examine and understand how each piece of information in the table fits into the diagram at the top of the page:

                        | London (receives VPN)  | Liverpool (initiates VPN)
LAN Network             | 192.168.1.0            | 10.1.1.0
LAN Subnet Mask         | 255.255.255.0          | 255.255.255.0
Router Admin Password   | shilton                | keegan
Public IP Address       | 184.108.40.206         | 220.127.116.11
VPN Profile Name        | Liverpool              | London
Protocols               | PPTP only              | PPTP only
Pre-Shared Key          | n/a (IPSec only)       | n/a (IPSec only)

The admin passwords are the routers' own management logins (web/telnet); they are listed because you will need them to configure each end, not because they are part of the VPN. Use a strong, unique password on each router. PPTP is used here only because it is the simplest protocol to set up: its MS-CHAPv2 authentication and MPPE encryption are not considered secure today, so where both routers support IPSec, prefer that with a strong pre-shared key.
NOTE : It is assumed that the routers at both ends are already set up for Internet connectivity; this can be via ISDN, Cable or ADSL. In the case of ISDN, which is a dial-up situation rather than Always-On (AO), each office will only be able to connect to the other if that other office is already online (connected to the Internet). If it is not online when contact is attempted, the tunnel cannot be made. You can use the remote activation facility on the Vigor to assist. A VPN can also be set up for mutual initiation, i.e. either LAN can start the connection to the other. If one LAN is AO but the other is dial-up, then the dial-up LAN will always be able to initiate the connection to the AO LAN, but the AO LAN will need the dial-up LAN to be already online (connected to the Internet) before it can start the tunnel. Note also that we use the term 'call' to mean initiation of a VPN to the remote site; it is not a 'call' in the traditional sense of a telephone/ISDN call.
Setting up the Routers
Before you start, ensure that you have Vigor router firmware 2.00 or later installed; if you have an earlier firmware version, you should download and install the latest firmware before proceeding.
Setting up London's Router (to receive incoming VPN)
As the London office will receive incoming VPN connections from Liverpool, we first need to enable dial-in access. Select >> Remote Access Control Setup from the router's VPN menu, set it as shown below (enabled for the protocol you are using, PPTP in this example) and then click OK.
Next, from VPN menu, select >> LAN-to-LAN Dialer Profile Setup and select one of the 16 available profiles. As this profile will allow Liverpool's LAN to access us, we will call the profile "Liverpool". Follow through each of the fields shown below and see how they relate to our original table.
>> 1. Common Settings
>> 3. Dial-in Settings
>> 4. TCP/IP Network Settings
Note how above in "Remote Network IP" we have entered the network address of the remote network (10.1.1.0 in this case), not an IP address of a particular router or PC. This is VERY important. Also, "My Wan IP" and "Remote Gateway" should both be set to 0.0.0.0 as shown.
Setting up Liverpool's Router (to initiate outward VPN)
Firstly, as on the first router, from the main router menu, select >> LAN-to-LAN Dialer Profile Setup and select one of the 16 available profiles. This time, we will call it 'London' as that's where we're calling.
>> 1. Common Settings
>> 2. Dial-out Settings
>> 4. TCP/IP Network Settings
As on the other router, note that in "Remote Network IP" we have entered the network address of the remote network (192.168.1.0 in this case), not an IP address of a particular router or PC. This is VERY important. Also, "My Wan IP" and "Remote Gateway" should both be set to 0.0.0.0 as shown.
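The two addressing rules above (distinct LAN subnets, and the network address rather than a host address in "Remote Network IP") are easy to get wrong when filling in the table by hand. The following script is an added example, not part of the original article or of DrayTek's firmware; it checks a planned LAN-to-LAN setup with Python's standard ipaddress module and shows what a PC actually does with a packet for the far end. The LAN networks are the article's own (192.168.1.0/24 and 10.1.1.0/24); the router LAN addresses 192.168.1.1 and 10.1.1.1 are assumed, since the article does not give them.

```python
import ipaddress

# Example values taken from the article's table (the LAN sides of each router).
LONDON_LAN = "192.168.1.0/24"
LIVERPOOL_LAN = "10.1.1.0/24"
# Assumed router LAN addresses (not given on the page): each PC's default gateway.
LONDON_GATEWAY = "192.168.1.1"
LIVERPOOL_GATEWAY = "10.1.1.1"


def lans_overlap(lan_a: str, lan_b: str) -> bool:
    """True if the two LAN subnets share any address.

    A LAN-to-LAN VPN between overlapping subnets cannot work: PCs treat the
    remote addresses as local and never hand the traffic to the router.
    """
    a = ipaddress.ip_network(lan_a, strict=False)
    b = ipaddress.ip_network(lan_b, strict=False)
    return a.overlaps(b)


def remote_network_entry(value: str, mask: str = "255.255.255.0") -> tuple:
    """Normalise what goes into a profile's "Remote Network IP" field.

    Returns (network_address, was_already_network).  A host address such as
    192.168.1.5 is reduced to its network address 192.168.1.0 and flagged,
    because the field must name the whole remote network, not one PC or router.
    """
    iface = ipaddress.ip_interface(f"{value}/{mask}")
    network_address = str(iface.network.network_address)
    return network_address, network_address == value


def next_hop(src_lan: str, gateway: str, dst_host: str, remote_lan: str) -> str:
    """Emulate a PC's forwarding decision for a packet to dst_host.

    'local'            : destination is on the PC's own subnet, so it ARPs directly
                         and the router (and the VPN) never see the packet.
    'gateway -> VPN'   : off-subnet, sent to the default gateway, which matches the
                         profile's Remote Network and brings up the tunnel.
    'gateway -> internet': off-subnet and not covered by any VPN profile.
    """
    local = ipaddress.ip_network(src_lan, strict=False)
    dst = ipaddress.ip_address(dst_host)
    if dst in local:
        return "local"
    if dst in ipaddress.ip_network(remote_lan, strict=False):
        return f"gateway {gateway} -> VPN"
    return f"gateway {gateway} -> internet"


def check_plan(london_lan: str, liverpool_lan: str) -> list:
    """Return a list of problems found in the addressing plan (empty if it is sound)."""
    problems = []
    if lans_overlap(london_lan, liverpool_lan):
        problems.append(f"LAN subnets overlap: {london_lan} and {liverpool_lan}")
    for name, lan in (("London", london_lan), ("Liverpool", liverpool_lan)):
        host_part = lan.split("/")[0]
        net, ok = remote_network_entry(host_part)
        if not ok:
            problems.append(f"{name}: Remote Network IP should be {net}, not {host_part}")
    return problems


if __name__ == "__main__":
    print("Problems with the article's plan:", check_plan(LONDON_LAN, LIVERPOOL_LAN))
    # A Liverpool PC reaching a London PC: leaves via the Liverpool Vigor and the tunnel.
    print(next_hop(LIVERPOOL_LAN, LIVERPOOL_GATEWAY, "192.168.1.20", LONDON_LAN))
    # The failure mode from the "different subnet" rule: both sites on 192.168.1.0/24.
    print(next_hop("192.168.1.0/24", "192.168.1.1", "192.168.1.20", "192.168.1.0/24"))
```

The last call illustrates the point made earlier: with both offices on 192.168.1.0/24, the sending PC decides the destination is local, ARPs for it on its own LAN and never uses the router, so no tunnel is ever triggered. The same decision explains why a remote PC must have its default gateway pointing at its own Vigor: its reply packets go through the identical check at the far end.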
That's it! Both ends of the VPN tunnel are set up. Now, when a PC in Liverpool tries to access an IP address belonging to a computer in London, the router will initiate the VPN link. You can test this by pinging a remote PC and checking that the VPN comes up. You can see the VPN status from the >> VPN Connection Management menu and also in the call log ('log -c' from telnet).
Remember that any PC you wish to contact at the other end must know how to get back to you, i.e. it must have its own default gateway pointing at its own local gateway/VPN server (its local Vigor router). If the ping is answered but nothing else works, or the ping is not answered even though the tunnel is up, a wrong gateway or a host firewall on the remote PC is the usual cause.
By default, VPN tunnels have a 300 second (5 minute) inactivity timeout. If you want the tunnel 'always on', set one of the routers to 'Always On', which will then always initiate the VPN tunnel (and reconnect automatically if the connection is lost), and give the other end an indefinite timeout (zero):
'Always On' set on the calling router.
Indefinite (zero) timeout set at the other end.
- First Published: 21/03/2013
- Last Updated: 09/12/2015