Dial_Out

Apr 14, 2018

thangnm
  • 7/30/2019 Dial_Out

    1/10

    Vigor3300 Series Application Note V2.2 47

    11. VPN Dial-out Function

    Suppose the headquarters in Taipei uses a Vigor 3300V, while the branch office in Shanghai uses a V2900V. The network administrator requires the employees in the branch office to access the database in the headquarters through an encrypted VPN tunnel. The purpose is to avoid leakage of confidential information.

    Figure 11-1. A scenario architecture graph

    Both sites have a fixed IP address, and the connection is initiated from Vigor 3300V (Dial-Out) to V2900V (Dial-In).

    Below is a configuration table between Vigor 3300V and V2900V.

    Settings            3300V Headquarters    2900V Branch Office
    ------------------  --------------------  --------------------
    WAN IP              220.135.240.207       61.31.167.135
                        PPPoE, fixed IP       PPPoE, fixed IP
    LAN IP              192.168.33.1          192.168.29.1
    Internal Network    192.168.33.X          192.168.29.X
    Encryption Method   DES-SHA1 (both sites)
    Preshared Key       3300 (both sites)

    11.1 Examples and Web Configurations

    11.1.1 Configurations in Vigor2900V

    1. Enter the web page of Vigor2900V and click the VPN and Remote Access Setup link.

    Figure 11-2. 2900V web configuration

    2. Click the LAN-to-LAN Profile Setup link.

    Figure 11-3. LAN-to-LAN profile setup

    3. Click Index 1 and enter relevant settings for the VPN tunnel to Vigor 3300V. Please refer to Figure 11-4.

    Figure 11-4. Enter relevant VPN setup

    4. On this page there are four sections for relevant VPN setup, as below. In the web page, please set Common Setting first.

    Profile Name - Specify a name for this profile. To facilitate easy management and differentiation, please type 3300V.

    Call Direction - Specify the call direction for this profile. In this example the connection is initiated from V3300V to V2900V, so please select Dial-In.

    Idle Timeout - By default, it is 300 seconds. If the profile connection is idle over the threshold of the timer, the router will drop the connection. Please refer to Figure 12-5.

    Figure 11-5. Common settings in Vigor2900V

    Dial-Out Settings - It deals with relevant settings of Dial-Out connection. In this example, we do not need to configure this part.

    Figure 11-6. Dial-Out settings in Vigor2900V

    Dial-In Settings - It deals with relevant settings of Dial-In connection, including encryption method, preshared key and the WAN IP of remote site.

    Select IPSec Tunnel and enter the WAN IP 220.135.240.207 of Vigor2900V. Press the IKE Pre-Shared Key button, and then a window will pop up. Type 3300 (it must be identical with 3300V's). Press the Confirm button to finish the configuration of IKE Pre-Shared Key. Please refer to Figure 12-7.

    Figure 11-7. Dial-In settings in Vigor2900V

    TCP/IP Network Settings - It deals with the internal network of the remote site, etc. In the Network IP and Mask fields, enter 192.168.33.0 and 255.255.255.0 respectively, and then press OK to finish the configuration. Please refer to Figure 12-8.

    Figure 11-8. VPN setup- TCP/IP network settings

    5. After configuration, the router will automatically switch to the LAN-to-LAN Profiles Setup page. Confirm that the settings are correct. Now the configuration of V2900V is completed. Please refer to Figure 11-9.

    Figure 11-9. Table of LAN-to-LAN settings in Vigor2900V

    11.1.2 Configurations in Vigor3300V

    1. Suppose the internal network inside Vigor 3300V is 192.168.33.X; for detailed setup instructions please refer to the LAN Setup chapter. Enter VPN\IPSec\Policy Table, and click 1. Then press Edit. Please refer to Figure 12-10.

    Figure 11-10. IPSec policy table

    2. First you should configure the Default page. In Basic settings, there are three parts users need to configure.

    Figure 11-11. Default page setup

    In Basic field:

    Name - You can specify a name for this profile. To facilitate easy management and differentiation, please type 2900V.

    Preshared Key - Type 3300 (it must be identical with 2900V's).

    Admin Status - Use the default settings (Enable).

    In Local Gateway field:

    WAN Interface - Vigor 3300V has 4 WAN ports. In this example, we choose WAN1 to establish the VPN tunnel.

    Network IP / Subnet Mask - It is the internal network of Vigor 3300V. Please enter 192.168.33.0 /24 (/24 = Mask 255.255.255.0).

    In Remote Gateway field:

    Security Gateway - The WAN IP of Vigor2900V. Please enter 61.31.167.135.

    Network IP / Subnet Mask - The internal network of Vigor2900V. Please enter 192.168.29.0 /24 (/24 = Mask 255.255.255.0).

    3. Go to the Advanced page. By default, Vigor 3300V allows des-md5, des-sha1, 3des-md5 and 3des-sha1. Change the sequence of des-md5 and des-sha1 so that des-sha1 is in first place. Press Apply to finish the configuration.

    Figure 11-12. Advanced page setup

    4. After configuration, the router will switch to the VPN - IPSec - Policy Table page. Click Initiate.

    Figure 11-13. IPSec policy table

    5. A window for this Dial-Out connection will pop up. Press OK to initiate this tunnel.

    Figure 11-14. The confirmation window

    6. Please wait for 30~60 seconds, and then enter the VPN - IPSec Status page of Vigor 3300V. You will find that this VPN tunnel has been established.

    Figure 12-15. VPN - IPSec - Status page

    7. Please enter the CLI and ping 192.168.29.1 (2900V) to see if there is any response.

    Figure 11-16. Command prompt

    8. If the numbers of Packet In & Packet Out increase, it means there is traffic through the VPN tunnel.

    Figure 11-17. The numbers of packet in & packet out

    9. Please enter the main page of Vigor2900V and click VPN Connection Management. You will then find that this VPN tunnel has been established.

    Figure 11-18. VPN connection management

    10. Enter the CLI and ping 192.168.33.1 (3300V) to see if there is any response.

    Figure 11-19. Command prompt

    11. If the numbers of Tx Pkts & Rx Pkts increase, it means there is traffic through the VPN tunnel.

    Figure 11-20. The numbers of Tx Pkts & Rx Pkts

    Now the VPN tunnel has been successfully established.

    If you want to keep a permanent connection, please refer to step 2 of the configuration of Vigor 3300V and change Admin Status from Enable to Always-On. Before the connection is established, Vigor 3300V will continuously attempt to initiate the VPN tunnel every 20 seconds.

    Figure 11-21. The admin status
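
An added example, not part of the original application note or the router's software: a Python check that the two profiles configured above mirror each other (call direction, peer WAN IP, networks, preshared key, common proposal) and that reports legacy choices such as single DES or a short key. The `Profile` field names and the 20-character key threshold are assumptions made for illustration; the sample values are constructed from the configuration table on this page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Profile:  # one side of the tunnel; field names are hypothetical
    name: str
    direction: str    # "dial-out" or "dial-in"
    wan_ip: str       # this router's own WAN address
    peer_ip: str      # remote gateway entered in the profile
    local_net: str
    remote_net: str
    psk: str
    proposals: list   # in configured order

WEAK = {"des": "56-bit DES key", "md5": "MD5 integrity"}
MIN_PSK_LEN = 20      # assumed local policy, not a vendor requirement

def audit(a: Profile, b: Profile) -> list:
    """Return findings for two profiles that should mirror each other."""
    out, net = [], ipaddress.ip_network
    if {a.direction, b.direction} != {"dial-out", "dial-in"}:
        out.append("call directions are not complementary")
    if a.peer_ip != b.wan_ip or b.peer_ip != a.wan_ip:
        out.append("peer gateway does not match the other side's WAN IP")
    if net(a.local_net) != net(b.remote_net) or net(b.local_net) != net(a.remote_net):
        out.append("local/remote networks are not mirrored")
    if net(a.local_net).overlaps(net(a.remote_net)):
        out.append("local and remote networks overlap")
    if a.psk != b.psk:
        out.append("preshared keys differ")
    elif len(a.psk) < MIN_PSK_LEN:
        out.append(f"preshared key shorter than {MIN_PSK_LEN} characters")
    common = [p for p in a.proposals if p in b.proposals]
    if not common:
        out.append("no common proposal")
    for p in common:  # flag legacy algorithms both sides would accept
        out += [f"{p}: {WEAK[x]}" for x in p.split("-") if x in WEAK]
    return out

# Constructed from the values in the configuration table on this page.
HQ = Profile("2900V", "dial-out", "220.135.240.207", "61.31.167.135",
             "192.168.33.0/24", "192.168.29.0/24", "3300",
             ["des-sha1", "des-md5", "3des-md5", "3des-sha1"])
BRANCH = Profile("3300V", "dial-in", "61.31.167.135", "220.135.240.207",
                 "192.168.29.0/24", "192.168.33.0/24", "3300", ["des-sha1"])

if __name__ == "__main__":
    for finding in audit(HQ, BRANCH):
        print(finding)
```

With the values from the table, the profiles mirror correctly and the only findings are the short preshared key and the single-DES proposal.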
