Multisite VPN koneksi cabang dengan Draytek Vigor

fankychristian - August 13, 2013
Multisite VPN dengan Draytek Vigor merupakan solusi simple dan terjangkau untuk komunikasi antara Cabang, cukup dengan menggunakan koneksi Speedy di cabang Anda.  Hubungi kami untuk keperluan ini.


VPN LAN to LAN : Three-Sided Communication

This document introduces how to create a LAN to LAN connection for Multiple VPN clients using IPSec Main mode with static IP address, and to let the branch offices communicate through HQ office. Following is the scenario.
1.Scenario


VPN configuration on Vigor3900 for Branch office A

1. Go to LAN-to-LAN option page.

2. Select IPSec service.
3. Add new Profile.

2.LAN-to-LAN Profiles


4. Enable the profile and set the name (e.g., Branch A).

5. “Always On” can be disabled since the Vigor3900 is in the Dial-In direction (the host).
6. Select PSK for authentication type.
7. Set the Preshared Key (It must be the same key as the clients’.).
8. Set the Local IP as LAN network IP “192.168.1.0” to ensure the communication between the branch offices will be connected permanently(Firmware version should be 1.0.6 or above.).
9. Enter the WAN IP of the remote side in Remote Host.
10. Enter the LAN IP of the remote side in Remote IP/Subnet Mask.

3.IPSec


You can follow the same steps as above to create a new profile for Branch B. Please make sure that you set the correct WAN and LAN IP addresses for Branch B.



VPN configuration on Vigor2820

1. Create a LAN-to-LAN profile.

2. The followings are the settings to create a permanent VPN connection.
3. Enable the profile by checking the box.
4. The Vigor2820 will be set as a client, and the call direction is “Dial-Out”.
5. Enable “Always on” for a permanent VPN connection.

4.Common Settings


6. Now navigate to the second step Dial-Out Settings.

7. Select the IPSec service.
8. Set the Server WAN IP of the remote side.
9. Set the PSK by clicking IKE Pre-Shared Key.
10. Select “High (ESP)” for higher security.

5.Dial-Out Settings


11. Now navigate to the TCP/IP Network Settings.

12. Set the LAN IP of the remote side in Remote Network IP.

6.Network Settings


The “More Route” function allows more connections with other branch offices through the Vigor3900. To activate it, please click “more” and follow the setting below.

1. Set the LAN IP address of the other branch office.

2. Add it to the Remote Network.

7.Profile Index3


For the CPE in Branch B, the steps are similar to the setting for Branch A. Please make sure that the correct LAN IP address is set in the “More Route” function.


Once the IPSec tunnel is established between all three devices, you can check the tunnels under theconnection management of each device. You can also use the PING Tool under Diagnostics to check if you can ping the remote side.

Connection management in HQ:

8.Connection Management


Connection management in Branch A:

9.VPN Connection Status


Connection management in Branch B:

10.VPN Connection Status



Ping Tool in HQ to Branch A and to Branch B:

11.Ping


12.Ping


Ping Tool in Branch A and Branch B to HQ:

13.Ping Diagnosis


14.Ping Diagnosis

Now the branch offices should be able to reach mutually through the Vigor3900.

From branch A to branch B:

15.Ping Diagnosis


From branch B to branch A:

16.Ping Diagnosis
Tags: