With IPSec VPN, you can use the Internet to securely access the network when you are away from home. To use the VPN Service, you need to configure Dynamic DNS Service (recommended) or assign a static IP address for the router’s WAN port. The System Time should also be synchronized with the Internet.
The table displays information of all configured IPSec VPNs on the router.
To establish an IPSec VPN
- Click Add.
- Configure the parameters according to the following explanation.
  - IPSec Connection Name: Enter a name for the IPSec VPN connection.
  - Remote IPSec Gateway Address (URL): Enter the destination gateway IP address, which is the public WAN IP or Domain Name of the remote VPN server endpoint.
  - Tunnel access from local IP addresses: Select Subnet Address if you want the whole LAN to join the VPN network, or select Single Address if you want a single IP to join the VPN network.
  - IP Address for VPN: Enter the IP address of your LAN.
  - Subnet Mask: Enter the subnet mask of your LAN.
  - Tunnel access from remote IP addresses: Select Subnet Address if you want the whole remote LAN to join the VPN network, or select Single Address if you want a single IP to join the VPN network.
  - IP Address for VPN: Enter the IP address of the remote LAN.
  - IP Subnet Mask: Enter the subnet mask of the remote LAN.
  - Key Exchange Method: Select Auto (IKE) or Manual to be used to authenticate IPSec peers.
  - Authentication Method: Select Pre-Shared Key (recommended).
  - Pre-Shared Key: Create a pre-shared key to be used for authentication.
  - Perfect Forward Secrecy: Select Enable (or Disable) to turn Perfect Forward Secrecy (PFS) on or off as an additional security protocol for the pre-shared key.
- Configure the advanced settings according to the following explanation. We recommend that you keep the default settings. If you want to change these settings, make sure that both VPN server endpoints use the same Encryption Algorithm, Integrity Algorithm, Diffie-Hellman Group and Key Lifetime in both Phase 1 and Phase 2.
  - Phase 1
    - Mode: Select Main to configure the standard negotiation parameters for IKE Phase 1. Select Aggressive to configure IKE Phase 1 of the VPN tunnel to carry out negotiation in a shorter amount of time. (Not recommended, as it is less secure.)
    - Local Identifier Type: Select the local identifier type for IKE negotiation. Local WAN IP uses an IP address as the identifier in IKE negotiation. FQDN (Fully Qualified Domain Name) uses a username as the identifier.
    - Local Identifier: The local identifier will be auto-populated if Local WAN IP is selected. If FQDN is selected, enter a username of the local device to be used as the identifier for IKE negotiation.
    - Remote Identifier Type: Select the remote identifier type for IKE negotiation. Remote WAN IP uses an IP address as the identifier in IKE negotiation. FQDN uses a username as the identifier.
    - Remote Identifier: The remote gateway IP address will be auto-populated if Remote WAN IP is selected. If FQDN is selected, enter a username of the remote peer to be used as the identifier for IKE negotiation.
    - Encryption Algorithm: Select one of the following encryption algorithms for IKE negotiation.
      - DES: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key.
      - 3DES: Triple DES encrypts plain text with a 168-bit key.
      - AES128: Uses the AES algorithm and a 128-bit key for encryption.
      - AES192: Uses the AES algorithm and a 192-bit key for encryption.
      - AES256: Uses the AES algorithm and a 256-bit key for encryption.
    - Integrity Algorithm: Select one of the following integrity algorithms for IKE negotiation.
      - MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit message digest.
      - SHA1: SHA1 (Secure Hash Algorithm) takes a message less than 2^64 (2 to the power of 64) in bits and generates a 160-bit message digest.
    - Diffie-Hellman Group for Key Exchange: Select the Diffie-Hellman group to be used in key negotiation Phase 1. The Diffie-Hellman Group sets the strength of the algorithm in bits.
    - Key Lifetime: Enter the period of time (in seconds) to pass before establishing a new IPSec security association (SA) with the remote endpoint. The default value is 3600.
  - Phase 2
    - Encryption Algorithm: Select one of the following encryption algorithms for IKE negotiation.
      - DES: DES (Data Encryption Standard) encrypts a 64-bit block of plain text with a 56-bit key.
      - 3DES: Triple DES encrypts plain text with a 168-bit key.
      - AES128: Uses the AES algorithm and a 128-bit key for encryption.
      - AES192: Uses the AES algorithm and a 192-bit key for encryption.
      - AES256: Uses the AES algorithm and a 256-bit key for encryption.
    - Integrity Algorithm: Select one of the following integrity algorithms for IKE negotiation.
      - MD5: MD5 (Message Digest Algorithm) takes a message of arbitrary length and generates a 128-bit message digest.
      - SHA1: SHA1 (Secure Hash Algorithm) takes a message less than 2^64 (2 to the power of 64) in bits and generates a 160-bit message digest.
    - Diffie-Hellman Group for Key Exchange: Select the Diffie-Hellman group to be used in key negotiation Phase 2. The Diffie-Hellman Group sets the strength of the algorithm in bits.
    - Key Lifetime: Enter the period of time (in seconds) to pass before establishing a new IPSec security association (SA) with the remote endpoint. The default value is 3600.
- Click Save.
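Before saving on both routers, the two sets of values can be compared offline. The following is an added example, not part of the router's software or this manual: it checks the "same settings on both endpoints" requirement from the steps above, flags Aggressive mode, and verifies that each side's remote network is the peer's local network. The profile layout, the function names and all sample values are assumptions made for the illustration.

```python
import copy
import ipaddress

# Settings the page says must be identical on both endpoints, in each phase.
MUST_MATCH = ("encryption", "integrity", "dh_group", "key_lifetime")
# The page marks Aggressive mode as not recommended. Flagging DES and MD5
# is an added judgement (both are deprecated), not a statement from the page.
DISCOURAGED = {"mode": {"Aggressive"}, "encryption": {"DES"}, "integrity": {"MD5"}}

def net(pair):
    """Build a network from the (IP Address, Subnet Mask) pair the form asks for."""
    return ipaddress.ip_network(f"{pair[0]}/{pair[1]}", strict=False)

def check_tunnel(a, b):
    """Compare two endpoint profiles; return a list of problems (empty if none)."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key in MUST_MATCH:
            if a[phase][key] != b[phase][key]:
                problems.append(f"{phase} {key} mismatch: {a[phase][key]} vs {b[phase][key]}")
        for name, ep in (("A", a), ("B", b)):
            for key, bad in DISCOURAGED.items():
                if ep[phase].get(key) in bad:
                    problems.append(f"{phase} {key} on {name} is {ep[phase][key]}")
    # Each side's remote network must be the peer's local network.
    for name, x, y in (("A", a, b), ("B", b, a)):
        if net(x["remote"]) != net(y["local"]):
            problems.append(f"{name} remote {net(x['remote'])} != peer local {net(y['local'])}")
    # Overlapping LANs make traffic for the tunnel ambiguous.
    if net(a["local"]).overlaps(net(b["local"])):
        problems.append("local LANs overlap")
    return problems

# Constructed sample profiles (hypothetical values, not from the page).
PHASE = {"encryption": "AES256", "integrity": "SHA1", "dh_group": 2, "key_lifetime": 3600}
SITE_A = {"local": ("192.168.1.0", "255.255.255.0"), "remote": ("192.168.2.0", "255.255.255.0"),
          "phase1": {"mode": "Main", **PHASE}, "phase2": dict(PHASE)}
SITE_B = {"local": ("192.168.2.0", "255.255.255.0"), "remote": ("192.168.1.0", "255.255.255.0"),
          "phase1": {"mode": "Main", **PHASE}, "phase2": dict(PHASE)}
# A misconfigured copy of site B: Aggressive mode, different Phase 2 lifetime, wrong mask.
SITE_B_BAD = copy.deepcopy(SITE_B)
SITE_B_BAD["phase1"]["mode"] = "Aggressive"
SITE_B_BAD["phase2"]["key_lifetime"] = 28800
SITE_B_BAD["remote"] = ("192.168.1.0", "255.255.0.0")

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B_BAD) or ["no problems found"]:
        print(line)
```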
Note: For the comprehensive