VPN Configuration Guide
DrayTek Vigor / VigorPro Remote Dial-In User Profile
equinux AG and equinux USA, Inc. Apple, the Apple logo, iBook, Mac, Mac OS, MacBook, PowerBook are trademarks of Apple Computer, Inc., registered in the U.S. and other countries. © 2009 equinux USA, Inc. All rights reserved. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of equinux AG or equinux USA, Inc. Your rights to the software are governed by the accompanying software license agreement.
Contents
Introduction ........ 5
Important Prerequisites ........ 6
Scenario ........ 7
Terminology ........ 8
My DrayTek Configuration ........
Introduction
This document describes how VPN Tracker can be used to establish a connection between a Mac running Mac OS X and a DrayTek Vigor/VigorPro firewall/router device.
Note: This documentation is only a supplement to, not a replacement for, the instructions included with your DrayTek device. Please be sure to read those instructions and understand them before starting. The different DrayTek model / firmware revisions have different VPN capabilities.
Important Prerequisites
Your VPN Gateway
‣ This guide applies to DrayTek Vigor/VigorPro devices that have support for IPsec VPN Remote Dial-In User / Teleworker Profiles. These include:
• Vigor2110 Series
• Vigor2200 Series¹
• Vigor2700²/2710 Series
• Vigor2800/2820 Series
• Vigor2910/2930/2950 Series
• Vigor3100 Series
• VigorPro 5300/5500/5510 Series
‣ Make sure you have the newest available firmware installed on your device
Your Mac
‣ VPN Tracker runs on Mac OS X 10.4 or 10.
Scenario
In our example, we need to connect an employee's Mac to an office network. The following diagram illustrates this scenario:
[Diagram: Mac running VPN Tracker, VPN Connection, DrayTek Vigor VPN Gateway (vpn.example.com), Office Network 192.168.13.0 / 255.255.255.0]
This guide assumes that the Mac running VPN Tracker already has internet connectivity. The office's DrayTek device (the “VPN gateway”) is also already connected to the Internet and can be accessed through a static IP address or DNS host name.
Terminology
A VPN connection is often called a “tunnel” (or “VPN tunnel”). Every VPN tunnel is established between two “endpoints”. In our example one endpoint is VPN Tracker and the other endpoint is the VPN gateway. Each endpoint is called the other endpoint’s “peer”. Please note that for each endpoint, the settings on the other endpoint are considered to be “remote”, while its own settings are considered to be “local”.
My DrayTek Configuration
TIP: To set up your VPN connection, you'll need to keep track of certain pieces of information. Those details are indicated by red numbers. Throughout this guide we will be referencing those numbers.
➊ Peer ID: ____________
➋ Pre-Shared Key: ____________
➌ LAN IP Address: ___.___.___.___
➍ LAN Subnet Address: ___.___.___.___
➎ LAN Network Address: ___.___.___.___
➏ WAN IP Address: ___.___.___.___
Task 1 – Configure your DrayTek
This section describes the configuration of your DrayTek Vigor VPN router. If you do not yet have VPN configured and in use on your device, please proceed exactly as described in this section. We will be creating a connection using a Remote Dial-in User.
Step 2 - Add a New Remote Dial-In User
‣ Click “Remote Dial-In User”
‣ Remote Access User Accounts: Click on an unused number (e.g. “1.
Step 3 - Configure the New Remote Dial-In User
‣ User Accounts and Authentication
‣ Check the box “Enable this account”
‣ Make sure the Idle Timeout is set to “0” seconds
‣ Allowed Dial-In Type
‣ Check the box “IPsec Tunnel”
‣ If you don’t plan to be using the other options (e.g. PPTP), uncheck them
‣ Check the box “Specify Remote Node”
‣ Peer ID: Enter an identifier for this connection (e.g.
Step 4 - Set the Pre-Shared Key
‣ Click the “IKE Pre-Shared Key” button
‣ Pre-Shared Key: Enter a password for the connection ➋
‣ Re-type Pre-Shared Key: Enter the same password again ➋
‣ Click “Confirm” in the pop-up window
‣ Click “Ok” to save the new Remote Dial-in User.
Step 5 - Retrieve the LAN Settings
‣ Click on the large “Vigor ...
Task 2 – Configure VPN Tracker
This section describes how to configure VPN Tracker to connect to your DrayTek. You will need the configuration information you collected during Task 1.
‣ Start VPN Tracker
‣ Click the “+” button in the main window
You will be asked to select a device profile for the new connection:
‣ Select “DrayTek” from the list
‣ Select your device from the list of DrayTek devices.
‣ If there is more than one choice, choose “Remote Dial-In User Profile”.
Step 2 – Configure the VPN Connection
‣ VPN Gateway: Enter your DrayTek’s public IP address ➏. If you are using Dynamic DNS, or if the device has a DNS host name, use it instead (in our example, we are using the host name “vpn.example.com”)
‣ Local Address: Can be left empty for now.
Task 3 – Test the VPN Connection
This section explains how to start and test your VPN connection. It's time to go out! You will not be able to test and use your VPN connection from within the internal network that you want to connect to. In order to test your connection, you will need to connect from a different location. For example, if you are setting up a VPN connection to your office, test it from home.
When you are prompted for your pre-shared key:
‣ Pre-shared key: Enter the pre-shared key that you configured on the VPN gateway ➋
‣ Optionally, check the box “Store in Keychain” to save the password in your keychain so you are not asked for it again when connecting the next time
‣ Click “OK”
‣ If the slider goes back to Off after starting the connection, or after entering your pre-shared key, please read the Troubleshooting section of this document
‣ If the slider goes to On and turns green after a wh
Supporting Multiple Users
Once your VPN expands to multiple users (or even just yourself connecting from multiple computers simultaneously), there are certain issues you will have to consider. Primarily, you must ensure that IP addresses do not conflict. In addition to purely technical considerations, VPN Tracker makes it easy to distribute pre-configured connections to your users, and prevent the modification of VPN connections and access to confidential data.
Configuring the DrayTek for Multiple Users
Adding new VPN users to your DrayTek is easy: For each additional VPN user, simply add a new “Remote Dial-In User” profile, with a different Peer ID, and – if desired – a different pre-shared key. With some DrayTek models and firmware revisions it may be possible for multiple users to share a single Remote Dial-In User Profile. However, it will still be necessary for each of the users of such a shared profile to have a different “Local Address” in VPN Tracker.
Deploying VPN Connections to Your Users
VPN Tracker Professional Edition offers a number of ways to easily distribute pre-configured connections to users. It is even possible to create a custom VPN Tracker application that contains a pre-configured connection and a license voucher for your users.
‣ Encryption Password: Exported connections are always encrypted.
Troubleshooting
In most cases, your connection should work fine if you follow the instructions above. If you cannot connect, please read on.
VPN Connection Fails to Establish
On/Off Slider goes back to “Off” right away
If the slider goes back to “Off” right away, please make sure you have entered all the required information. VPN Tracker will highlight fields where information is missing or obviously incorrect.
Cannot Access Resources on the Remote Network
If the connection slider goes to ON and turns green, but you cannot access resources (servers, email, etc.) in the remote network, please check the following points:
Connect by IP address instead of host name
If you are not connecting to the resource by IP address (e.g. 192.168.13.42), but are using a host name (e.g. server.example.com), please try using the resource’s IP address instead.
Check if the IP address of the resource is part of the remote network
Please make sure that the IP address of the resource that you are connecting to is actually contained in the remote network(s). Also double-check the network mask that you have configured for the remote network(s) in VPN Tracker.
Tip: The network mask (e.g. 255.255.255.0) determines the size of a network. Some examples: The network 192.168.1.0/255.255.255.0 contains all IP addresses starting with 192.168.1.x. The network 192.168.1.0/255.
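To make the membership check above concrete, here is an added Python example (it is not part of the equinux guide and not VPN Tracker code) that reproduces what the remote network address and network mask mean: whether a resource address falls inside the configured remote network, how many addresses a given mask covers, and whether the network address you typed still has host bits set, which happens when the LAN IP address is copied instead of the LAN network address. The 192.168.13.0 / 255.255.255.0 office network and the 192.168.13.42 address come from this guide; the remaining addresses are constructed sample values.

```python
import ipaddress


def remote_network(network_address: str, netmask: str) -> ipaddress.IPv4Network:
    """Build the remote network from a dotted network address and dotted mask,
    the two values entered for a remote network in VPN Tracker.
    strict=False tolerates a network address with host bits set, so
    192.168.13.5 / 255.255.255.0 still yields 192.168.13.0/24."""
    return ipaddress.IPv4Network(f"{network_address}/{netmask}", strict=False)


def has_host_bits(network_address: str, netmask: str) -> bool:
    """True if the entered network address is really a host address for this
    mask (e.g. 192.168.13.5 with 255.255.255.0). The tunnel still covers the
    right network, but the entry is a sign that the LAN IP address was copied
    instead of the LAN network address."""
    try:
        ipaddress.IPv4Network(f"{network_address}/{netmask}", strict=True)
    except ValueError:
        return True
    return False


def network_size(network_address: str, netmask: str) -> int:
    """Number of addresses the mask covers: 256 for 255.255.255.0, 65536 for 255.255.0.0."""
    return remote_network(network_address, netmask).num_addresses


def resource_in_remote_network(resource_ip: str, network_address: str, netmask: str) -> bool:
    """True if resource_ip lies inside the configured remote network, i.e.
    traffic to it is sent through the tunnel rather than out the normal route."""
    return ipaddress.IPv4Address(resource_ip) in remote_network(network_address, netmask)


def check_resources(network_address: str, netmask: str, resources):
    """Map each resource address to whether it is inside the remote network."""
    net = remote_network(network_address, netmask)
    return {ip: ipaddress.IPv4Address(ip) in net for ip in resources}


if __name__ == "__main__":
    # The guide's office network plus constructed addresses inside and outside it.
    office_net, office_mask = "192.168.13.0", "255.255.255.0"
    for ip, inside in check_resources(office_net, office_mask,
                                      ["192.168.13.42", "192.168.14.42", "10.0.0.5"]).items():
        state = "inside" if inside else "NOT inside"
        print(f"{ip}: {state} {remote_network(office_net, office_mask)}")
    print("addresses covered by 255.255.255.0:", network_size(office_net, office_mask))
    print("addresses covered by 255.255.0.0:", network_size(office_net, "255.255.0.0"))
    print("host bits set in 192.168.13.5 / 255.255.255.0:",
          has_host_bits("192.168.13.5", office_mask))
```

Run it with the remote network and mask from your own VPN Tracker connection and the address of the resource you cannot reach; a resource that reports "NOT inside" will never be routed through the tunnel, no matter how the DrayTek side is configured.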
Appendix
The Role of the Local Address in VPN Tracker
The local address is the IP address that your Mac uses in the remote network when connected through VPN. If the Local Address field is left empty, the Mac’s actual local IP address (as shown in System Preferences > Network) is used.
Advanced Users
The Local Address is used as the endpoint of the IPsec Security Association (SA) on the VPN Tracker side that is established in phase 2 of the connection process.
Local Addresses for the More Curious
Why can’t I use a Local Address from my DrayTek’s LAN?
It may sound a bit unusual to use IP addresses that are not part of the DrayTek’s LAN. The reason for this is that the DrayTek cannot act as a so-called “ARP Proxy” for its VPN clients. Computers on the DrayTek’s LAN therefore must be “tricked” into sending replies for VPN clients to the DrayTek by using IPs from outside the local network (for which replies are sent to the default gateway).
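As an added example (not from the equinux guide and not VPN Tracker or DrayTek code), the following Python checks a Local Address plan against the two rules this guide states: every user's Local Address must lie outside the DrayTek LAN (the LAN Network Address ➎ with the LAN Subnet Address ➍), because the DrayTek cannot proxy-ARP for VPN clients, and, as the "Supporting Multiple Users" section requires, no two users may use the same Local Address. The LAN 192.168.13.0 / 255.255.255.0 comes from the guide; the user names and their addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, List


def check_local_addresses(lan_network: str, lan_mask: str, users: Dict[str, str]) -> List[str]:
    """Return a list of problems found in the users' Local Address assignments.
    lan_network / lan_mask are the DrayTek's LAN Network Address and LAN Subnet
    Address; users maps a user name to the Local Address entered in that user's
    VPN Tracker connection. An empty list means the plan is consistent."""
    lan = ipaddress.IPv4Network(f"{lan_network}/{lan_mask}", strict=False)
    problems: List[str] = []
    owner: Dict[ipaddress.IPv4Address, str] = {}
    for user, address in users.items():
        try:
            ip = ipaddress.IPv4Address(address)
        except ValueError:
            problems.append(f"{user}: '{address}' is not a valid IPv4 address")
            continue
        # Appendix rule: the DrayTek cannot act as ARP proxy for VPN clients, so
        # LAN hosts would ARP for an in-LAN address and never send replies to the
        # gateway; the Local Address must therefore be outside the LAN.
        if ip in lan:
            problems.append(f"{user}: {address} lies inside the DrayTek LAN {lan}; "
                            "choose an address outside it")
        # Multiple-users rule: two simultaneous clients with the same Local
        # Address conflict, whether or not they share a Remote Dial-In User profile.
        if ip in owner:
            problems.append(f"{user}: {address} is already used by {owner[ip]}")
        else:
            owner[ip] = user
    return problems


if __name__ == "__main__":
    # Constructed plan for three teleworkers; the LAN is the guide's office network.
    plan = {"alice": "10.10.10.1", "bob": "192.168.13.200", "carol": "10.10.10.1"}
    findings = check_local_addresses("192.168.13.0", "255.255.255.0", plan)
    for line in findings or ["no problems found"]:
        print(line)
```

The sample plan produces two findings: bob's address sits inside the office LAN, and carol reuses alice's address. Keeping the plan in one place like this also makes it easy to spot free addresses when the next user is added.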