
Application Note for Vigor2200 series VPN function firmware v2.00
16 Nov, 2001

-----------------------------------------------------------------------
New       : DrayTek Vigor2200 series VPN function 
-----------------------------------------------------------------------

Part A. Introduction to the DrayTek VPN Solution

DrayTek VPN Solution
1. Remote Access VPN
   A remote access VPN connection is made by a remote access client, a 
single-user computer (for example Windows 2000), that connects to a private 
network through a DrayTek Vigor broadband access router. The DrayTek Vigor 
broadband access router provides the following remote access VPN solutions.

- Point-to-Point Tunneling Protocol (PPTP)
  The Point-to-Point Tunneling Protocol (PPTP) encapsulates Point-to-Point 
  Protocol (PPP) frames into IP datagrams for transmission over an IP-based 
  internetwork, such as the Internet or a private intranet.

- Layer Two Tunneling Protocol (L2TP)
  L2TP encapsulates PPP frames to be sent over an IP network. The encapsulated 
  PPP frames can be encrypted or compressed. Through its use of PPP, L2TP 
  gains multi-protocol support for protocols such as IPX and AppleTalk. PPP 
  also provides a wide range of user authentication options, including CHAP, 
  MS-CHAP and MS-CHAPv2. Note that L2TP tunneling on its own adds no 
  encryption; for confidentiality use L2TP with IPSec (below).

- L2TP with IPSec Transport Mode 
  By placing L2TP as the payload of an IPSec packet, the connection benefits 
  from the standards-based encryption and authentication of IPSec.

2. LAN-to-LAN VPN Connection
   A LAN-to-LAN VPN connection is made between two routers and joins two 
portions of a private network. The VPN server provides a routed connection to 
the network to which it is attached. The DrayTek Vigor broadband access 
router supports PPTP, L2TP, L2TP with IPSec and IPSec tunnel mode for 
LAN-to-LAN VPNs.

Key features of the DrayTek VPN
- Supports up to 8 links simultaneously
- Provides PPTP, L2TP and L2TP/IPSec for remote access (client-server)
- Provides PPTP, L2TP, L2TP/IPSec and IPSec tunnel mode for LAN-to-LAN VPN 
  (server-server)
- IPSec
  >Supports IKE for automatic security negotiation and key management
    >>Currently uses pre-shared keys for authentication to establish trust 
      between hosts.
  >Provides DES (56-bit key) and 3DES (168-bit key) encryption algorithms, 
   and SHA-1 and MD5 integrity algorithms for ESP.
  >Provides SHA-1 and MD5 integrity algorithms for AH (AH gives integrity 
   only, no confidentiality).


Part B. Step-by-Step Setup of DrayTek VPN Connections

This part shows how to set up DrayTek VPN connections step by step. The 
IPSec tunnel LAN-to-LAN, L2TP LAN-to-LAN and L2TP remote dial-in 
connections are covered.

Application 1. LAN-to-LAN VPN Connection by IPSec Tunnel

Router 1, the dial-in VPN router, has LAN 192.168.1.0/24 behind NAT, and 
Router 2, the dial-out VPN router, has LAN 192.168.2.0/24 behind NAT. Both 
routers have a public WAN IP, either from a permanent connection or assigned 
by the ISP on each ISDN/PPPoE/PPTP Internet access connection.

1. Set-up for Router 1 (Dial-in)
   - Create a LAN-to-LAN Dialer Profile in Advanced Setup
     >Fill in the Profile Name and enable this profile
     >Set Call Direction to "Dial-in"
     >Select dial-in type "IPSec Tunnel". More than one dial-in type can be 
      selected here.
      Note: You do not need to fill in a user name and password if you use 
      IPSec tunnel; IKE authenticates the peer with the pre-shared key instead.

     >Configure the TCP/IP Network Setting as follows:
      My WAN IP 		0.0.0.0       (Don't care at this point)
      Remote Gateway IP		0.0.0.0       (Don't care at this point)
      Remote Network IP		192.168.2.0
      Remote Network Mask	255.255.255.0
      And set "For NAT operation, treat remote sub-net as" to "Private IP"
   - Set up the IKE/IPSec parameters in the Advanced Setup>IKE/IPSec Setup page
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Fill in the Pre-shared Key for IKE authentication in Dial-in Setup, for 
      example "ABC123". ("ABC123" is only an example; IKE pre-shared-key 
      authentication is only as strong as the key, so use a long random key 
      and enter the same key on both ends.)
     >Select the Allowed Security Methods. If you only enable "High" and select
      "DES with Authentication", you only allow the ESP protocol with DES
      encryption and MD5 or SHA-1 authentication; the AH protocol and ESP with
      3DES encryption are refused.
      Note: If you leave the Pre-shared Key blank in Dial-in Setup, the dial-in
            function is disabled. Likewise, if none of the security methods 
            (Medium and High) is selected, the dial-in function is disabled.

2. Set-up for Router 2 (Dial-out)
   - Create a LAN-to-LAN Dialer Profile
     >Fill in the Profile Name and enable this profile
     >Set Call Direction to "Dial-out"
     >Fill in the IP of the server you want to dial out to in the Dial-out 
      Setting. 
      >>Select "IPSec Tunnel" for the dial-out type. 
      >>Select a security method, either Medium (AH, integrity only, no 
        encryption) or High (ESP-DES with authentication or 3DES with 
        authentication). The method must be one the dial-in router allows.
     >Configure the TCP/IP Network Setting as follows:
      My WAN IP 		0.0.0.0	      (Don't care at this point)
      Remote Gateway IP		0.0.0.0       (Don't care at this point)
      Remote Network IP		192.168.1.0
      Remote Network Mask	255.255.255.0
      And set "For NAT operation, treat remote sub-net as" to "Private IP"
   - Set up the Dial-out Pre-shared Key in the Advanced Setup>IKE/IPSec Setup 
     page
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Fill in the Pre-shared Key for IKE authentication in Dial-out Setup, for 
      example "ABC123" (the same key as on Router 1).
      Note: If you leave the Pre-shared Key blank in Dial-out Setup, the 
            dial-out function is disabled.

Once the set-up is complete, you can ping any host in LAN1 from LAN2 to 
verify that the VPN configuration is correct. Alternatively, use VPN 
Connection Management in System Management to "Dial-up" (connect) the VPN 
directly from the dial-out router (Router 2 in this case). Once the link is 
up, the VPN connection status/information is also shown in the VPN Connection 
Management page, and a "Drop" button lets you disconnect the link.

Application 2. LAN-to-LAN VPN Connection by L2TP with or without IPSec

Router 1, the dial-in VPN router, has LAN 192.168.1.0/24 behind NAT, and 
Router 2, the dial-out VPN router, has LAN 192.168.2.0/24 behind NAT. Both 
routers have a public WAN IP, either from a permanent connection or assigned 
by the ISP on each ISDN/PPPoE/PPTP Internet access connection.

1. Set-up for Router 1 (Dial-in)
   - Create a LAN-to-LAN Dialer Profile in Advanced Setup
     >Fill in the Profile Name and enable this profile
     >Set Call Direction to "Dial-in"
     >Fill in the Username and Password for the dial-in user and select 
      dial-in type "L2TP" in the Dial-in Setting. More than one dial-in type 
      can be selected here.
     >Configure the TCP/IP Network Setting as follows:
      My WAN IP 		0.0.0.0       (Don't care at this point)
      Remote Gateway IP		0.0.0.0       (Don't care at this point)
      Remote Network IP		192.168.2.0
      Remote Network Mask	255.255.255.0
      And set "For NAT operation, treat remote sub-net as" to "Private IP"
   - Set up the IKE/IPSec parameters in the Advanced Setup>IKE/IPSec Setup page
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Fill in the Pre-shared Key for IKE authentication in Dial-in Setup, for 
      example "ABC123".
     >Select the Allowed Security Methods. If you only enable "High" and select
      "DES with Authentication", you only allow the ESP protocol with DES
      encryption and MD5 or SHA-1 authentication; the AH protocol and ESP with
      3DES encryption are refused.
      Note: If you leave the Pre-shared Key blank in Dial-in Setup, the dial-in
            function is disabled. Likewise, if none of the security methods 
            (Medium and High) is selected, the dial-in function is disabled.

2. Set-up for Router 2 (Dial-out)
   - Create a LAN-to-LAN Dialer Profile
     >Fill in the Profile Name and enable this profile
     >Set Call Direction to "Dial-out"
     >Fill in the Username and Password for the dial-out user, and fill in the 
      IP of the server you want to dial out to in the "Server IP for VPN" 
      field of the Dial-out Setting. 
      >>Select "L2TP" for the dial-out type with IPSec policy "None", 
        "Nice to Have" or "Must". "Nice to Have" lets the link come up as 
        plain L2TP, with no IPSec protection, if IPSec is not negotiated; 
        select "Must" if the link must never run without IPSec.
      >>If IPSec Policy "Nice to Have" or "Must" is selected, select a security
        method for IPSec, either Medium (AH) or High (ESP-DES with 
        authentication or 3DES with authentication).
     >Configure the TCP/IP Network Setting as follows:
      My WAN IP 		0.0.0.0       (Don't care at this point)
      Remote Gateway IP		0.0.0.0       (Don't care at this point)
      Remote Network IP		192.168.1.0
      Remote Network Mask	255.255.255.0
      And set "For NAT operation, treat remote sub-net as" to "Private IP"
   - Set up the Dial-out Pre-shared Key in the Advanced Setup>IKE/IPSec Setup 
     page
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Fill in the Pre-shared Key for IKE authentication in Dial-out Setup, for 
      example "ABC123" (the same key as on Router 1).
      Note: If you leave the Pre-shared Key blank in Dial-out Setup, the 
            dial-out function is disabled.

Once the set-up is complete, you can ping any host in LAN1 from LAN2 to 
verify that the VPN configuration is correct. Alternatively, use VPN 
Connection Management in System Management to "Dial-up" (connect) the VPN 
directly from the dial-out router (Router 2 in this case). Once the link is 
up, the VPN connection status/information is also shown in the VPN Connection 
Management page, and a "Drop" button lets you disconnect the link.


Application 3. Remote Dial-in Connection by L2TP with or without IPSec
               (Windows 2000 Pro. to Vigor2200 series)

A Vigor2200 series router, the dial-in VPN server, has LAN 192.168.1.0/24 
behind NAT, and a Windows 2000 host, the dial-out VPN client, has an IP 
address assigned by its ISP. 

1. Set-up for Vigor2200 Series Router (Dial-in Server)
   - Configure the 1st IP Address and Network Mask for NAT usage in Basic Setup>
     LAN TCP/IP and DHCP Setup. Also disable IP routing usage.
   - Configure Quick Setup>Remote Dial-in Access Setup
     >Enable Dial-in Service
     >Set Dial-in Authentication to "PAP or CHAP" (PAP sends the password in 
      the clear inside the PPP link, so on a plain L2TP connection without 
      IPSec CHAP is the safer choice)
     >Fill in the start IP address for dial-in users
   - Configure Advanced Setup>Remote Dial-in User Setup
     >Fill in the Username and Password for a dial-in user
     >Select dial-in type L2TP in the Dial-in Setting and set IPSec Policy to 
      "Nice to Have". This means you allow L2TP connections with or without 
      IPSec; set "Must" if only L2TP with IPSec may be accepted.
     >Leave the other fields at their default settings.
   - Set up the IKE/IPSec parameters in the Advanced Setup>IKE/IPSec Setup page
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Fill in the Pre-shared Key for IKE authentication in Dial-in Setup, for 
      example "ABC123".
     >Select the Allowed Security Methods. If you only enable "High" and select 
      "DES with Authentication", you only allow the ESP protocol with DES 
      encryption and MD5 or SHA-1 authentication; the AH protocol and ESP with
      3DES encryption are refused.
      Note: If you leave the Pre-shared Key blank in Dial-in Setup, the dial-in 
            function is disabled. Likewise, if none of the security methods 
            (Medium and High) is selected, the dial-in function is disabled.

2. Set-up for Windows 2000 (Dial-out client)
   %Note: The following instructions are very important. Please read them 
   carefully. By default, Windows 2000 always makes L2TP connections with 
   IPSec, authenticated with a certificate from a Certification Authority 
   (CA). To stop Windows 2000 from enforcing L2TP with IPSec and CA 
   certificates, you must add the registry value ProhibitIpSec = 1 under 
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters with 
   the regedit tool. With this value set, L2TP runs with or without IPSec 
   depending on which IP security policy is assigned. We therefore suggest 
   setting ProhibitIpSec = 1 even if you only want L2TP with IPSec, as in the 
   Windows 2000 default. Restart the computer so the setting takes effect.
   - Add the registry value ProhibitIpSec = 1
     >Start -> Run -> regedit -> add a DWORD value named ProhibitIpSec with 
      data 1 under the following key
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
   - Create an IP security policy with DES encryption and MD5 authentication
     Note: This step is only necessary if you are going to make a connection 
           by L2TP with IPSec Policy ("Nice to Have" or "Must") or by IPSec 
           Tunnel.
     >Start -> Programs -> Administrative Tools -> Local Security Policy
      Right-click "IP Security Policies on Local Machine" and select "Create 
      IP Security Policy", then follow the IP Security Policy Wizard to set up 
      a policy with the following settings
      >>Set up an IP filter list that invokes IKE negotiation when you dial out 
        an L2TP connection, for example an IP filter with source address "My 
        IP Address" and destination address the server IP address. Enable 
        Mirrored.
      >>Select "Negotiate security" in the Filter Action with Security Method =
        High (DES for ESP confidentiality and MD5 for ESP integrity), matching 
        a method the router allows
      >>Select "Preshared key" under Authentication Methods and enter 
        "ABC123", the key set up in the Vigor2200 series router's IKE/IPSec 
        Setup page
      >>Tunnel Setting -> None (transport mode) 
      >>Select "Any Network Connections" in Connection Type
      Right-click this security policy to assign/unassign it.
   - Use the "Make New Connection" wizard in Network and Dial-up Connections to 
     create a VPN (L2TP) connection dial-up icon. Fill in the server IP 
     address as the destination address.
   - Verify that the VPN connection type is correct (L2TP). Windows 2000's 
     default VPN type ("Automatic") tries PPTP first. 
     >Right-click the VPN connection icon created in the previous step and 
      choose Properties -> Networking tab -> Type of VPN server
   - Verify that the PPP authentication method matches the server side (PAP 
     or CHAP)
     >Right-click the VPN connection icon and choose Properties -> Security 
      tab -> Advanced (custom settings)
           
   Once the set-up is complete, double-click the dial-up connection icon you 
   created for the L2TP VPN connection and fill in the user name and password 
   set in the Vigor2200 series router's Dial-in User Setup page. If the 
   security policy is assigned, IKE negotiation starts first; after IKE 
   negotiation the following packets (the L2TP link packets) are protected by 
   IPSec, giving an L2TP with IPSec VPN connection. You can use Windows 2000's 
   IP Security Monitor to verify that the security association has been 
   created (start it with Start -> Run "ipsecmon"). Otherwise (security policy 
   unassigned) it is a pure L2TP VPN connection with no IPSec protection. The 
   VPN Connection Management web page in the DrayTek router Web Configurator 
   shows the VPN connection status.

   Note: Every time you create an L2TP+IPSec connection, make sure there is 
         no leftover security association between the client (Windows 2000) 
         and the server (Vigor2200 series) by checking the security 
         associations in IP Security Monitor. You can clear a security 
         association by unassigning the related security policy in Windows 
         2000's Local Security Policy tool.
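   The three applications above all depend on the same matching rules: the 
   dial-in side only completes IKE when a pre-shared key is set and the 
   dial-out proposal is one of its Allowed Security Methods, and an L2TP 
   profile with IPSec policy "Nice to Have" still comes up as plain L2TP when 
   IPSec is not negotiated. The following Python model is an added example 
   written for this note, not DrayTek firmware or configuration code: the 
   class and function names are assumptions, the exact fallback order for 
   "Nice to Have" and "Must" is the editor's reading of the text rather than 
   documented firmware behaviour, and the profiles at the bottom are 
   constructed to mirror the note's examples. It shows which combinations 
   bring the link up and flags links that come up without confidentiality.

```python
"""
Model of the IKE/IPSec policy matching that this note describes for the
Vigor2200 dial-in and dial-out profiles.  Added illustration for this
application note, not DrayTek firmware code: the class and function
names are assumptions, and the "Nice to Have" fallback order is the
editor's reading of the text, not a documented firmware behaviour.
"""
from dataclasses import dataclass

# Security methods offered on the note's IKE/IPSec Setup page.
MEDIUM_AH = "Medium (AH)"
HIGH_ESP_DES = "High (ESP-DES with authentication)"
HIGH_ESP_3DES = "High (ESP-3DES with authentication)"
ALL_METHODS = frozenset({MEDIUM_AH, HIGH_ESP_DES, HIGH_ESP_3DES})

# IPSec policies selectable on an L2TP profile.
NONE, NICE_TO_HAVE, MUST = "None", "Nice to Have", "Must"


@dataclass
class DialIn:
    pre_shared_key: str
    allowed_methods: frozenset        # the "Allowed Security Method" boxes
    l2tp_policy: str = NICE_TO_HAVE   # only consulted by L2TP profiles


@dataclass
class DialOut:
    pre_shared_key: str
    method: str                       # the one method the dial-out side proposes
    l2tp_policy: str = NICE_TO_HAVE


def ike_negotiate(server, client):
    """Return the agreed security method, or None when IKE cannot complete.

    From the note: a blank pre-shared key disables that side's IKE function,
    a dial-in side with no allowed method is disabled, and the proposal must
    be one of the dial-in side's allowed methods.  A key mismatch is modelled
    as an IKE authentication failure (assumption).
    """
    if not server.pre_shared_key or not client.pre_shared_key:
        return None
    if not (server.allowed_methods & ALL_METHODS):
        return None
    if server.pre_shared_key != client.pre_shared_key:
        return None
    return client.method if client.method in server.allowed_methods else None


def connect_ipsec_tunnel(server, client):
    """IPSec Tunnel dial-out type: the link is up only if IKE succeeds."""
    method = ike_negotiate(server, client)
    return {"up": method is not None, "protection": method}


def connect_l2tp(server, client):
    """L2TP dial-out type with an IPSec policy on each side (modelled)."""
    policies = (server.l2tp_policy, client.l2tp_policy)
    if NONE in policies:
        # Nobody starts IKE; a "Must" side on the other end refuses plain L2TP.
        return {"up": MUST not in policies, "protection": None}
    method = ike_negotiate(server, client)
    if method is not None:
        return {"up": True, "protection": method}
    if MUST in policies:
        return {"up": False, "protection": None}
    # Both sides are "Nice to Have": the link silently falls back to plain
    # L2TP, so the PPP frames cross the Internet unencrypted.
    return {"up": True, "protection": None}


def weaknesses(result):
    """List what a reviewer would object to on an established link."""
    findings = []
    if not result["up"]:
        return findings
    if result["protection"] is None:
        findings.append("no IPSec: L2TP/PPP frames are sent in cleartext")
    elif result["protection"] == MEDIUM_AH:
        findings.append("AH only: integrity without confidentiality")
    elif result["protection"] == HIGH_ESP_DES:
        findings.append("single DES: 56-bit key")
    return findings


if __name__ == "__main__":
    # Constructed profiles mirroring the note's examples (pre-shared key "ABC123").
    server = DialIn("ABC123", frozenset({HIGH_ESP_DES}))
    print(connect_ipsec_tunnel(server, DialOut("ABC123", HIGH_ESP_DES)))  # up, ESP-DES
    print(connect_ipsec_tunnel(server, DialOut("ABC123", MEDIUM_AH)))     # refused
    downgraded = connect_l2tp(server, DialOut("wrong-key", HIGH_ESP_DES))
    print(downgraded, weaknesses(downgraded))                              # up, cleartext
```

   Running it shows that a dial-in profile allowing only "DES with 
   Authentication" refuses an AH proposal, exactly as the note says, and that 
   two "Nice to Have" sides with a mismatched pre-shared key still connect, 
   silently in cleartext. That is why "Must" is the policy to choose on both 
   ends whenever the link carries anything sensitive.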
End