Setting up site-to-site on DrayTek Vigor 3900
- 2 Minutes to read
Setting up site-to-site on DrayTek Vigor 3900
- 2 Minutes to read
Article Summary
Share feedback
Thanks for sharing your feedback!
Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Configuring the tunnel on the DrayTek Management Interface
Open the DrayTek management interface
In the left panel, select VPN and Remote Access, then select VPN Profiles. Select the add to create a new profile
- Under the Basic tab, fill in the following information:
- Auto Dial-Out: Enable; Always Dial-Out
- Dial-Out through: Your WAN interface; Default WAN IP
- Failover: Should remain with the null value.
- Local IP/Subnet Mask: Insert your FW external address and specify the correlating subnets.
- Remote Host: The IP of your NordLayer dedicated server
- Remote ID/Subnet Mask: The default values are 10.6.0.0 and 255.255.240.0/20
- IKE Protocol: IKEv1
- IKE Phase 1: Main Mode
- Auth Type: PSK
- Pre-shared Key: Generate a pre-shared key (we will need this on our end as well)
- Security Protocol: ESP
- Fill in the following information in the Advanced section:
Please be aware that the Phase 1 and Phase 2 values may not be accurately reflected in the screenshots supplied below. For maximum security and stability of the VPN connection, it is advised to configure the Phase 1 SA lifetime to 3600 seconds and the Phase 2 SA lifetime to 28800 seconds
- Phase 1 Key Lifetime: 3600 seconds
- Phase 2 Key Lifetime: 28800 seconds
- Perfect Forward Secrecy Status: Enable
- DPD Status: Enable
- DPD Delay: 30 seconds
- DPD Timeout: 120 seconds
- Ping to Keep Alive: Disable
- Route/NAT Mode: Route
- Source IP: Auto-detect
- Apply NAT Policy: Disable
- Set VPN Default Gateway: Disable
- Netbios Naming Packet: Disable
- Multicast via VPN: Disable
- Rip via VPN: Disable
- Packet Triggered: Enable
- Force UDP Encapsulation: Disable
- Fill in the following information in the GRE section:
- Enable GRE Function: Disable
- Auto Generate GRE Key: Enable
- Fill in with the following information in the Proposal section:
- IKE Phase 1 Proposal: AES 256
- IKE Phase 1 Authentication: SHA1
- IKE Phase 2 Proposal: AWS 256 with auth
- IKE Phase 2 Authentication: SHA1
- Accepted Proposal: Acceptabove
- Leave the checkbox unmarked in the Multiple SAs section. Make sure to enable the profile and click Apply
- If the tunnel is up, the profile will be green in the Connection Management tab:
Ending note:
In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.
Was this article helpful?