D-Link Forums

D-Link VPN Router => DSR-250N => Topic started by: SarahDP on November 07, 2016, 02:41:16 AM

Title: IPSEC BETWEEN TWO DSR-250N
Post by: SarahDP on November 07, 2016, 02:41:16 AM
Hello,
I have two PCs and two DSR-250Ns. Each PC is connected to its DSR-250N by the LAN port, while the DSR-250Ns are connected to each other via their WAN ports.
How can I configure my IPSEC Policy to connect PC1 to PC2?
Do I have to enable L2TP Server and Client?

Sarah
Title: Re: IPSEC BETWEEN TWO DSR-250N
Post by: FurryNutz on November 07, 2016, 07:06:00 AM
Is there information in the user manual regarding IPSEC configurations on the DSR routers?
Title: Re: IPSEC BETWEEN TWO DSR-250N
Post by: PacketTracer on November 07, 2016, 02:08:25 PM
Hi,

Quote
While DSR-250N are connected with the WAN port

The WAN ports are not connected to the Internet but are attached to each other 'back to back'? Hence it is a test setup for VPN?

This is a simple model for a typical site-to-site IPsec-VPN, where both boxes operate as IPsec gateways for IPsec in tunnel mode in order to interconnect both LAN networks behind the boxes. Hence not only the two PCs but any PC at the one site can talk to any PC at the other site, as if they were connected by a single router. They aren't even aware of the VPN between them, and no extra configuration (such as L2TP) is needed at the PCs beyond what is needed without the VPN.

To make this work you have to make sure that the LAN networks at both sites use different network addresses, such as 192.168.1.0/24 and 192.168.2.0/24. In the boxes you have to specify plain IPsec with ESP in tunnel mode without L2TP and without NAT traversal. The peer address for one box is the WAN address of the other box, respectively. For each box you have to specify the remote LAN network behind the other box. Use IKEv1 with Main Mode authenticated via preshared key. Specify the same set of DH groups and security algorithms at both sites.

Later, if you connect the WAN interfaces to the Internet, the public addresses used should be static, hence they can be specified as peer addresses to each other. If one site doesn't have a static public address you need a dynamic DNS service (e.g. Dyn or Freedns) that resolves a fixed DNS name to the present public IP address. In this case, in the other box you would specify the peer address of type FQDN using that DNS name.

PT
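A consistency check for the pairing rules described in the post above, added here as example code (not from the thread and not D-Link's own): it takes two site descriptions and reports every rule the pair violates. The field names, the back-to-back 10.0.0.x WAN addresses and the sample key are constructed assumptions, not DSR-250N settings.

```python
# Added example: check that two site configs satisfy the site-to-site
# IPsec rules from the post (non-overlapping LANs, crossed peer/remote
# addresses, plain ESP tunnel mode, IKEv1 main mode + PSK, no L2TP, no
# NAT-T, identical DH groups and algorithms). Sample data is constructed.
import ipaddress


def check_site_to_site(a: dict, b: dict) -> list[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems = []
    lan_a = ipaddress.ip_network(a["lan"], strict=True)
    lan_b = ipaddress.ip_network(b["lan"], strict=True)
    # The two LANs must use different, non-overlapping network addresses.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN networks overlap: {lan_a} and {lan_b}")
    for name, me, other in (("site A", a, b), ("site B", b, a)):
        # Each box's peer is the other box's WAN address ...
        if me["peer"] != other["wan"]:
            problems.append(f"{name}: peer {me['peer']} is not the other WAN {other['wan']}")
        # ... and each box's remote network is the other box's LAN.
        if ipaddress.ip_network(me["remote_lan"]) != ipaddress.ip_network(other["lan"]):
            problems.append(f"{name}: remote LAN {me['remote_lan']} != other LAN {other['lan']}")
        # Plain IPsec: ESP tunnel mode, IKEv1 Main Mode with PSK, no L2TP, no NAT traversal.
        for key, want in (("mode", "tunnel"), ("ike_version", 1), ("ike_mode", "main"),
                          ("auth", "psk"), ("l2tp", False), ("nat_traversal", False)):
            if me.get(key) != want:
                problems.append(f"{name}: {key} should be {want!r}, got {me.get(key)!r}")
    # Both sites must offer the same DH groups and security algorithms.
    for key in ("dh_groups", "algorithms"):
        if set(a[key]) != set(b[key]):
            problems.append(f"{key} differ: {sorted(a[key])} vs {sorted(b[key])}")
    # A preshared key only authenticates if both sides hold the same one.
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    return problems


# Constructed sample: WAN ports cabled back to back on 10.0.0.0/30.
COMMON = dict(mode="tunnel", ike_version=1, ike_mode="main", auth="psk",
              l2tp=False, nat_traversal=False, dh_groups=["14"],
              algorithms=["aes256", "sha256"], psk="constructed-sample-psk")
SITE_A = dict(COMMON, lan="192.168.1.0/24", wan="10.0.0.1", peer="10.0.0.2", remote_lan="192.168.2.0/24")
SITE_B = dict(COMMON, lan="192.168.2.0/24", wan="10.0.0.2", peer="10.0.0.1", remote_lan="192.168.1.0/24")

if __name__ == "__main__":
    print(check_site_to_site(SITE_A, SITE_B))  # [] when the pair is consistent
```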