Configuration on the first router (Location A)

Set up DynDNS account

A list of all configured DynDNS registrations is displayed in the DynDNS Update menu. Select the New button to perform additional DynDNS registrations.

  1. Go to Local Services -> DynDNS Client -> DynDNS Update -> New.

Local Services -> DynDNS Client -> DynDNS Update -> New

Proceed as follows:

  1. Under Host Name enter the complete host name as registered with the DynDNS provider, e.g. test1.dyndns.org.

  2. Select the WAN Interface whose IP address is to be propagated over the DynDNS service (e.g. DSL ISP, the interface of the Internet Service Provider).

  3. Enter the User Name as registered with the DynDNS provider.

  4. Enter the Password as registered with the DynDNS provider.

  5. Select the DynDNS Provider with which the above data is registered.

  6. Activate the Enable update function so that the DynDNS entry configured here is activated.

  7. Confirm with OK.

IPSec Peer Configuration

In a computer network, a peer is an endpoint of a communication.

Select the New button to set up a new IPSec peer.

  1. Go to VPN -> IPSec -> IPSec Peers -> New.

VPN -> IPSec -> IPSec Peers -> New

Proceed as follows to make the settings in the IPSec peer:

  1. Set Administrative Status to Active. The peer is available for setting up a tunnel immediately after saving the configuration.

  2. Enter a Description of the peer that identifies it.

  3. Indicate the remote Peer Address (here, the DynDNS account of the bintec be.IP).

  4. The Peer ID must match the Local ID value of the remote terminal. Select Fully Qualified Domain Name (FQDN) and enter an identification for the partner, e.g. be.IP_test2.

  5. Under Preshared Key enter the password for the encrypted connection.

  6. For IPv4 Address Assignment, select Static.

  7. Deselect the Default Route option.

  8. The Local IP Address is the IP address of the router LAN interface.

  9. Under Remote IP Address enter the partner network to be reached, e.g. 192.168.200.0, and under Netmask enter 255.255.255.0.

  10. Press OK to confirm your entries.

Phase-1 Profiles

In the Phase-1 Profiles menu, you can define the Phase 1 (IKE) settings. Click on the icon to edit existing entries. Select the New button to create new profiles.

  1. Go to VPN -> IPSec -> Phase-1 Profiles -> New.

VPN -> IPSec -> Phase-1 Profiles -> New

Proceed as follows:

  1. Enter a Description that uniquely defines the type of rule.

  2. Under Proposal Encryption select Blowfish, under Authentication select MD5. Since at least one proposal must be configured at any one time, the first entry in the list is enabled by default.

  3. Under DH Group select 2 (1024 Bit).

  4. Define a Lifetime for the phase 1 keys. For the lifetime in time, enter 900 seconds. For the lifetime as a volume of processed data, enter 0 KBytes.

  5. Select the Authentication method Preshared Keys.

  6. Set the Mode to Aggressive, because you are using dynamic IP addresses.

  7. Under Local ID Type choose Fully Qualified Domain Name (FQDN).

  8. Under Local ID Value enter the local ID of the gateway, e.g. be.IP_test1 (set under Peer ID for the Partner).

  9. Click Advanced Settings.

  10. Under Alive Check select Dead Peer Detection (idle).

  11. Define under Block Time how long a peer is blocked for tunnel setups after a phase 1 tunnel setup has failed.

  12. Leave NAT Traversal on Enabled.

  13. Confirm with OK.

Phase-2 Profiles

You can define profiles for phase 2 of the tunnel setup just as for phase 1. Click on the icon to edit existing entries. Select the New button to create new profiles.

  1. Go to VPN -> IPSec -> Phase-2 Profiles -> New.

VPN -> IPSec -> Phase-2 Profiles -> New

Proceed as follows:

  1. Enter a Description that uniquely identifies the profile.

  2. Under Proposal Encryption select Blowfish, under Authentication select MD5. Since at least one proposal must be configured at any one time, the first entry in the list is enabled by default.

  3. Activate the Use PFS group option and select 2 (1024 bits).

  4. Define the Lifetime after which the phase 2 SAs need to be renewed. For the lifetime in time, enter 900 seconds. For the lifetime as a volume of processed data, enter 0 KBytes.

  5. Click Advanced Settings.

  6. Set Alive Check to Heartbeats (send & expect).

  7. Activate the option Propagate PMTU.

  8. Confirm with OK.
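
The Peer ID / Local ID Value pairing and the proposal settings above have to agree on both routers. The following added example (not part of the original guide or of the router software) checks a two-site plan for mismatches and lists the values that current guidance treats as weak; Location A's LAN, the key and Location B's mirrored settings are constructed assumptions.

```python
import copy

# Values weak by current guidance: Blowfish and DES (64-bit block), MD5,
WEAK = {"encryption": {"blowfish", "des"}, "authentication": {"md5"},
        "dh_group": {1, 2}, "pfs_group": {1, 2}}  # and DH groups of 1024 bits or less.

# Constructed plan. IDs, remote network and proposals follow the steps above;
# Location A's LAN and the key are assumptions made for this example.
SITE_A = {
    "local_id": "be.IP_test1", "peer_id": "be.IP_test2", "preshared_key": "constructed-key",
    "local_net": "192.168.100.0/24", "remote_net": "192.168.200.0/24",
    "phase1": {"encryption": "blowfish", "authentication": "md5", "dh_group": 2,
               "lifetime": 900, "mode": "aggressive"},
    "phase2": {"encryption": "blowfish", "authentication": "md5", "pfs_group": 2,
               "lifetime": 900},
}
# Location B mirrors A: IDs and networks swapped, everything else identical.
SITE_B = copy.deepcopy(SITE_A)
SITE_B.update(local_id="be.IP_test2", peer_id="be.IP_test1",
              local_net="192.168.200.0/24", remote_net="192.168.100.0/24")


def mismatches(a, b):
    """Return the settings that disagree between the two ends of the tunnel."""
    found = []
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["peer_id"] != y["local_id"]:
            found.append(f"{nx} Peer ID != {ny} Local ID Value")
        if x["remote_net"] != y["local_net"]:
            found.append(f"{nx} remote network != {ny} local network")
    if a["preshared_key"] != b["preshared_key"]:
        found.append("Preshared Key differs")
    for phase in ("phase1", "phase2"):
        for key in a[phase]:
            if a[phase][key] != b[phase].get(key):
                found.append(f"{phase} {key} differs")
    return found


def weak_settings(site):
    """Return (phase, setting, value) for each value in WEAK, plus aggressive mode."""
    found = [(phase, key, value) for phase in ("phase1", "phase2")
             for key, value in site[phase].items() if value in WEAK.get(key, ())]
    if site["phase1"].get("mode") == "aggressive":
        # Aggressive mode sends a hash derived from the preshared key before the
        # exchange is encrypted, so a captured handshake allows offline guessing.
        found.append(("phase1", "mode", "aggressive"))
    return found
```

Run `mismatches(SITE_A, SITE_B)` before entering the values on both routers, and use the `weak_settings` output to decide which proposals to replace with stronger ones that both devices offer.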