IKEv2 EAP VPN - Vigor Router to Perfect Privacy
This document shows how to create an IKEv2 EAP VPN tunnel from a Vigor Router to a Perfect Privacy VPN server.
Perfect Privacy Setup
1. Create and activate an account via https://www.perfect-privacy.com
2. Download the Perfect Privacy Root CA certificate from https://www.perfect-privacy.com/downloads/ipsec_ca.zip
3. Select a VPN-Server: https://www.perfect-privacy.com/de/customer/download/ipsec?system=draytek
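The router will trust whatever file is imported as a Trusted CA Certificate, so it is worth checking the certificate from step 2 on a workstation before importing it. The script below is an added example, not part of the original instructions; the certificate file name and the expected SHA-256 fingerprint (obtained from the provider over a separate channel) are assumptions, since the page gives neither.

```shell
#!/bin/sh
# Added example: pre-import check for the CA file extracted from ipsec_ca.zip.
# Usage: check_ca <cert-file> <expected-sha256-fingerprint>
# The expected fingerprint is an assumption: obtain it from the provider
# over a separate channel; the page does not list one.

check_ca() {
    ca_file=$1
    ca_expected=$2

    # Accept either PEM or DER encoding.
    if openssl x509 -inform PEM -in "$ca_file" -noout 2>/dev/null; then
        ca_form=PEM
    elif openssl x509 -inform DER -in "$ca_file" -noout 2>/dev/null; then
        ca_form=DER
    else
        echo "FAIL: $ca_file is not an X.509 certificate" >&2
        return 2
    fi

    # A trust anchor must be marked as a CA in basicConstraints.
    if ! openssl x509 -inform "$ca_form" -in "$ca_file" -noout -text |
            grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints does not say CA:TRUE" >&2
        return 3
    fi

    # Reject a certificate that has already expired.
    if ! openssl x509 -inform "$ca_form" -in "$ca_file" -noout \
            -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired" >&2
        return 4
    fi

    # Compare SHA-256 fingerprints, ignoring colons, spaces and case.
    ca_actual=$(openssl x509 -inform "$ca_form" -in "$ca_file" -noout \
        -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')
    ca_want=$(printf '%s' "$ca_expected" | tr -d ': ' | tr 'A-F' 'a-f')
    if [ "$ca_actual" != "$ca_want" ]; then
        echo "FAIL: fingerprint is $ca_actual, expected $ca_want" >&2
        return 5
    fi

    echo "OK: CA certificate, not expired, fingerprint matches"
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    check_ca "$1" "$2"
fi
```

A non-zero exit status identifies which check failed (2 not a certificate, 3 not a CA, 4 expired, 5 fingerprint mismatch).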
Vigor-Router Setup
1. Go to Certificate Management >> Trusted CA Certificate page and click "IMPORT".
2. Click "Choose File" to select the CA certificate file, then click Import.
3. Wait a few seconds. Vigor Router will respond “Import Success” and the Certificate Status will show OK.
4. Go to VPN and Remote Access >> IPsec Peer Identity page and edit a profile to add an "identity profile" for the Perfect Privacy server. Click Enable this account and select "Accept Any Peer ID".
5. Go to VPN and Remote Access >> LAN to LAN, click on an available "index" number and edit the profile as follows:
a. In Common Settings:
- Give it a profile name and Enable this profile
- Set Call Direction to Dial-Out
- Select the WAN interface that the VPN will dial out through.
b. In Dial-Out Setting:
- Select IPsec Tunnel and "IKEv2"
- Select IPsec EAP as the "VPN server type"
- Enter the VPN server IP address/Hostname
- Enter the Username and Password. (The Username is the email address you used to register the Perfect Privacy account)
- Choose Digital Signature and select the IPsec Peer Identity Profile
- Select AES with Authentication as IPsec Security
- Click the Advanced button to configure the advanced IKE/IPsec settings
On the IKE advanced settings page, configure:
- IKE phase 1 proposal: AES256_SHA1_G14
- IKE phase 2 proposal: AES256_SHA1
- IKE phase 1 key lifetime: 3600
- IKE phase 2 key lifetime: 1200
c. In TCP/IP Network Settings:
- Enter Remote Network IP/Mask as 0.0.0.0/00
- Select NAT for this VPN connection
- Enable the Change Default Route to this VPN tunnel option if you want all traffic to go through the Perfect Privacy server.
6. After finishing the above settings, check the VPN status on the VPN and Remote Access >> Connection Management page.
To send only specific traffic through the Perfect Privacy VPN tunnel, create a Policy Route via Routing >> Load-Balance/Route Policy.
In addition to Perfect Privacy, VPN configuration is also possible with other VPN providers: