Configuration of DI-LB604 (Local)
Note: This FAQ is for firmware version 1.01 or later. The current firmware version 1.01 does not support an IPSec VPN Server for roaming users.
Step 1: Open your web browser and type in the IP address of the D-Link DI-LB604 router (192.168.0.1 by default). Enter the username (admin by default) and password (no password by default), and then click OK.
Step 2: Select the Home tab and click on IPSec.
Step 3: Configure the IPSec VPN client as follows:
Tunnel Name: enter a name for the VPN
Tunnel State: check to enable
Connection Type: select Static
WAN Binding: select the WAN source
Local IP / Subnet: enter the local IP and subnet of the DI-LB604 (192.168.3.0/255.255.255.0 in this example)
Remote IP / Subnet: enter the remote IP and subnet of the remote device (192.168.0.0/255.255.255.0 in this example)
Remote Gateway: enter the remote gateway (172.68.140.140 in this example)
Key Method: AutoKey (IKE)
Preshared Key: enter the preshared key (This key must match with the IPSec Server.)
Local ID (Option): leave as NONE
Remote ID (Option): leave as NONE
Click Apply and click Continue.
Step 4: Click Continue Setup and configure the Proposals as follows:
Phase 1
Negotiation Type: Main Mode
DH Group: DH Group 2 (1024-bit)
Encryption Method: 3DES
Authentication Method: SHA1
SA Lifetime: 28800 (default)
Phase 2
Encapsulation Format: ESP
Encryption Method: 3DES
Authentication Method: SHA1
Perfect Forward Secrecy: DH Group 2 (1024-bit)
Key Lifetime: 3600 (default)
Advanced
NetBIOS Broadcast: enabled by default
NAT Traversal: check to enable
Auto Reconnected: check to enable
IKE Keep Alive (Ping): enter the default gateway of the IPSec Server
Click Apply and click Continue.
Configuration of DI-LB604 (Remote)
Step 1: Open your web browser and type in the IP address of the DI-LB604 router (192.168.0.1 by default). Enter the username (admin by default) and password (no password by default), and then click OK.
Step 2: Select the Home tab and click on IPSec.
Step 3: Configure the IPSec VPN client as follows:
Tunnel Name: enter a name for the VPN
Tunnel State: check to enable
Connection Type: select Static
WAN Binding: select the WAN source
Local IP / Subnet: enter the local IP and subnet of the DI-LB604 (192.168.0.0/255.255.255.0 in this example)
Remote IP / Subnet: enter the remote IP and subnet of the remote device (192.168.3.0/255.255.255.0 in this example)
Remote Gateway: enter the remote gateway (172.140.140.140 in this example)
Key Method: AutoKey (IKE)
Preshared Key: enter the preshared key (This key must match with the IPSec Server.)
Local ID (Option): leave as NONE
Remote ID (Option): leave as NONE
Click Apply and click Continue.
Step 4: Click Continue Setup and configure the Proposals as follows:
Phase 1
Negotiation Type: Main Mode
DH Group: DH Group 2 (1024-bit)
Encryption Method: 3DES
Authentication Method: SHA1
SA Lifetime: 28800 (default)
Phase 2
Encapsulation Format: ESP
Encryption Method: 3DES
Authentication Method: SHA1
Perfect Forward Secrecy: DH Group 2 (1024-bit)
Key Lifetime: 3600 (default)
Advanced
NetBIOS Broadcast: enabled by default
NAT Traversal: check to enable
Auto Reconnected: check to enable
IKE Keep Alive (Ping): enter the default gateway of the IPSec Server
Click Apply and click Continue.
Step 5: Click Tunnel test. The tunnel should now be connected. To verify, click on the Status tab and click on IPSec Stats.
Note: The unit that initiates the connection will have Initiator (Quick): established as the Negotiation Status.
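Added example (not part of the original FAQ and not D-Link code): an offline check that the two ends of the tunnel are consistent before clicking Tunnel test. It verifies that the Local/Remote subnets are mirrored, that the preshared key and proposals match, and that each IKE Keep Alive (Ping) target lies inside that end's remote subnet, the condition behind the "ICMP target host is not on the remote net" error readers report in the comments. The dictionary field names, the preshared key and the keep-alive addresses 192.168.0.1 and 192.168.3.1 are assumptions; all other values are the ones used in this FAQ.

```python
import ipaddress

def net(ip, mask):
    # strict=True rejects a host address typed where a network address is expected
    return ipaddress.ip_network(f"{ip}/{mask}", strict=True)

# Constructed sample input: the FAQ's example values.
# Assumed (not on the page): psk and the two keepalive addresses.
PROPOSALS = {"phase1": ("Main Mode", "DH Group 2", "3DES", "SHA1", 28800),
             "phase2": ("ESP", "3DES", "SHA1", "DH Group 2", 3600)}
LOCAL = {"local": ("192.168.3.0", "255.255.255.0"),
         "remote": ("192.168.0.0", "255.255.255.0"),
         "psk": "example-psk", "keepalive": "192.168.0.1", **PROPOSALS}
REMOTE = {"local": ("192.168.0.0", "255.255.255.0"),
          "remote": ("192.168.3.0", "255.255.255.0"),
          "psk": "example-psk", "keepalive": "192.168.3.1", **PROPOSALS}

def check_pair(a, b):
    """Return a list of problems between tunnel ends A and B (empty if none)."""
    problems, nets = [], {}
    for name, cfg in (("A", a), ("B", b)):
        try:
            lnet, rnet = net(*cfg["local"]), net(*cfg["remote"])
            ping = ipaddress.ip_address(cfg["keepalive"])
        except ValueError as err:
            problems.append(f"{name}: invalid address ({err})")
            continue
        nets[name] = (lnet, rnet)
        if lnet.overlaps(rnet):
            problems.append(f"{name}: local and remote subnets overlap")
        if ping not in rnet:
            problems.append(f"{name}: keep-alive target is not on the remote net")
    # A's (local, remote) must equal B's (remote, local)
    if len(nets) == 2 and nets["A"] != nets["B"][::-1]:
        problems.append("Local/Remote subnets are not mirrored between the two ends")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposals differ")
    return problems

if __name__ == "__main__":
    for line in check_pair(LOCAL, REMOTE) or ["no problems found"]:
        print(line)
```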
Thank you for this. I am VERY new to networking (“Hey, our IT guy left and you build PC’s so you’re our new IT guy!”) and could use a little clarification with concrete examples.
Using your example, I was able to establish a connection between my two D-Link LB604 routers, and am able to ping one from the other, but am unable to ping the server or access network drives on the server from our branch location.
My home office:
IP: 24.xxx.173.49 (static)
Sub: 255.255.255.0
Gateway: 24.xxx.173.1
Router: 192.168.1.254 (port 1723 forwarded to Server)
24 Port Cisco Network Switch: 192.168.1.19
SBS 2008 Server: 192.168.1.102
Client Machines on: 192.168.1.150-211
Branch office:
IP: 24.yyy.186.123 (static)
Sub: 255.255.255.240
Gateway: 24.yyy.186.121
Router: 192.168.3.1
No server, just client machines on 192.168.3.111-204
Can you offer me any instruction?
Thank you in advance,
eevans
I just went with Cisco products and everything works now.
Bye D-Link!
Hi!
I’m trying to connect my office to a new warehouse we have. I have two LB604s and configured them as you explain on the page, but it never concludes phase 2. This is what I see in the logs:
2012/02/20 14:53:48 Info. ike Phase1 Initiator(Main) : 1st
[Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
2012/02/20 14:53:48 Info. ike Start with Main mode
[Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
2012/02/20 14:53:48 Info. ike Start phase1 negotiation
[Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
2012/02/20 14:53:48 Info. ike Phase1 SA not found, start negotiation
[Remote(189.249.73.113:0), Local(189.254.39.210:0 Wan2)]
2012/02/20 14:53:48 Info. ike DPD : Tunnel cicovisa phase1 expired or idle, try bring it up ..
2012/02/20 14:53:48
Can you see if I’m doing something wrong? By the way, I upgraded the routers to version 1.02.
At the time of installing I found this error, “ICMP target host on the remote net”, in the DI-LB604. Please can anyone tell me about this?
I get this error at the time of configuring IPSec in the D-Link DI_LB604 router (ICMP target host is not on the remote net). Can anyone please help me get out of this?
the error “ICMP target host is not on the remote net”
is for “IKE Keep Alive (Ping)”
CHANGE THIS FOR IP ON THE REMOTE SITE