Jan 24

Configuration of DI-LB604 (Local)

Note: This FAQ is for firmware version 1.01 or later. The current firmware version 1.01 does not support an IPSec VPN Server for roaming users.

Step 1: Open your web browser and type in the IP address of the D-Link DI-LB604 router (192.168.0.1 by default). Enter the username (admin by default) and password (no password by default), and then click OK.

Step 2: Select the Home tab and click on IPSec.

DI-LB604-IPSec-1

Step 3: Configure the IPSec VPN client as follows:
Tunnel Name: enter a name for the VPN
Tunnel State: check to enable
Connection Type: select Static
WAN Binding: select the WAN source
Local IP / Subnet: enter the local IP and subnet of the DI-LB604 (192.168.3.0/255.255.255.0 in this example)
Remote IP / Subnet: enter the remote IP and subnet of the remote device (192.168.0.0/255.255.255.0 in this example)
Remote Gateway: enter the remote gateway (172.68.140.140 in this example)
Key Method: AutoKey (IKE)
Preshared Key: enter the preshared key (This key must match with the IPSec Server.)
Local ID (Option): leave as NONE
Remote ID (Option): leave as NONE
Click Apply and click Continue.

DI-LB604-IPSec-2

Step 4: Click Continue Setup and configure the Proposals as follows:
Phase 1
Negotiation Type: Main Mode
DH Group: DH Group 2 (1024-bit)
Encryption Method: 3DES
Authentication Method: SHA1
SA Lifetime: 28800 (default)

Phase 2
Encapsulation Format: ESP
Encryption Method: 3DES
Authentication Method: SHA1
Perfect Forward Secrecy: DH Group 2 (1024-bit)
Key Lifetime: 3600 (default)

Advanced
NetBIOS Broadcast: enabled by default
NAT Traversal: check to enable
Auto Reconnected: check to enable
IKE Keep Alive (Ping): enter the default gateway of the IPSec Server
Click Apply and click Continue.

Configuration of DI-LB604 (Remote)

Step 1: Open your web browser and type in the IP address of the DI-LB604 router (192.168.0.1 by default). Enter the username (admin by default) and password (no password by default), and then click OK.

Step 2: Select the Home tab and click on IPSec.

Step 3: Configure the IPSec VPN client as follows:
Tunnel Name: enter a name for the VPN
Tunnel State: check to enable
Connection Type: select Static
WAN Binding: select the WAN source
Local IP / Subnet: enter the local IP and subnet of the DI-LB604 (192.168.0.0/255.255.255.0 in this example)
Remote IP / Subnet: enter the remote IP and subnet of the remote device (192.168.3.0/255.255.255.0 in this example)
Remote Gateway: enter the remote gateway (172.140.140.140 in this example)
Key Method: AutoKey (IKE)
Preshared Key: enter the preshared key (This key must match with the IPSec Server.)
Local ID (Option): leave as NONE
Remote ID (Option): leave as NONE
Click Apply and click Continue.

Step 4: Click Continue Setup and configure the Proposals as follows:
Phase 1
Negotiation Type: Main Mode
DH Group: DH Group 2 (1024-bit)
Encryption Method: 3DES
Authentication Method: SHA1
SA Lifetime: 28800 (default)

Phase 2
Encapsulation Format: ESP
Encryption Method: 3DES
Authentication Method: SHA1
Perfect Forward Secrecy: DH Group 2 (1024-bit)
Key Lifetime: 3600 (default)

Advanced
NetBIOS Broadcast: enabled by default
NAT Traversal: check to enable
Auto Reconnected: check to enable
IKE Keep Alive (Ping): enter the default gateway of the IPSec Server
Click Apply and click Continue.

DI-LB604-IPSec-4

Step 5: Click Tunnel test. The tunnel should now be connected. To verify, click on the Status tab and click on IPSec Stats.

DI-LB604-IPSec-6

Note: The unit that initiates the connection will have Initiator (Quick): established as the Negotiation Status.
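The two units above must be mirror images of each other (subnets swapped, remote gateways pointing at each other's WAN address, identical Phase 1/Phase 2 proposals and preshared key), and the IKE Keep Alive target must be an address inside the remote LAN or the router reports the "ICMP target host is not on the remote net" error raised in the comments. The following checker is an added example, not D-Link's code; it takes the page's example values, assumes each unit's WAN address is the other unit's Remote Gateway, constructs the keep-alive targets and the PSK, and also flags the legacy algorithms the page configures:

```python
import ipaddress

# Both ends of the page's tunnel, transcribed from the form fields. WAN IPs
# are assumed from the opposite unit's "Remote Gateway"; the preshared key
# and keep-alive targets ("default gateway of the IPSec Server") are constructed.
PROPOSAL = {"negotiation": "Main Mode", "dh_group": "DH Group 2 (1024-bit)",
            "encryption": "3DES", "auth": "SHA1", "encap": "ESP",
            "pfs": "DH Group 2 (1024-bit)"}
LOCAL = {"wan_ip": "172.140.140.140", "local_subnet": "192.168.3.0/255.255.255.0",
         "remote_subnet": "192.168.0.0/255.255.255.0",
         "remote_gateway": "172.68.140.140", "psk": "example-psk",
         "keepalive_ping": "192.168.0.1", "proposal": PROPOSAL}
REMOTE = {"wan_ip": "172.68.140.140", "local_subnet": "192.168.0.0/255.255.255.0",
          "remote_subnet": "192.168.3.0/255.255.255.0",
          "remote_gateway": "172.140.140.140", "psk": "example-psk",
          "keepalive_ping": "192.168.3.1", "proposal": PROPOSAL}

# Settings the page uses that a reviewer should flag as legacy strength.
LEGACY = {"3DES": "64-bit block cipher", "SHA1": "deprecated hash",
          "DH Group 2 (1024-bit)": "1024-bit modp group"}

def check_side(name, me, peer):
    """Problems (tunnel will not come up or will not route) for one unit."""
    net = lambda s: ipaddress.ip_network(s, strict=False)  # accepts a.b.c.d/mask
    out = []
    if net(me["local_subnet"]) != net(peer["remote_subnet"]):
        out.append(f"{name}: local subnet must equal the peer's remote subnet")
    if net(me["local_subnet"]).overlaps(net(me["remote_subnet"])):
        out.append(f"{name}: local and remote subnets overlap, cannot route")
    if me["remote_gateway"] != peer["wan_ip"]:
        out.append(f"{name}: remote gateway is not the peer's WAN address")
    # "ICMP target host is not on the remote net": the keep-alive ping
    # target must be an address inside the remote subnet.
    if ipaddress.ip_address(me["keepalive_ping"]) not in net(me["remote_subnet"]):
        out.append(f"{name}: IKE keep-alive target is not on the remote net")
    return out

def check_tunnel_pair(a, b):
    """Return (problems, warnings) for a Local/Remote DI-LB604 pair."""
    problems = check_side("local", a, b) + check_side("remote", b, a)
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if a["proposal"] != b["proposal"]:
        problems.append("phase 1/2 proposals differ between units")
    warnings = [f"{v}: {LEGACY[v]}" for v in set(a["proposal"].values()) if v in LEGACY]
    return problems, sorted(warnings)

if __name__ == "__main__":
    for line in (lambda p, w: p + w)(*check_tunnel_pair(LOCAL, REMOTE)):
        print(line)
```

With the page's values the pair is consistent, so only the three legacy-algorithm warnings are printed; pointing a keep-alive at the unit's own LAN reproduces the error from the comments.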


6 Comments

  • At 2012.02.14 07:29, eevans said:

    Thank you for this. I am VERY new to networking (“Hey, our IT guy left and you build PC’s so you’re our new IT guy!”) and could use a little clarification with concrete examples.

    Using your example, I was able to establish a connection between my two D-Link LB604 routers, and am able to ping one from the other, but am unable to ping the server or access network drives on the server from our branch location.

    My home office:
    IP: 24.xxx.173.49 (static)
    Sub: 255.255.255.0
    Gateway: 24.xxx.173.1
    Router: 192.168.1.254 (port 1723 forwarded to Server)
    24 Port Cisco Network Switch: 192.168.1.19
    SBS 2008 Server: 192.168.1.102
    Client Machines on: 192.168.1.150-211

    Branch office:
    IP: 24.yyy.186.123 (static)
    Sub: 255.255.255.240
    Gateway: 24.yyy.186.121
    Router: 192.168.3.1
    No server, just client machines on 192.168.3.111-204

    Can you offer me any instruction?
    Thank you in advance,
    eevans

    • At 2012.04.03 10:36, eevans said:

      I just went with Cisco products and everything works now.
      Bye D-Link!

    • At 2012.02.20 14:56, Juan Lopez said:

      Hi!
      I’m trying to connect my office to a new warehouse we have. I have two LB604s configured as you explain on the page, but it never concludes phase 2. This is what I see in the logs:

      2012/02/20 14:53:48 Info. ike Phase1 Initiator(Main) : 1st
      [Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
      2012/02/20 14:53:48 Info. ike Start with Main mode
      [Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
      2012/02/20 14:53:48 Info. ike Start phase1 negotiation
      [Remote(189.249.73.113:500), Local(189.254.39.210:500 Wan2)]
      2012/02/20 14:53:48 Info. ike Phase1 SA not found, start negotiation
      [Remote(189.249.73.113:0), Local(189.254.39.210:0 Wan2)]
      2012/02/20 14:53:48 Info. ike DPD : Tunnel cicovisa phase1 expired or idle, try bring it up ..
      2012/02/20 14:53:48

      Can you see if I’m doing something wrong? By the way, I upgraded the routers to version 1.02.

      • At 2012.02.23 02:16, baquar said:

        At the time of installing I found this error, "ICMP target host on the remote net", in the DI-LB604. Please can anyone tell me about this?

        • At 2012.02.23 06:39, baquar said:

          I get this error at the time of configuring IPSec in the D-Link DI-LB604 router ("ICMP target host is not on the remote net"). Can anyone please help me get out of this?

          • At 2013.01.13 10:19, francisco said:

            The error “ICMP target host is not on the remote net”

            is for “IKE Keep Alive (Ping)”.

            CHANGE THIS TO AN IP ON THE REMOTE SITE.
