Expired

V. VPN (Virtual Private Networking)

Expired

Managing VPNs with DrayTek Central VPN Management

Products:

Show all

Keywords:

Show all

DrayTek Central VPN Management

Central VPN Management simplifies the configuration of VPN tunnels between a DrayTek Vigor router at a central site and remote sites with DrayTek Vigor routers using the TR-069 protocol.
The VPN connections are managed and monitored visually from the central site so that any changes to VPN connectivity between sites can be quickly noticed and resolved.

With USB storage connected to the central router, Central VPN Management can also perform automated and scheduled tasks, such as firmware upgrades and configuration backups for the Vigor routers at remote sites, from the Central VPN Management router.

DrayTek's Central VPN Management can manage up to 8-16 routers (depending on router model) from a single router; larger networks can use the VigorACS-SI Central Management system to manage more DrayTek Vigor routers at remote sites.

DrayTek routers that support Central VPN Management

DrayTek Vigor Routers	Manages up to
DrayTek Vigor 2860	8 Vigor Routers
DrayTek Vigor 2925	8 Vigor Routers
DrayTek Vigor 2952	8 Vigor Routers
DrayTek Vigor 3220	8 Vigor Routers
DrayTek Vigor 2960	12 Vigor Routers
DrayTek Vigor 3900	16 Vigor Routers

All DrayTek Vigor routers that have VPN functionality and support TR-069 management, essentially all DrayTek routers from the Vigor 2820 series onwards, can be managed by Central VPN Management as clients.

Central VPN Management Functionality

VPN Management	Configure VPN tunnels quickly with a visual representation of VPN tunnels connecting the Central Site router and Remote Site routers
Managed Devices List	View details of Vigor routers connected to Central VPN Management
CPE Maintenance	Perform configuration backup/restoration and firmware upgrades as scheduled tasks
Google Map	View Vigor routers connected on a map, based on their location
Logs & Alerts	View logs of connections, disconnections and outcomes of scheduled tasks

Initial Setup

Initial Setup for Central VPN Management

This tab explains the initial setup.

The setup of Central VPN Management requires the following steps before the system can be used to manage the remote Vigor routers:

Enable Central VPN Management on Central Site router
Configure Remote Site routers
Select and Identify Vigor routers to manage

1. Enable Central VPN Management

To enable Central VPN Management on the router at the central site, go to [Central VPN Management] > [General Setup], or if the router has a Central Management menu, go to Central Management > [VPN] > [General Setup]

Enable the CVM SSL Port so that the router will operate as the Central VPN Management router. In this guide, only the CVM SSL Port is enabled so that connections made for Central VPN Management are encrypted. Using CVM without SSL / Encryption should only be used for diagnostics.

The Password will need to be specified, which is used by remote site routers to connect to the CVM router.
The username can also be changed if required, but in this example the default of "acs" will be used.

Click OK to save and apply the changes.

The WAN IP shown highlighted is for display purposes only and generates the URL that clients will be connecting to. In this example, the CVM router has a hostname that clients can connect to. Setting the option to "MANUALLY" instead of the WAN interface, allows the hostname to be specified, which then generates the URL in green text:

With the preferred WAN interface selected or a hostname specified, highlight the second line of green text and copy the required URL to the clipboard.

2. Configure Remote Site routers

To connect Vigor routers at remote sites, access the web interface of each remote router and go to [System Maintenance] > [TR-069 Setting], then configure these settings:

ACS Server On - Internet
URL - Paste the URL from the CVM router or enter https://[IP address/Hostname]:8443/ACSServer/services/ACSServlet
Password - The password configured on the CVM router in [Central VPN Management] > [General Setup]
Enable the CPE Client and set it to HTTPS
Enable the Periodic Inform Settings and leave the Interval Time on its default of 900 seconds

Click OK to save and apply the settings. It will then try to connect to the CVM router.

Central VPN Management also needs the TR-069 Server to be enabled on client routers. To do that, go to [System Maintenance] > [Management] and enable "Allow Management from the Internet" with the "TR-069 Server" option enabled:

Click OK on the Management settings page to apply the change, which will prompt to restart the router, click OK again to restart the router so that the TR-069 management interface is activated.

Repeat these steps for each router that will be connecting to Central VPN Management.

3. Select and Identify Vigor routers to manage

With the TR-069 details entered on the Vigor routers at each remote site, the routers should begin appearing in Central VPN Management. Routers that have connected to CVM will appear in [Central VPN Management] > [CPE Management] in the Managed Devices List tab.

These will initially appear in the Unmanaged Devices List:

To select the routers for management and identify them:

Check the tickbox for each router
Enter a Description Name for the remote router
Enter a Location for the router, in the form of a Postcode (i.e. WD61GW) or Town/City name so that it can be located in the Map section

Click Add to add those routers to the Managed Devices List:

With the routers showing in Central VPN Management's CPE Management section, the Central VPN Management router can manage those routers, to create VPN tunnels to the CVM router, monitor their status and perform scheduled tasks / firmware upgrades, all through the main DrayTek Vigor router at the central site.

The VPN Management section details how to set up VPN connections using Central VPN Management.

The Managing Routers section gives an overview of what the Central VPN Management system can monitor and how to modify the locations and names of the remote site routers.

VPN Management

Managing VPNs with Central VPN Management

This section explains how to manage VPN tunnels using Central VPN Management and use Central VPN Management to create a new VPN tunnel.

Once a router has been setup for Central VPN Management, a VPN to the central site can be quickly configured on it using the VPN Management menu. This means that there is no need to manually configure a VPN tunnel on each router, and greatly simplifes the process.

Central VPN Management shows a visual representation of the network of DrayTek routers in the [Central VPN Management] > [VPN Management] section, with different connecting line colours / types indicating the type and state of the VPN connections:

Holding the mouse over an item will display additional details. In this example, the VPN details are showing as "???" because no VPN has been created yet.

Active VPN connections are displayed in the CPE VPN Connnection List.

When creating IPsec VPN connections between sites, the CVM router will use the settings configured in [Central VPN Management] > [General Setup], in the IPsec VPN Settings tab. It is recommended to set these before making VPN connections to remote sites:

IPsec Mode	This should be set to Main mode, which requires both sides to have a public facing IP address without NAT
Security Method	This should be configured as ESP so that the tunnel is encrypted. AH mode provides authentication but does not encrypt the tunnel
Encryption Type	With the Security Method set to "ESP", this should be set to AES
Local Subnet	Set this to the subnet on the CVM router that remote sites will need to connect to

Click OK to save and apply that setting change on the CVM router.

To make a VPN connnection between the Central VPN Management router and a Vigor router at a remote site, click on the router and select the type of VPN to create:

IPsec	This is the recommended VPN type to use where possible. It requires both sites to have a fixed public IP address
PPTP	This VPN type is now regarded as being less secure than other types of VPN. It should only be used if the remote router doesn't support SSL VPN and does not have a fixed public IP or is behind a NATted Internet connection
SSL	This type of VPN connection is recommended in situations where IPsec will not work well, such as when the remote router's Internet connection is passing through NAT or the public IP address is dynamic
Advanced	This option provides advanced options for each VPN type such as specific encryption levels and can specify additional subnets that would be accessible to the remote site through the VPN tunnel

In this example, both the Central VPN Management router and remote site routers have fixed public IP addresses, so IPsec will be used. Clicking on a router and selecting a VPN option will begin to create the VPN tunnel. Central VPN Management will then pop-up this notice:

Wait for a few minutes and click Refresh to refresh the Central VPN Management display. In this example, all the VPN tunnels have been created and are now active. They are shown in the CPE VPN Connection List.

The green text indicates that the connection is encrypted, black text would indicate an unencrypted tunnel.

The VPN tunnels created can be found in the [VPN and Remote Access] > [LAN to LAN] section as "cvm_MACAddress" tunnels, which can be modified directly on each router if desired:

Monitoring Routers

Monitoring Routers with Central VPN Management

This section explains the monitoring features offered by Central VPN Managment.

Central VPN Management can be used to manage and observe the status of routers at remote sites connected to the Central VPN Management router. It observes whether the routers are on-line or off-line and gives a map view of where the routers are located.

Routers connected to Central VPN Management are displayed in the [Central VPN Management] > [CPE Management] section on the Managed Devices List tab. This shows the descriptive name of the remote router, its Internet connection IP address and a tick or cross icon to represent whether the router is on-line or off-line.

Clicking on a router's image will select it and clicking Edit with a router selected will show additional details for the router:

This displays details of the router at the remote site such as its descriptive "Router Name", its location and firmware details:

If the Location is set for the router, going to the Google Map tab will then display the remote site routers on a map. Mousing over a pin on the map will display information for the device:

The [Central VPN Management] > [Log & Alert] section displays details of connections, disconnections and the outcomes of CPE Maintenance tasks:

How do you rate this article?

1 1 1 1 1 1 1 1 1 1

: First Published: 01/12/2016; Last Updated: 22/04/2021

Share this link