VPN Overview........................ 2 How to configure LAN-to-LAN IPsec VPN on TP-LINK Router........3 How to configure GreenBow IPsec VPN Client with a TP-LINK VPN Router....13 How to configure Shrew Soft VPN IPsec Client with TP-LINK Router......23 How to configure LAN-to-LAN L2TP/PPTP VPN on TP-LINK Router ......34 How to configure a PPTP Server on TP-LINK Router ...........
It is a connection secured by encrypting the data and using point-to-point authentication. As the packets are encapsulated and de-encapsulated in the Router, the tunneling topology implemented by encapsulating packets is transparent to users. The tunneling protocols supported by TP-LINK Routers are as below: Product Model Tunneling Protocol TL-ER6120 IPsec、PPTP、L2TP...
2. How to configure LAN-to-LAN IPsec VPN on TP-LINK Router Suitable for: TL-ER6120, TL-ER6020, TL-ER604W, TL-R600VPN To setup an IPsec VPN tunnel on TP-LINK routers you need to perform the following steps: A. Connecting the devices together B. Verify the settings needed for IPsec VPN on router C.
Page 5
C. Configuring IPsec VPN settings on TL-ER6120 (Router A) Step 1 : On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter Proposal Name whatever you like, select Authentication, Encryption and DH Group, we use MD5,3DES, DH2 in this example.
Page 6
Step 3 : Click on IKE Policy, enter Policy Name whatever you like, select Exchange Mode, in this example we use Main, select IP Address as ID Type. Step 4 : Under IKE Proposal 1, we use test1 in this example. Enter Pre-shared Key and SA Lifetime you want, DPD is disabled.
Page 7
Step 7 : Click on Add. Step 8 : Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be LAN- to-LAN. Enter Local Subnet and Remote Subnet. Step 9 : Select WAN you use and type in Remote Gateway. In this example, the Remote Gateway is Router B’s WAN IP address, 218.18.1.208.
Step 13 : Look for PFS, we set NONE here, under SA Lifetime, enter “28800” or the period you want. Step 14 : Look for Status then select Activate Step 15 : Click on Add. Step 16 : Select Enable then click on Save.
D. Configuring IPsec VPN settings on TL-R600VPN (Router B) Step 1 : Go to IPsec VPN -> IKE, click on Add New Step 2 : Enter Policy Name whatever you like, here we use test2. Exchange Mode, select Main. Step 3 : Authentication Algorithm and Encryption Algorithm are the same with Router A, we use MD5 and 3DES in this example.
Page 10
Step 4 : DH Group, select DH2, the same with Router A. Step 5 : Enter Pre-share Key and SA Lifetime, make sure that they are the same with Router Step 6 : Click on Save. Step 7 : Click on IPsec on left side, click on Add New. Step 8 : Enter Policy Name, we use ipsec2 in this example.
Page 11
Step 10 : Look for Exchange mode, please select IKE, and Security Protocol, we use ESP here. Step 11 : Authentication Algorithm and Encryption Algorithm are the same with Router A, we use MD5 and 3DES in this example. Step 12 : IKE Security Policy, we use test2 in this example. Step 13 : Look for PFS, we set NONE here, under Lifetime, enter “28800”...
(http://www.thegreenbow.com/vpn/vpn-client.html?utm_expid=333874- 5.xSdTaggCQhu28X37j2BKrw.1&utm_referrer=http%3A%2F%2Fwww.thegreenbow.com%2F services.html To setup an IPsec VPN tunnel between the GreenBow IPsec VPN Client and the TP-LINK VPN Router you need to perform the following steps: A. Make sure PCs of two sides can access to Internet B. Configuring the TP-LINK VPN Router C.
Page 14
Step 2: On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter Proposal Name whatever you like, select Authentication, Encryption and DH Group, we use MD5, 3DES, DH2 in this example. Step 3: Click on IKE Policy, enter Policy Name whatever you like, select Exchange Mode, in this example we use Main, select FQDN as ID Type and enter Local ID and Remote ID whatever you like, here we enter “1234”...
Page 15
NOTE: No matter on Main mode or Aggressive mode, once the client PC is behind a NAT device, we have to select FQDN as ID Type and the NAT device must support VPN passthrough, otherwise the VPN tunnel can’t be established. Step 4: Under IKE Proposal 1, we select 1 in this example.
Page 16
Step 6: Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be Client-to- LAN. Enter Local Subnet and select WAN port. Step 7: Look for Policy Mode and select IKE. Under IKE Policy, we select 123 which is used. Under IPsec Proposal, we use 123 in this example.
Page 17
Step 8: Look for PFS, we set NONE here, under SA Lifetime, enter “28800” or the period you want. Look for Status then select Activate. Step 9: Enable IPsec and then click on Save. C. Configuring the GreenBow VPN Client Step 1: Right click on VPN Configuration and click on New Phrase 1.
Page 18
Under Remote Gateway, enter the router’s WAN IP address, the Pre-shared Key should be the same with router’s, it is “123456”.on IKE section, the Encryption, Authentication and Key Group are the same with router’s, we use 3DES, MD5and DH2 here. Step 3: Go to Advanced tab, select DNS as Type of ID, and then enter “4321”...
Page 19
Step 4: Right click on Phase 1, add a new phrase 2.
Page 20
Step 5: Enter remote LAN address and Subnet mask, in the example, the IP address is 192.168.0.0, Subnet mask is 255.255.255.0. Encryption and Authentication are the same with routers; we use 3DES and MD5 here. The Mode should be Tunnel.
Page 21
Step 6: Click Save and Apply and then right click on Phrase 2(Tunnel), click on Open Tunnel.
Page 22
Step 7: If the client connect to the VPN Server successfully, you can see IPsec SA on the list.
4. How to configure Shrew Soft VPN IPsec Client with TP-LINK Router Suitable for: TL-ER6120, TL-ER6020, TL-ER604W Shrew Soft VPN IPsec Client is an VPN Client software developed by Shrew Soft Inc. It can be downloaded from official website of Shrew Soft (https://www.shrew.net/download/vpn).
Page 24
Step 2: On the management webpage, click on VPN then IKE Proposal. Under IKE Proposal, enter Proposal Name whatever you like, select Authentication, Encryption and DH Group, we use MD5, 3EDS, DH2 in this example. Click on Add. Step 3: Click on IKE Policy, enter Policy Name whatever you like, we select Aggressive for Exchange Mode, select FQDN as ID Type and enter Local ID whatever you like, here we enter “123”...
Page 25
NOTE: No matter on Main mode or Aggressive mode, once the client PC is behind a NAT device, we have to select FQDN as ID Type and the NAT device must support VPN passthrough, otherwise the VPN tunnel can’t be established. Step 4: Under IKE Proposal 1, we select test in this example.
Page 26
Step 6: Click on IPsec Policy, enter Policy Name whatever you like, the Mode should be Client-to-LAN. Enter Local Subnet and select WAN port.
Page 27
Step 9: Enable IPsec and then click on Add. C. Configuring the Shrew VPN Client Step 1: Click on Add. Under Host Name or IP Address, enter the TL-ER6120’s WAN IP address, select disable for Auto Configuration. Under Address Method, we select Using an existing adapter and current address.
Page 28
Step 3: Click on Authentication on the top menu, select Mutual PSK as Authentication. Under Identification Type, select Fully Qualified Domain Name and enter “321” for FQDN String. Step 4: Click on Remote Identity, select Fully Qualified Domain Name as Identification Type and enter “123”...
Page 29
Step 5: Click on Credentials, the Pre Shared Key, should be the same as the Pre-shared Key on the TL-ER6120, it’s “123456789”.
Page 30
Cipher Algorithm, and Hash Algorithm are the same with TL-ER6120’s, we use aggressive, group 2, 3des, md5 here. Step 7: Click on Phase 2, under the Proposal Parameters, the Transform Algorithm, HMAC Algorithm are the same with TL-ER6120’s we use esp-3des, md5 here. PFS Exchange and Compress Algorithm are disabled.
Page 31
Step 8: Click on Policy, don’t tick Obtain Topology Automatically or Tunnel All. Then click on Add. Step 9: Select Include as Type, enter the TL-ER6120’s LAN Subnet Address and Subnet Mask, it’s 192.168.1.0, 255.255.255.0. Then click on OK and Save.
Page 32
Step 10: Click on Connect. Step 11: Click on Connect. Step 12: After Shrew Soft VPN show tunnel enabled as the followings, you need ping TL- ER6120 LAN IP.
Page 33
Step 13: If client connect to the VPN Server successfully, you can see IPsec SA on the list.
NOTE: We give the guide to configure LAN-to-LAN PPTP VPN in this example, the way to configure LAN-to-LAN L2TP VPN is similar. If the TP-LINK Router configured as PPTP Server is behind a NAT device, Virtual Server or DMZ should be configured on the NAT device, otherwise the VPN tunnel can’t be established.
Page 36
C. Configuring a PPTP Server on TP-LINK router Step 1 : Access Router A’s management page, click on VPN->L2TP/PPTP->IP Address Pool, enter Pool Name and IP Address Range, and then click on Add. Enter pool name Click NOTE: 1) The IP addresses in the IP Address Pool can only be in the same subnet with the VPN router’s LAN port in the latest firmware, and in the earlier version firmware, IP Address pool...
Page 37
In the Different Subnet 1) Configure the IP Address Pool of access router A as step 1. Enter pool name Click 2) Choose the menu Advanced→NAT→Multi-Nets NAT to enter the Subnet/Mask and select the Status Activate.
Page 38
Enter subnet and mask Click 3) Keep using the default gateway on remote network on clients. Step 2 : Go to L2TP/PPTP Tunnel, look for protocol, select PPTP; the Mode should be Server. DNS setting is not necessary, it can be kept as default Click Save Click...
Page 39
1) If the IP addresses in the IP Address Pool is not in the same subnet with the Router A’s LAN port, the IP address Pool here should choose PPTP2_Dialup_User. 2) In the latest firmware of TP-LINK router, the Enable VPN-to-Internet button is removed and the VPN feature is enabled by default.
Page 40
Step 4 : Under Remote Subnet, enter Router B’s local subnet, we enter “192.168.1.0/24” in this example. Step 5 : Look for Status, select Active. Step 6 : Click on Add and then click on Save. Step 7: If the PPTP tunnel is established successfully, you can check it on List of Tunnel. Also, PC within the local subnet of Router B, can ping Router A’s LAN IP (192.168.0.1).
B. Configuring a PPTP Server on TP-LINK router C. Configuring PPTP client on remote PC (Windows 7) NOTE: If the TP-LINK Router is behind a NAT device, Virtual Server or DMZ should be configured on the NAT device, otherwise the VPN tunnel can’t be established.
Page 42
Step 2: Click on VPN->L2TP/PPTP->IP Address Pool, enter Pool Name and IP Address Range, and then click on Add. NOTE: 1) The IP addresses in the IP Address Pool can only be in the same subnet with the VPN router’s LAN port in the latest firmware, and in the earlier version firmware, IP Address pool must be in the different subnet with the VPN router’s LAN IP address range.
Page 43
2) If the IP addresses in the IP Address Pool is in the same subnet with the VPN router’s LAN port, the remote VPN clients can directly access the Internet. It’s recommended that the IP address range in the IP Address Pool do not overlap with the one in the local DHCP IP address pool.
Page 44
Click 2) Choose the menu Advanced→NAT→Multi-Nets NAT to enter the Subnet/Mask and select the Status Activate. Enter subnet and mask Click 3) Keep using the default gateway on remote network on clients. Step 3: Look for protocol, select PPTP; the Mode should be Server.
Page 45
DNS setting is not necessary, it can be kept as default Click on Save Click on Enter Account Name Password Step 4: Enter Account Name and Password whatever you like, here we use “client” as account name, password is “123456”. Step 5: Under Tunnel, select Client-to-LAN.
Page 46
1) If the IP addresses in the IP Address Pool is not in the same subnet with the VPN router’s LAN port, the IP address Pool here should choose PPTP2_Dialup_User. 2) In the latest firmware of TP-LINK router, the Enable VPN-to-Internet button is removed and the VPN feature is enabled by default.
Page 47
Step 3: Choose Connect to a workplace, and then click on Next.
Page 48
Step 4: Select Use my Internet connection (VPN) Step 5: Under Internet address field, enter router’s WAN IP address, and then click on Next.
Page 49
Step 6: Enter User name and Password, and then click on Create.
Page 50
Step 7: The VPN connection is created and ready to use, click on Close. Step 8: Go to Network and Sharing Center and click on Change adapter settings on the left menu. Step 9: Right Click on VPN Connection and select Connect.
Page 51
Step 10: Enter User name and Password and then click on Connect. Step 11:...
Page 52
If the PPTP tunnel is established successfully, you can check it on List of Tunnel.
B. Configuring a L2TP Server on TP-LINK router C. Configuring L2TP client on remote PC (Windows 7) NOTE: If the TP-LINK Router is behind a NAT device, Virtual Server or DMZ should be configured on the NAT device, otherwise the VPN tunnel can’t be established.
Page 54
Step 2: Click on VPN->L2TP/PPTP->IP Address Pool, enter Pool Name and IP Address Range, and then click on Add. NOTE: 1) The IP addresses in the IP Address Pool can only be in the same subnet with the VPN router’s LAN port in the latest firmware, and in the earlier version firmware, IP Address pool must be in the different subnet with the VPN router’s LAN IP address range.
Page 55
Only in this way, the remote VPN clients can access the Internet via the VPN router in the headquarters. The following contents will respectively introduce the two situations. In the Same Subnet 1) Configure the IP Address Pool of access router A as step 2. 2) Keep using the default gateway on remote network on clients, as the steps in the following picture.
Page 56
Enter subnet and mask Click 3) Keep using the default gateway on remote network on clients. Step 3: Look for protocol, select L2TP; the Mode should be Server. DNS setting is not necessary, it can be kept as default Click on Save Click on Enter...
Page 57
1) If the IP addresses in the IP Address Pool is not in the same subnet with the VPN router’s LAN port, the IP address Pool here should choose PPTP2_Dialup_User. 2) In the latest firmware of TP-LINK router, the Enable VPN-to-Internet button is removed and the VPN feature is enabled by default.
Page 58
C. Configuring L2TP client on remote PC (Windows 7) NOTE: For remote PC to connect to L2TP server, it can use Windows built-in L2TP software or Third-party L2TP software. Step 1: Click on Start->Control Panel->Network and Internet->Network and Sharing Center. Step 2: Click on Set up a new connection or network.
Page 59
Step 3: Choose Connect to a workplace, and then click on Next. Step 4: Select Use my Internet connection (VPN)
Page 60
Step 5: Under Internet address field, enter router’s WAN IP address, and then click on Next.
Page 61
Step 6: Enter User name and Password, and then click on Create. Step 7: The VPN connection is created and ready to use, click on Close.
Page 62
Step 8: Go to Network and Sharing Center and click on Change adapter settings on the left menu. Step 9: Right Click on VPN Connection and select Properties. On the Security tab, Select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec), under Data encryption, select Require encryption (disconnect if server declines).
Page 63
Step 10: Click on Advanced settings, pick Use preshared key for authentication, and then enter the key, here is “5678”.
Page 64
Step 11: Double click on VPN Connection, enter User name and Password and then click on Connect.