
Creating an IPSec tunnel Gateway to Gateway on a Linksys VPN router

What is Virtual Private Network (VPN)?
 
Virtual Private Network (VPN) is a connection between two (2) endpoints in different networks that allows private data to be sent securely over a shared or public network, such as the Internet.  This is done by creating a tunnel.  A VPN tunnel connects two (2) computers or networks and allows data to be transmitted over the Internet as if it were still within those networks.
 
Gateway to Gateway – this setup allows all computers to access the VPN connection and both routers should be VPN tunnel capable.
 
 
To create a VPN tunnel on a Linksys VPN router, you need to perform four (4) steps:
 
Connecting devices together
 
Before creating a VPN tunnel, you need to ensure that there is an active Internet connection on the two (2) routers that will communicate.  After ensuring that there is an active Internet connection, you need to verify the VPN settings.
 
Verifying the VPN settings needed on the two (2) routers
 
To verify the settings needed for your VPN tunnel, follow the steps below:
 
Step 1:
Access the router’s web-based setup page.  For instructions, click here.  If you are using a Mac® computer, click here for instructions.
 
Step 2:
Click System Status under System Information and take note of the LAN IPv4/ Subnet mask.
 
Router A’s System Status page:
 
 
Router B’s System Status page:
 

 
NOTE:  Make sure that the LAN IPv4 Address of the two (2) routers is different.  Take note of the LAN IPv4 Address of Router A since it will be Router B’s Remote Security Group Type and vice versa.
 
Step 3:
On the same page, scroll down and take note of the WAN IP Address under WAN Status of both routers.
 

Configuring VPN tunnel Settings on Router A
 
Step 1:
Access the router’s web-based setup page.  For instructions, click here.  If you are using a Mac computer, click here for instructions.
 
Step 2:
In the Configuration page, click VPN > Gateway to Gateway.
 

 
Step 3:
Enter the name you want to set for your tunnel in the Tunnel Name field.  Then, select an Interface for the VPN tunnel and check the Enable box to enable VPN tunnel.
 
NOTE:  In this example, Tunnel 1 is used as the Tunnel Name and WAN1 is used for Interface.

 
 
Step 4:
Look for LOCAL GROUP SETUP and under Local Security Gateway Type, select either of the following:
  • IP Only - If you choose IP Only, the IP address is the only way to gain access to this tunnel. The WAN IP address is filled in automatically, so no further settings are needed.

  • IP + Domain Name (FQDN) Authentication - The WAN IP address is filled in automatically, so no further settings are needed. FQDN refers to the combination of host name and domain name and can be retrieved from the Internet (e.g. vpn.server.com).

  • IP + E-mail Addr.(USER FQDN) Authentication - If you choose IP address and E-mail, enter the IP address and E-mail address to gain access to this tunnel. The WAN IP address is filled in automatically, so no further settings are needed.

  • Dynamic IP + Domain Name (FQDN) Authentication - If a dynamic IP address is used to connect to the device, you may select this option to link to the VPN. If you select this option, enter the domain name.

  • Dynamic IP + E-mail Addr.(USER FQDN) Authentication - If a dynamic IP address is used to connect to the device, you may select this option to connect to the VPN without entering an IP address. If you select this option, enter the E-mail address in the empty field for E-mail authentication.
Step 5:
Under Local Security Group Type select either of the following:
  • IP - This option allows only the IP address that is entered to build the VPN tunnel.
     
  • Subnet - This option allows local computers in this subnet to be connected to the VPN tunnel. 
     
  • IP Range - This option allows a range of IP addresses to use this tunnel.  Input the begin IP and the end IP of the range. 
NOTE:  In this example Subnet was used.
 
Step 6:
Enter the Subnet Mask of your router in the Mask field.

 
Step 7:
Look for Remote Group Setup and, under Remote Security Gateway Type, select one of IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication, depending on your preference. Then enter the WAN/Internet IP Address of Router B in the IP Address field.

 
NOTE:  In this example, 111.111.111.111 was used.  If your ISP has issued a dynamic IP address, you will likely have issues establishing a connection, so make sure that you request a static IP address.
 
Step 8:
Under Remote Security Group Type, select IP, Subnet or IP Range, then enter the appropriate values of the remote router in the IP and Mask fields.

 
 
NOTE:  In this example, Subnet is selected and 192.168.2.0 is used for the IP Address and 255.255.255.0 for the Subnet Mask.

Step 9:
Under Keying Mode, select either Manual or IKE with Preshared Key.
 

 
Step 10:
Under Phase 1 Encryption, select the Encryption level of the router you wish to establish a VPN tunnel with.
 
Step 11:
Under Phase 1 Authentication, select the Authentication mode of the router you wish to establish a VPN Tunnel with.
 
NOTE:  In this example, DES and MD5 were used.  If both routers support it, it’s recommended to use SHA and 3DES for a much more secure connection.

 
Step 12:
Make sure that Perfect Forward Secrecy (PFS) is Enabled.  With PFS enabled, the IKE (Internet Key Exchange) Phase 2 negotiation generates new key material that is used for encryption and authentication.  Then, under Preshared Key, enter the key of the router you wish to establish a VPN tunnel with.
 

 
NOTE:  In this example, MySecretKey@2013 was used.

Step 13:
Under Phase 2 SA Life Time, enter the time period of the router you wish to establish a VPN tunnel with.
 
NOTE:  In this example 3600 is used.
 
Step 14:
Click Save.
 
Configuring VPN tunnel Settings on Router B
 
Step 1:
Access the router’s web-based setup page.  For instructions, click here.  If you are using a Mac computer, click here for instructions.
 
Step 2:
In the Configuration page, click VPN > Gateway to Gateway.
 

 
Step 3:
Enter the name you want to set for your tunnel in the Tunnel Name field.  Then, select an Interface for the VPN tunnel and check the Enable box to enable VPN tunnel.
 
NOTE:  In this example, Tunnel 1 is used as the Tunnel Name and WAN1 is used for Interface.
 
 
Step 4:
Look for LOCAL GROUP SETUP and under Local Security Gateway Type, select either of the following:
  • IP Only - If you choose IP Only, the IP address is the only way to gain access to this tunnel. The WAN IP address is filled in automatically, so no further settings are needed.

  • IP + Domain Name (FQDN) Authentication - The WAN IP address is filled in automatically, so no further settings are needed. FQDN refers to the combination of host name and domain name and can be retrieved from the Internet (e.g. vpn.server.com).

  • IP + E-mail Addr.(USER FQDN) Authentication - If you choose IP address and E-mail, enter the IP address and E-mail address to gain access to this tunnel. The WAN IP address is filled in automatically, so no further settings are needed.

  • Dynamic IP + Domain Name (FQDN) Authentication - If a dynamic IP address is used to connect to the device, you may select this option to link to the VPN. If you select this option, enter the domain name.

  • Dynamic IP + E-mail Addr.(USER FQDN) Authentication - If a dynamic IP address is used to connect to the device, you may select this option to connect to the VPN without entering an IP address. If you select this option, enter the E-mail address in the empty field for E-mail authentication.
Step 5:
Under Local Security Group Type select either of the following:
  • IP - This option allows only the IP address that is entered to build the VPN tunnel.
     
  • Subnet - This option allows local computers in this subnet to be connected to the VPN tunnel. 
     
  • IP Range - This option allows a range of IP addresses to use this tunnel.  Input the begin IP and the end IP of the range. 
NOTE:  In this example Subnet was used.
 
Step 6:
Enter the Subnet Mask of your router in the Mask field.

 
Step 7:
Look for Remote Group Setup and, under Remote Security Gateway Type, select one of IP Only, IP + Domain Name (FQDN) Authentication, IP + E-mail Addr.(USER FQDN) Authentication, Dynamic IP + Domain Name (FQDN) Authentication, or Dynamic IP + E-mail Addr.(USER FQDN) Authentication, depending on your preference. Then enter the WAN/Internet IP Address of Router A in the IP Address field.

 
NOTE:  In this example, 192.168.104.11 was used.  If your ISP has issued a dynamic IP address, you will likely have issues establishing a connection, so make sure that you request a static IP address.
 
Step 8:
Under Remote Security Group Type, select IP, Subnet or IP Range, then enter the appropriate values of the remote router in the IP and Mask fields.

 
NOTE:  In this example, Subnet is selected and 192.168.1.0 is used for the IP Address and 255.255.255.0 for the Subnet Mask.

Step 9:
Under Keying Mode, select either Manual or IKE with Preshared Key.

 
Step 10:
Under Phase 1 Encryption, select the Encryption level of the router you wish to establish a VPN tunnel with.
 
Step 11:
Under Phase 1 Authentication, select the Authentication mode of the router you wish to establish a VPN tunnel with.
 
NOTE:  For this example, DES and MD5 were used.  If both routers support it, it’s recommended to use SHA and 3DES for a much more secure connection.

 
Step 12:
Make sure that Perfect Forward Secrecy (PFS) is Enabled.  With PFS enabled, the IKE (Internet Key Exchange) Phase 2 negotiation generates new key material that is used for encryption and authentication.  Then, under Preshared Key, enter the key of the router you wish to establish a VPN tunnel with.

 
NOTE:  In this example, MySecretKey@2013 was used.

Step 13:
Under Phase 2 SA Life Time, enter the time period of the router you wish to establish a VPN tunnel with.
 
NOTE:  In this example 3600 is used.
 
Step 14:
Click Save.
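
The two routers' settings have to mirror each other for the tunnel to come up. The following check is an added example, not Linksys code: it compares the values noted for Router A and Router B in this article and also flags DES and MD5, which the NOTE under Step 11 recommends replacing with 3DES and SHA. The dictionary layout, key names and function names are assumptions made for this sketch, not a router export format.

```python
import ipaddress

# Values from the article's example; the layout and key names are assumptions.
SHARED = {"p1_encryption": "DES", "p1_authentication": "MD5", "pfs": True,
          "preshared_key": "MySecretKey@2013", "p2_sa_lifetime": 3600}
ROUTER_A = dict(SHARED, wan_ip="192.168.104.11",
                local_group=("192.168.1.0", "255.255.255.0"),
                remote_gateway="111.111.111.111",
                remote_group=("192.168.2.0", "255.255.255.0"))
ROUTER_B = dict(SHARED, wan_ip="111.111.111.111",
                local_group=("192.168.2.0", "255.255.255.0"),
                remote_gateway="192.168.104.11",
                remote_group=("192.168.1.0", "255.255.255.0"))

MUST_MATCH = ("p1_encryption", "p1_authentication", "pfs",
              "preshared_key", "p2_sa_lifetime")
WEAK = {"DES", "MD5"}  # the article recommends 3DES and SHA instead


def net(group):
    """Turn an (IP, mask) pair from the Security Group fields into a network."""
    ip, mask = group
    return ipaddress.ip_network(f"{ip}/{mask}", strict=True)


def check_tunnel(a, b):
    """Return a list of findings; an empty list means the two sides mirror."""
    findings = []
    if net(a["local_group"]).overlaps(net(b["local_group"])):
        findings.append("LAN subnets overlap")
    for name, mine, peer in (("A", a, b), ("B", b, a)):
        if mine["remote_gateway"] != peer["wan_ip"]:
            findings.append(f"Router {name}: remote gateway is not the peer's WAN IP")
        if net(mine["remote_group"]) != net(peer["local_group"]):
            findings.append(f"Router {name}: remote group is not the peer's local group")
    for key in MUST_MATCH:
        if a[key] != b[key]:
            # Report only the field name so the preshared key is never printed.
            findings.append(f"{key} differs between routers")
    for key in ("p1_encryption", "p1_authentication"):
        for name, cfg in (("A", a), ("B", b)):
            if cfg[key] in WEAK:
                findings.append(f"Router {name}: weak {key} {cfg[key]}")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel(ROUTER_A, ROUTER_B):
        print(finding)
```

Run against the article's own values, the only findings are the DES and MD5 selections on both routers; the mirrored addressing and shared settings pass.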
