Description

Milesight routers UR32/UR35/UR75 support both IPsec server and IPsec client for securing data transmitted over the Internet or any public network. This article describes how to establish an IPsec VPN between Milesight routers.


Requirement

Milesight Router UR32/UR35/UR75


Configuration

In this configuration example, one Milesight router is used as the IPsec server, and the other Milesight router is used as the IPsec client. Make sure the server router has a public IP, and that the two routers have different subnets. The topology is shown below:


  1. Configure IPsec server on Router A on Network -> VPN -> IPsec Server.

Local Subnet/Subnet Mask: subnet/subnet mask of the server router.

Remote Subnet/Subnet Mask: subnet/subnet mask of the client router.

ID Type: for authentication. There are 4 types: Default, ID, FQDN, User FQDN.

  • Default: None.
  • ID: use IP address as ID.
  • FQDN (Fully Qualified Domain Name): use FQDN as ID, e.g. test.user.com (hostname or domain name format).
  • User FQDN: use User FQDN as ID, e.g. test@user.com (email address format).

In IKE Parameters, Local Authentication supports PSK and CA. When using PSK, you need to add a PSK list as the secret for the IPsec client.


  2. Based on the IPsec server settings, configure IPsec client on Router B on Network -> VPN -> IPsec.

IPsec Gateway Address: the public IP of the server router. In this example it’s the WAN IP of Router A.

IPsec Mode/IPsec Protocol: the same as the server settings.

Local Subnet/Subnet Mask: subnet/subnet mask of the client router.

Remote Subnet/Subnet Mask: subnet/subnet mask of the server router.

Local ID Type: the Remote ID Type set in the server.

Remote ID Type: the Local ID Type set in the server.


  3. After the IPsec VPN is established, you can see the connection status on Status -> VPN.

Router A:

Router B:


Go to Maintenance -> Tools -> Ping to ping the remote subnet and PC IP. A successful ping means data is being transmitted through the VPN.

Router A:

Router B:


Note: with a firewall enabled on the PC, pinging the PC IP will fail, so you can disable it temporarily for testing.
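
The mirroring rules from steps 1 and 2 (client local/remote values are the server's remote/local values, mode and protocol are identical, the two LANs are different subnets) can be checked before the settings are entered. The following is an added example, not Milesight code: the dictionary keys are hypothetical names for the UI fields, and all addresses and values are constructed samples.

```python
import ipaddress

# Hypothetical field names mirroring the UI labels in steps 1 and 2;
# this is not a Milesight export format or API.
MIRRORED = [("local_subnet", "remote_subnet"), ("remote_subnet", "local_subnet"),
            ("local_id_type", "remote_id_type"), ("remote_id_type", "local_id_type")]
SAME = ["ipsec_mode", "ipsec_protocol"]

# Constructed sample values (private and documentation ranges), not from the article.
SERVER_WAN_IP = "203.0.113.10"
SERVER = {"local_subnet": "192.168.1.0/255.255.255.0",
          "remote_subnet": "192.168.2.0/255.255.255.0",
          "local_id_type": "FQDN", "remote_id_type": "User FQDN",
          "ipsec_mode": "Tunnel", "ipsec_protocol": "ESP"}
CLIENT = {"gateway": "203.0.113.10",
          "local_subnet": "192.168.2.0/255.255.255.0",
          "remote_subnet": "192.168.1.0/255.255.255.0",
          "local_id_type": "User FQDN", "remote_id_type": "FQDN",
          "ipsec_mode": "Tunnel", "ipsec_protocol": "ESP"}


def check_pair(server, client, server_wan_ip):
    """Return a list of mismatches between Router A (server) and Router B (client)."""
    problems = []
    # The client's gateway address must be the server router's public (WAN) IP.
    if ipaddress.ip_address(client["gateway"]) != ipaddress.ip_address(server_wan_ip):
        problems.append("gateway: client does not point at the server WAN IP")
    # IPsec mode and protocol must be identical on both ends.
    for key in SAME:
        if server[key] != client[key]:
            problems.append(f"{key}: {server[key]!r} != {client[key]!r}")
    # Each local/remote value on the client is the server's remote/local value.
    for c_key, s_key in MIRRORED:
        c_val, s_val = client[c_key], server[s_key]
        if "subnet" in c_key:  # compare as networks so /24 equals /255.255.255.0
            c_val = ipaddress.ip_network(c_val, strict=False)
            s_val = ipaddress.ip_network(s_val, strict=False)
        if c_val != s_val:
            problems.append(f"client {c_key} ({c_val}) != server {s_key} ({s_val})")
    # The two routers must sit on different subnets.
    a = ipaddress.ip_network(server["local_subnet"], strict=False)
    b = ipaddress.ip_network(client["local_subnet"], strict=False)
    if a.overlaps(b):
        problems.append(f"local subnets overlap: {a} and {b}")
    return problems


if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT, SERVER_WAN_IP) or "settings are consistent")
```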