Remote access (VPN) setting
[Update: May 16, 2019]
This page explains how to configure the remote access (VPN) function of a VPC router.
1. Overview of the remote access (VPN) function
Remote access (VPN) is a function for connecting from an external network to the private network side (VPC network side) over a secure route through a VPC router.
The VPN protocols currently supported by a VPC router are as follows.
- PPTP
- L2TP/IPsec
From the [Account Management] screen, you can set the accounts used when connecting to the private network side (VPC network side) from an external network. When using the standard plan, you can set a maximum of 100 accounts. When using the premium plan or high spec plan, you can set a maximum of 200 accounts.
Note
Although there is no restriction on the number of simultaneous client connections for each VPN protocol, we do not recommend simultaneous connections using the same account. Please create a separate account for each connecting client.
PPTP specifications
The specifications of the PPTP function of remote access are as follows. You can use the PPTP function with equipment and software (Windows, Mac OS X, iOS, Android, etc.) on the peer endpoint that is compatible with these specifications.
Protocol (port) | GRE (47), TCP (1723) |
---|---|
PPP authentication protocol | MS-CHAPv2 |
PPP authentication method | User name, password |
Attention
PPTP cannot be used in an environment where GRE is not passed through.
L2TP/IPsec specifications
The specifications of the L2TP/IPsec function of remote access are as follows. You can use the L2TP/IPsec function with equipment and software (Windows, Mac OS X, iOS, Android, etc.) on the peer endpoint that is compatible with these specifications.
Protocol (port) | UDP (500), ESP (50) *UDP (500) and UDP (4500) when NAT-T is used. |
---|---|
PPP authentication protocol | MS-CHAPv2 |
PPP authentication method | User name, password |
L2TP tunnel authentication | No |
L2TP keep-alive | Enable |
L2TP keep-alive interval | 10 seconds (retry 3 times) |
L2TP tunnel termination timer | No |
IPsec authentication method | Pre-Shared Key |
Cryptographic algorithm | AES256, 3DES |
Cipher mode | CBC |
Hash algorithm | SHA |
Message authentication code | HMAC |
PFS (Perfect Forward Secrecy) | Disabled |
DH (Diffie-Hellman) Group | MODP1024 (Group 2) |
Lifespan of ISAKMP SA | 28,800 seconds |
Lifespan of IPsec SA | 1,800 seconds |
Exchange mode | Aggressive mode |
IKE phase 1 ID | Global IP address of the VPC router |
IKE phase 2 ID | No |
Vendor ID | Do not accept/Do not send |
IKE keep-alive (DPD) | Disabled |
2. PPTP server setting
From the settings screen of the VPC router you want to configure, select the [Remote Access] tab and then the [PPTP Server] tab. The setting status of the PPTP server function will appear. Click the [Edit] button to change it.

The PPTP server function setting screen will appear. Select and enter each item.

PPTP server | Select the PPTP server function from [Enable] or [Disable]. *When [Enable] is selected, the following two setting items will appear. |
---|---|
Dynamic assignment range (from) | Enter the starting IP address of the IP address range to be assigned to the PPTP client. |
Dynamic assignment range (to) | Enter the ending IP address of the IP address range to be assigned to the PPTP client. |
*Both are required items.
*Dynamic assignment range must be included in IP address range set for one of the private interfaces.
Click the [Apply] button.

When the setting is completed, it is updated in the setting status screen of the PPTP server.

Note
When you add, change, or delete the PPTP setting, you need to click the [Apply] button to apply the settings to the VPC router. (Even if the VPC router is running, clicking the [Apply] button updates the setting without shutting the router down.)
Also, clicking the [Apply] button does not affect current PPTP connections (it does not cause disconnection, etc.).
*For the standard plan, please make a PPTP connection to the IP address assigned to the global interface. For the premium plan, please make a PPTP connection to the virtual IP address set for the global interface.
3. L2TP/IPsec server setting
From the settings screen of the VPC router you want to configure, select the [Remote Access] tab and then the [L2TP/IPsec Server] tab. The setting status of the L2TP/IPsec server function will appear. Click the [Edit] button to change it.

The L2TP/IPsec server function setting screen will appear. Select and enter each item.

L2TP/IPsec server | Select the L2TP/IPsec server function from [Enable] or [Disable]. *When [Enable] is selected, the following three setting items will appear. |
---|---|
Dynamic assignment range (from) | Enter the starting IP address of the IP address range to be assigned to the L2TP/IPsec client. |
Dynamic assignment range (to) | Enter the ending IP address of the IP address range to be assigned to the L2TP/IPsec client. |
Pre-Shared Secret | Enter the character string you want to set as the Pre-Shared Key (*1). |
*1 You can use a combination of letters (upper-case or lower-case), numbers, and underscore (_). The number of characters is from 1 to 40.
*They are all required items.
*Dynamic assignment range must be included in IP address range set for one of the private interfaces.
Click the [Apply] button.

When the setting is completed, it is updated in the setting status screen of the L2TP/IPsec server.

*For the standard plan, please make an L2TP/IPsec connection to the IP address assigned to the global interface. For the premium plan, please make an L2TP/IPsec connection to the virtual IP address set for the global interface.
Note
When you add, change, or delete the L2TP/IPsec server setting, you need to click the [Apply] button to apply the settings to the VPC router. (Even if the VPC router is running, clicking the [Apply] button updates the setting without shutting the router down.)
Also, clicking the [Apply] button does not affect current L2TP/IPsec connections (it does not cause disconnection, etc.).
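A pre-flight check for the values entered on the L2TP/IPsec server screen, as an added example that is not part of the original page. Because the specification above pairs a Pre-Shared Key with aggressive mode, it generates a random key of the maximum permitted length, and it checks that the dynamic assignment range lies inside one private interface network. The function names, the IPv4-only handling and the sample addresses are assumptions for illustration.

```python
import ipaddress
import math
import re
import secrets
import string

# Character set and length limit stated on this page for the Pre-Shared Secret.
PSK_ALPHABET = string.ascii_letters + string.digits + "_"
PSK_MAX_LEN = 40
PSK_RE = re.compile(r"[A-Za-z0-9_]{1,40}")


def generate_psk(length=PSK_MAX_LEN):
    """Return a random key drawn uniformly from the allowed characters."""
    if not 1 <= length <= PSK_MAX_LEN:
        raise ValueError("length must be between 1 and 40")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(length):
    """Entropy in bits of a uniformly random key of the given length."""
    return length * math.log2(len(PSK_ALPHABET))


def check_settings(range_from, range_to, psk, private_networks):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    if not PSK_RE.fullmatch(psk):
        problems.append("PSK must be 1-40 characters of A-Z, a-z, 0-9 and _")
    try:
        start = ipaddress.IPv4Address(range_from)  # assumption: IPv4 only
        end = ipaddress.IPv4Address(range_to)
    except ValueError as exc:
        return problems + [f"invalid IP address: {exc}"]
    if start > end:
        problems.append("range start is after range end")
    nets = [ipaddress.IPv4Network(n) for n in private_networks]
    # Both ends must fall inside the same private interface network.
    if not any(start in n and end in n for n in nets):
        problems.append("range is not inside one private interface network")
    return problems


if __name__ == "__main__":
    # Constructed sample values (RFC 1918 addresses), not taken from the page.
    key = generate_psk()
    print(f"{psk_entropy_bits(len(key)):.0f} bits of entropy")
    print(check_settings("192.168.10.100", "192.168.10.150", key,
                         ["192.168.10.0/24"]))
```

The range check applies equally to the PPTP server's dynamic assignment range, which carries the same requirement.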
4. Account management setting
From the settings screen of the VPC router you want to configure, select the [Remote Access] tab and then the [Account Management] tab. A list of the configured remote access accounts will appear. Click the [Add] button to add a new one.

The setting screen for adding a remote access client will appear. Enter the information in each setting item.

User name | Enter the user name to be used for connection. |
---|---|
Password | Enter the user’s password. |
*All of them are required items.
Click the [Apply] button.

When the setting is completed, it is added to the list. The created entries can be edited with the pencil icon on the right of the list and deleted with the delete icon.

Note
When you add, change, or delete the remote access client setting, you need to click the [Apply] button to apply the settings to the VPC router. (Even if the VPC router is running, clicking the [Apply] button updates the setting without shutting the router down.)
Also, clicking the [Apply] button does not affect clients currently using a remote access connection (it does not cause disconnection, etc.).
5. View VPN log
Click the [Log] tab on the details screen of a VPC router and click the [VPN] tab. The log is displayed.

Note
The latest 100 recorded logs will appear. (Logs older than the latest 100 logs are not displayed. If you require continuous recording of logs, please use the syslog transfer function.)