Knowledgebase
Central VPN Management (CVM) on Vigor3900
Posted by Roy Panetta on 10 October 2018 02:59 PM

Central VPN Management (CVM) is built into DrayTek routers. It is used to configure and monitor VPN connections from the central router running CVM and branch routers.

Building and managing VPN connections between multiple sites can be a time consuming and frustrating if the VPN tunnels do not come up. Usually for IPSec VPN tunnels there are many parameters to synchronise as well as security associations to build. These include Pre-Shared key, subnet, encryption mode and so on. It just takes one wrong parameter to be entered for the VPN to fail to come up and sometimes you need to trace through the settings or capture the VPN syslogs to discover where you went wrong. Using CVM, it just takes a few clicks and the routers will self-configure the VPN tunnel, thus taking the frustration out of the configuration process.

This application note describes the configuration process to set up CVM on the Vigor3900 to create and manage VPN tunnels up to 16 CPE devices.

The network topology we will be using is shown in the diagram below.

The Vigor3900 is the CVM server and will establish VPN tunnels to each of the CPE routers.

Picture-1

Step 1:  Configure the Vigor3900 as the Central VPN Management Router

1. Go to Central VPN Management >> General Setup >> General Setup menu.

  • Select Enable
  • Select the WAN interface that will be used. (we are using WAN 1 in the example).
  • Enter the required HTTP and HTTPS port numbers between 0~65535. We will use the default values here (HTTP Port 8080, HTTPS Port 8443).
  • Enter a Username and Password. (Username and Password must be the same as the settings on CPE).
  • We will set the username to “acs” and password set to “password”.
  • Enable Polling Status and polling interval to a value between 60 and 86400 seconds.
  • Click Apply to save the settings.

Picture-2

2. Configure VPN General Setup

  • Go to Central VPN Management >> General Setup >> VPN General Setup menu
  • Select the required WAN for the WAN Profile (We will use WAN 1).
  • Enter the Local IP and Subnet. (192.168.1.1/24 for our example)
  • Select the IPsec Security Method and IKE Phase 1 Mode.
  • Click Apply to save the settings.

picture-3

3. Allow Access to Router Management

  • Go to System Maintenance >> Access Control 
  • For Internet Access Control, enable "Web Allow", "Telnet Allow", "SSH Allow", and "HTTPS Allow" and TR069 Allow.
  • Click Apply to save the settings.

picture-4

Step 2:   Configure TR069 in CPE Devices

Vigor2926-A

Part A: Enable Remote Management

  • Log into the Vigor2926-A router (192.168.10.1).
  • Go to System Maintenance >> Management menu.
  • Select Allow management from the Internet.
  • Select TR069 Server.
  • Select HTTP Server, Telnet Server and deselect Disable PING (optional).
  • Click OK to save.

The router will restart to save the settings.

picture-5

Part B: Enable TR069 Settings

  • Go to System Maintenance >> TR-069 Setting menu.
  • Select ACS and CPE Settings tab.
  • Enable TR069
  • ACS Server on “Internet”
  • Click on the Wizard button for ACS Server URL
  • In the pop-up menu enter the following settings
- Select http
- For Server, enter WAN IP address for the Vigor3900
- Enter Port, enter 8080 (has to match setting in Vigor3900)
- Leave Handler at default setting
- Click OK to save
  •  Enter Username: acs
  •  Password: password

Picture-6

  • Select HTTP for CPE Client
     
     
     
      -  The router will automatically fill in the URL details.
      -  You can leave the TR069 Port and username/password at defaults (This must match the settings in the CVM server).
  • Select Enable for Periodic Inform Settings (The Interval time may need to be reduced if stability issues occur).
  • Leave other settings at default values.
  • Enable STUN Settings if required (when router is behind another firewall or NAT).
  • Click on OK to save the settings.
  • Once settings are saved, click on Test With Inform button (you should see the green icon dot appear indicating that communication has been established with the CVM server.

 

Vigor2926-B / Vigor2926-C

Configure the other CPE devices similarly to Vigor2926-A router.  They all should show the green icon dot appear indicating that communication has been established with the CVM server.

 

Step 3: Edit the Managed Device List in the Vigor3900

In the CVM Router (Vigor3900) go to Central Management>>VPN>>CPE Management menu.

You should see the CPE devices in the Managed Devices Status page.  A green tick below the CPE shows that it is online.

picture-9

Selecting a CPE and clicking on Edit allows the Name and Location to be entered.

Picture-9

Step 4: Establishing VPN connections

To establish VPN connection: Go to Central Management >> VPN >>CPE Management menu.

  • Select the VPN Management tab on this page.
  • Select a CPE.
  • Click on a VPN type, here we use IPsec.
  • Click OK when being asked about to establish the VPN tunnel.

picture-10

The VPN tunnels will take a few seconds to be automatically configured and brought online.

Once the VPN tunnels are established they will be listed in the connected devices section on this page as shown below.

picture-11

CPE Maintenance

With CVM, we can also perform CPE maintenance tasks from the central router, such as backup and restore configurations as well as firmware upgrades. To carry out CPE Maintenance tasks, go to Central Management >> VPN>>CPE Management >> CPE Maintenance menu.

Click on Add in the Maintenance section to create a profile.

Picture-12

Now select the required device and action to perform including the scheduled time and date for the action.

picture-12

Firmware files can be uploaded to the CVM router by clicking on the File Explorer tab on this page. The backed-up configuration files can also be downloaded to your computer via File Explorer. Choose the filename and click Download, and the file will be saved to the directory.

 

(1 vote(s))
Helpful
Not helpful

Comments (0)