How to configure IPSec VPN with Originate-Only and Answer-Only Type between UTT Routers

Introduction

This document describes how to configure IPSec VPN between UTT AC750W and UTT U5830G.

Prerequisites

Requirements
A company’s head office uses a U5830G to connect to the Internet, and its branch office uses an AC750W to connect to the Internet.
The U5830G’s WAN Connection Type is Static IP, and the AC750W’s WAN Connection Type is DHCP. The company wants to securely connect the remote branch office to the head office through an IPSec VPN tunnel over the Internet.
 
Components Used
UTT U5830G; Firmware Version: lv5830GV4v1.5.0-131017 (or above);
UTT AC750W; Firmware Version: AC750Wv1.7.0-141217 (or above).

Background Information

Configure

Network Diagram
 

Configure the U5830G:

1. Log in to the Web UI of the U5830G, go to the “VPN > IPSec” page, and click “Add”, as shown in Figure 1-1:
Figure 1-1
 
2. Select the Answer-Only Connection Type, configure the Remote, Local, and Security Options, keep the Advanced Options at their defaults, then click “Save”, as shown in Figure 1-2:
Figure 1-2

 

Configure the AC750W:

1. Log in to the Web UI of the AC750W, go to the “VPN > IPSec” page, and click “Add”, as shown in Figure 1-3:
Figure 1-3
 
2. Select the Originate-Only Connection Type, because the remote peer has a static IP address and the local WAN connection is DHCP. Then configure the Remote, Local, and Security Options, keep the Advanced Options at their defaults, and click “Save”, as shown in Figure 1-4:
Figure 1-4
 
3. The IPSec List page is displayed. Select the VPN you just created, then click Connect, as shown in Figure 1-5:
Figure 1-5
 
Complete VPN Configuration:
The Status of the IPSec VPN will show Established on both the U5830G and the AC750W, as shown in Figure 1-6 and Figure 1-7:
Figure 1-6
Figure 1-7
 
Test VPN:
From PC2, you can ping PC1’s IP address, 192.168.1.100, as shown in Figure 1-8:
Figure 1-8
 

Troubleshoot and Tips:

1. The same LAN IP address can’t be used on both peers.

2. VPN Connection Types:

Bidirectional: (Static-to-Static IPSec VPN).

Originate-Only: (Dynamic-to-Static IPSec VPN) In this case, the local UTT VPN gateway can only act as an initiator, and both IPSec endpoints should use aggressive mode for phase 1 IKE negotiation.

Answer-Only: (Static-to-Dynamic IPSec VPN) In this case, the local UTT VPN gateway can only act as a responder, and both IPSec endpoints should use aggressive mode for phase 1 IKE negotiation.
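
The two tips above as a pre-flight check on a planned tunnel pair. This Python script is an added example, not UTT code or part of the original document. It reads tip 1 as "the LAN ranges must not overlap", which goes slightly beyond the tip's wording; the dictionary fields and the LAN ranges are constructed for illustration.

```python
import ipaddress

def required_type(local_wan, remote_wan):
    """Connection Type for the local gateway, per tip 2, given each side's
    WAN addressing: 'static' or 'dynamic' (for example DHCP)."""
    if local_wan == "static" and remote_wan == "static":
        return "Bidirectional"
    if local_wan == "dynamic" and remote_wan == "static":
        return "Originate-Only"
    if local_wan == "static" and remote_wan == "dynamic":
        return "Answer-Only"
    raise ValueError("tip 2 lists no type for dynamic-to-dynamic")

def check_pair(a, b):
    """Return a list of problems found in two planned tunnel endpoints."""
    problems = []
    for local, remote in ((a, b), (b, a)):
        want = required_type(local["wan"], remote["wan"])
        if local["type"] != want:
            problems.append(
                f"{local['name']}: type {local['type']}, expected {want}")
        # Tip 2: Originate-Only and Answer-Only both need aggressive mode.
        if local["type"] != "Bidirectional" and local["ike_mode"] != "aggressive":
            problems.append(
                f"{local['name']}: {local['type']} needs aggressive mode")
    # Tip 1, generalized from "same LAN IP address" to overlapping ranges.
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        problems.append(f"LAN ranges overlap: {a['lan']} and {b['lan']}")
    return problems

# Constructed sample plan; the LAN ranges are not taken from the document.
HEAD = {"name": "U5830G", "wan": "static", "type": "Answer-Only",
        "ike_mode": "aggressive", "lan": "192.168.1.0/24"}
BRANCH = {"name": "AC750W", "wan": "dynamic", "type": "Originate-Only",
          "ike_mode": "aggressive", "lan": "192.168.2.0/24"}

if __name__ == "__main__":
    for line in check_pair(HEAD, BRANCH) or ["plan is consistent"]:
        print(line)
```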