Funkwerk bintec R1200 Manual page 332


11 VPN
bintec devices support the DynDNS service to enable hosts without fixed IP addresses to
obtain a secure connection over the Internet. This service enables a peer to be identified
using a host name that can be resolved by DNS. You do not need to configure the IP
address of the peer.
The DynDNS service does not signal whether a peer is actually online and cannot cause a
peer to set up an Internet connection to enable an IPSec tunnel over the Internet. IPSec
callback provides this capability: using a direct ISDN call to a peer, you can signal
that you are online and waiting for the peer to set up an IPSec tunnel over the Internet. If
the called peer currently has no connection to the Internet, the ISDN call causes a
connection to be set up. This ISDN call costs nothing (depending on country), as it does not
have to be accepted by your device. The identification of the caller from his or her ISDN
number is enough information to initiate setting up a tunnel.
Before you can configure this service, you must first configure a number for IPSec callback
on the passive side in the Physical Interfaces -> ISDN Ports -> MSN Configuration ->
New menu. The value IPSec is available for this purpose in the Service field. This entry
ensures that incoming calls for this number are routed to the IPSec service.
With active callback, the peer is prompted by an ISDN call to initiate setting up an IPSec
tunnel as soon as this tunnel is required. With passive callback, the set-up of a tunnel to
the peer is always initiated if an ISDN call to the corresponding number (MSN in the
Physical Interfaces -> ISDN Ports -> MSN Configuration -> New menu for Service IPSec) is
received. This ensures that both peers are reachable and that the connection can be set up
over the Internet. The only case in which callback is not executed is if SAs (Security
Associations) already exist, i.e. the tunnel to the peer already exists.
Note
If a tunnel is to be set up to a peer, the interface over which the tunnel is to be
implemented is activated first by the IPSec Daemon. If IPSec with DynDNS is configured on
the local device, the device's own IP address is propagated first and then the ISDN call is
sent to the remote device. This ensures that the remote device can actually reach the local
device if it initiates the tunnel setup.
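The callback decisions and the ordering from the Note, written out as a small model. This is an added example, not bintec firmware or configuration; all class, field and step names are hypothetical, the ISDN numbers and MSN are constructed, and ignoring a call from an unidentified number is an assumption drawn from the caller-identification sentence above.

```python
# Added model of the callback decisions above; not bintec firmware code.
# All class, field and step names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Peer:
    isdn_number: str       # calling number that identifies this peer
    mode: str              # "active" or "passive" callback
    has_sas: bool = False  # True once the tunnel to this peer exists

@dataclass
class Device:
    ipsec_msn: str         # MSN whose Service field is set to IPSec
    dyndns: bool = False   # IPSec with DynDNS configured locally
    peers: list = field(default_factory=list)

    def tunnel_required(self, peer):
        """Active side: steps taken when a tunnel to peer is needed."""
        if peer.has_sas:
            return []                          # SAs exist: no callback
        steps = ["activate_interface"]         # done first by the IPSec daemon
        if self.dyndns:
            steps.append("propagate_own_ip")   # before the call, so the peer can reach us
        if peer.mode == "active":
            steps.append("isdn_call:" + peer.isdn_number)  # signal only, not accepted
        return steps

    def incoming_call(self, called_msn, calling_number):
        """Passive side: reaction to an incoming ISDN call."""
        if called_msn != self.ipsec_msn:
            return ["not_routed_to_ipsec"]     # MSN is not assigned to Service IPSec
        peer = next((p for p in self.peers
                     if p.mode == "passive" and p.isdn_number == calling_number), None)
        if peer is None:
            return ["no_matching_peer"]        # assumption: unidentified caller triggers nothing
        if peer.has_sas:
            return []                          # tunnel already exists
        return ["activate_interface", "initiate_tunnel"]

# Constructed sample data: numbers and MSN are made up.
branch = Device(ipsec_msn="100", dyndns=True, peers=[Peer("555100", "active")])
hq = Device(ipsec_msn="100", peers=[Peer("555200", "passive")])
```

Note that in this model the calling number only selects which peer to contact; it triggers tunnel setup and nothing else.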
Transfer of IP Address over ISDN
Transferring the IP address of a device over ISDN (in the D channel and/or B channel)
opens up new possibilities for the configuration of IPSec VPNs. This enables restrictions
that occur in IPSec configuration with dynamic IP addresses to be avoided.
Funkwerk Enterprise Communications GmbH
bintec R1xxx/R3xxx/R4xxx
