Digi TransPort WR31 User Manual page 426

Configure Virtual Private Networking (VPN)
Preliminary IP Tunnel configuration
The IPsec tunnel configuration Configuration > Network > Virtual Private Networking (VPN) >
IPsec > IPsec Tunnels > IPsec n differs from a normal configuration in the following ways:
Peer IP/hostname: Because the peer IP address to each peer is unknown and is retrieved from
▪
the database, this field is left empty.
Bakpeerip (CLI only): Because the peer IP address to each peer is unknown and is retrieved from
▪
the database, this field is left empty.
Peer ID: When the host Digi is acting as a responder during IKE negotiations, the router uses the
▪
ID supplied by the remote to decide whether or not the MySQL database should be interrogated.
So that the router can make this decision, the remote router must supply an ID that matches the
peerid configured into the IPsec tunnel. Wildcard matching is supported which means that the
peerid may contain * and ? characters. If only one IPsec tunnel is configured, the peerid field
may contain a *, indicating that all remote IDs result in a MySQL look up.
Local subnet IP address / Local subnet mask: Configured as usual.
▪
Remote subnet IP address / Remote subnet mask: These fields should be configured in such a
▪
way that packets to ALL remote sites fall within the configured subnet. such as if there are two
sites with remote subnets 192.168.0.0/24, and 192.168.1.0/24 respectively, a valid
configuration for the host would be 192.168.0.0/23 so that packets to both remote sites match.
All other fields should be configured as usual. It is possible to set up other IPsec groups linked with
other IPsec tunnels. This would be done if there is a second group of remote sites that have a
different set of local and remote subnets, or perhaps different encryption requirements. The only
real requirement is that this second group uses peer IDs that do not match up with those in use by
the first IPsec group.
Digi TransPort WR Routers User Guide
IPsec parameters
426