Digi TransPort WR11 User Manual page 490

Configuring Virtual Private Networking (VPN)
2. The VPN Concentrator creates a SELECT query using the destination IP address of the packet
and the mask configured in the IPsec group configuration to determine the remote subnet
address. This means that the remote subnet mask must be the same on all sites using the
current IPsec group.
3. Once the site-specific information is retrieved, the router creates a dynamic IPsec tunnel
which is based upon the base IPsec tunnel configuration plus the site-specific information from
the MySQL database.
4. The router then uses the completed IPsec tunnel configuration and IKE to create the IPsec
SAs.
5. For the pre-shared key, IKE uses the password returned from the MySQL database rather than
doing a local lookup in the user configuration.
6. Once created, the SAs are linked with the dynamic IPsec tunnel. Replacement SAs are created
as the lifetimes start to get low and traffic is still flowing.
7. When all SAs to this remote router are removed, the dynamic IPsec tunnel is removed, allowing
reuse of the IPsec tunnel to create tunnels to other remote sites.
8. When processing outgoing packets, dynamic IPsec Tunnels are searched before base IPsec
tunnels. If a matching dynamic IPsec tunnel is found, the router uses that tunnel, and the base
IPsec tunnel is only matched if no dynamic IPsec tunnel exists.
9. Once the dynamic IPsec tunnel is removed, further outgoing packets will match the base IPsec
tunnel and the process is repeated.
VPN Concentrator acting as a responder to a session initiated from the remote site
1. When a remote site needs to create an IPsec SA with the VPN Concentrator it sends an IKE
request to the VPN Concentrator.
2. The VPN Concentrator needs to be able to confirm that the remote device is authorized to
create an IPsec tunnel. The remote site supplies its ID to the host during the IKE negotiations.
The VPN Concentrator uses this ID in a search of the configured IPsec tunnels and dynamic
IPsec tunnels to see if the supplied ID matches the configured Peer ID (peerid). If a match is
found, the MySQL database is queried to retrieve the information required to complete the
negotiation (such as the pre-shared key/password). If no matching base IPsec tunnel is found,
the router uses the local user configuration to locate the password, and a normally configured
IPsec tunnel must also exist.
3. Once the information is retrieved from the MySQL database, IKE negotiations continue, and the
created IPsec SAs will be associated with the dynamic IPsec tunnel.
4. As long as the dynamic IPsec tunnel exists, it behaves just like a normal IPsec tunnel, with
SAs being replaced or removed as required.
5. If errors are received from the MySQL database, or not enough fields are returned, the dynamic
IPsec tunnel is removed, and IKE negotiations in progress are terminated.
Digi TransPort® Routers User Guide
Configure Internet Protocol security (IPsec)
490