Digi TransPort WR11 User Manual page 491

Configuring Virtual Private Networking (VPN)
6. There are a limited number of dynamic IPsec tunnels. If the number of free dynamic IPsec
tunnels is less than 10 percent of the total number of dynamic IPsec tunnels, the router
periodically removes the oldest dynamic IPsec tunnel. This is done to ensure that there will
always be some free dynamic IPsec tunnels available for incoming connections from remote
routers. To view the dynamic tunnels that currently exist using the web server, browse to
Management > Connections > Virtual Private Networking (VPN) > IPsec. The table
shows the base IPsec tunnel and the Remote Peer ID in the status display, to help identify
which remote sites are currently connected.
Preliminary IP Tunnel configuration
The IPsec tunnel configuration Configuration > Network > Virtual Private Networking (VPN) >
IPsec > IPsec Tunnels > IPsec n differs from a normal configuration in the following ways:
• Peer IP/hostname: Because the peer IP address of each peer is unknown and is retrieved
  from the database, this field is left empty.
• Bakpeerip (CLI only): Because the backup peer IP address of each peer is unknown and is
  retrieved from the database, this field is left empty.
• Peer ID: When the host Digi router is acting as a responder during IKE negotiations, it uses
  the ID supplied by the remote to decide whether or not the MySQL database should be
  interrogated. So that the router can make this decision, the remote router must supply an ID
  that matches the peerid configured in the IPsec tunnel. Wildcard matching is supported,
  which means that the peerid may contain * and ? characters. If only one IPsec tunnel is
  configured, the peerid field may contain a single *, indicating that all remote IDs result in a
  MySQL look-up.
• Local subnet IP address / Local subnet mask: Configured as usual.
• Remote subnet IP address / Remote subnet mask: These fields should be configured in such
  a way that packets to ALL remote sites fall within the configured subnet. For example, if there
  are two sites with remote subnets 192.168.0.0/24 and 192.168.1.0/24 respectively, a valid
  configuration for the host would be 192.168.0.0/23, so that packets to both remote sites
  match.
All other fields should be configured as usual. It is possible to set up other IPsec groups linked with
other IPsec tunnels. This would be done if there is a second group of remote sites that have a
different set of local and remote subnets, or perhaps different encryption requirements. The only real
requirement is that this second group uses peer IDs that do not match up with those in use by the
first IPsec group.
IPsec Group configuration
This configuration holds information relating to the MySQL database, and the names of the fields
where the information is held. This configuration also identifies which IPsec tunnels create dynamic
IPsec tunnels.
Example MySQL schema
mysql> describe eroutes;
+-----------+-------------+------+-----+---------+-------+
| Field     | Type        | Null | Key | Default | Extra |
+-----------+-------------+------+-----+---------+-------+
| peerip    | varchar(20) | YES  |     | NULL    |       |
| bakpeerip | varchar(20) | YES  |     | NULL    |       |
| peerid    | varchar(20) | NO   | PRI |         |       |
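The following is an added example, not Digi firmware code, that models the responder behaviour described in the Peer ID and Remote subnet items above and the look-up against the eroutes schema shown here. MySQL is stood in for by an in-memory SQLite table with the same three columns (peerip, bakpeerip, peerid); the peer IDs, addresses and subnets are constructed sample data, and the function names are the example's own.

```python
"""Model of the TransPort dynamic-IPsec responder decision.

Added example, not Digi firmware code. An in-memory SQLite table stands in
for the MySQL 'eroutes' table (same three columns as the manual's schema).
All peer IDs, addresses and subnets below are constructed sample data.
"""
import ipaddress
import re
import sqlite3
from typing import List, Optional, Sequence, Tuple

# Mirrors the three columns visible in the manual's 'describe eroutes' output.
SCHEMA = """
CREATE TABLE eroutes (
    peerip    VARCHAR(20),
    bakpeerip VARCHAR(20),
    peerid    VARCHAR(20) NOT NULL PRIMARY KEY
)
"""

# Constructed rows: one per remote site; peerid is the IKE ID the remote sends.
SAMPLE_ROWS = [
    ("203.0.113.10", "203.0.113.11", "site1.example.com"),
    ("198.51.100.20", None, "site2.example.com"),
]


def peerid_matches(configured_peerid: str, remote_id: str) -> bool:
    """Wildcard test the responder applies before touching the database:
    '*' matches any run of characters, '?' exactly one; all else literal."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in configured_peerid
    )
    return re.fullmatch(pattern, remote_id) is not None


def ambiguous_ids(peerid_a: str, peerid_b: str, candidates: Sequence[str]) -> List[str]:
    """IDs that would match the peerid of two different IPsec groups.
    The manual's only requirement for a second group is that this be empty."""
    return [r for r in candidates
            if peerid_matches(peerid_a, r) and peerid_matches(peerid_b, r)]


def covering_remote_subnet(subnets: Sequence[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every remote site's subnet, i.e.
    the value to put in the tunnel's Remote subnet fields. strict=True rejects
    inputs with host bits set (a typo like 192.168.1.5/24)."""
    nets = [ipaddress.IPv4Network(s, strict=True) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen one bit at a time
    return cover


class RouteDB:
    """Stand-in for the MySQL database (assumption: SQLite, in memory)."""

    def __init__(self, rows: Sequence[Tuple[str, Optional[str], str]]) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)
        self.conn.executemany("INSERT INTO eroutes VALUES (?, ?, ?)", rows)

    def lookup(self, peerid: str) -> Optional[Tuple[str, Optional[str]]]:
        # peerid is the primary key, so the look-up is exact, never a wildcard.
        return self.conn.execute(
            "SELECT peerip, bakpeerip FROM eroutes WHERE peerid = ?", (peerid,)
        ).fetchone()


def responder_decision(tunnel_peerid: str, remote_id: str,
                       db: RouteDB) -> Optional[Tuple[str, Optional[str]]]:
    """Returns (peerip, bakpeerip) for a remote whose ID matches the tunnel's
    peerid and has a database row; None otherwise (no tunnel is created)."""
    if not peerid_matches(tunnel_peerid, remote_id):
        return None          # ID is not for this tunnel; database not consulted
    return db.lookup(remote_id)  # None when no row exists for this remote


if __name__ == "__main__":
    db = RouteDB(SAMPLE_ROWS)
    print(responder_decision("*.example.com", "site1.example.com", db))
    print(covering_remote_subnet(["192.168.0.0/24", "192.168.1.0/24"]))
    print(ambiguous_ids("*", "site?.example.com", ["site1.example.com"]))
```

Note that a tunnel whose peerid is a bare * sends every remote ID to the database, so a second IPsec group with a more specific peerid behind it is never reached: ambiguous_ids reports exactly that overlap.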