Digi Connect WAN Series User Manual page 68

Digi Connect WAN Family web interface
Digi device uses Network Address Translation (NAT), where only the mobile IP address is visible to the
outside. Private IP addresses are typically used on the remote site LAN connected to the Digi device's
Ethernet port. All outgoing traffic, except the tunneled VPN traffic, uses the mobile IP address of the
Digi device. Using the example network above, the process for initiating VPN tunnels works like this:
1. Typically, a host or device on the remote subnet (in this case, 172.17.1.0) requests information
from a host on the main site (HQ) subnet (172.16.5.0). For example, a computer at 172.17.1.20
needs a file from 172.16.5.100.
2. The Digi device sees the request is on the HQ subnet and verifies a VPN tunnel exists between
the two sites.
3. If no tunnel exists, the Digi device initiates a VPN tunnel request to its peer — the VPN
concentrator at HQ. The VPN policy settings are compared, and if they match, an IPsec tunnel
is created between the Digi device and the VPN concentrator. Traffic is encrypted as defined in
the VPN policies.
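The per-packet decision described in steps 1 to 3, modelled in Python as an added example (this is not Digi's code). It assumes the /24 masks for the 172.17.1.0 and 172.16.5.0 subnets from the example network, a constructed public mobile address 203.0.113.7, and uses the private-range rule from the next section as a precondition.

```python
from ipaddress import ip_address, ip_network

# Private ranges named on the page: a mobile IP inside one means the
# carrier is applying NAT, so the Digi device cannot terminate an IPsec peer.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"),
                  ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]


def mobile_ip_is_usable(mobile_ip: str) -> bool:
    """True when the mobile interface address is publicly reachable."""
    addr = ip_address(mobile_ip)
    return not any(addr in net for net in PRIVATE_RANGES)


class DigiVpnRouter:
    """Toy model of the Digi device's NAT-or-tunnel choice (constructed)."""

    def __init__(self, mobile_ip: str, local_subnet: str, remote_subnet: str):
        if not mobile_ip_is_usable(mobile_ip):
            raise ValueError(f"{mobile_ip} is private: carrier NAT in use")
        self.mobile_ip = ip_address(mobile_ip)
        self.local = ip_network(local_subnet)     # remote-site LAN behind the Digi
        self.remote = ip_network(remote_subnet)   # HQ subnet behind the concentrator
        self.tunnel_up = False

    def request_tunnel(self, peer_local: str, peer_remote: str) -> bool:
        """Step 3: the HQ policy must mirror ours (its local is our remote)."""
        match = (ip_network(peer_local) == self.remote
                 and ip_network(peer_remote) == self.local)
        self.tunnel_up = match
        return match

    def route(self, src: str, dst: str) -> tuple:
        """Steps 1-2: decide what happens to a packet from src to dst."""
        s, d = ip_address(src), ip_address(dst)
        if s in self.local and d in self.remote:
            if not self.tunnel_up:
                return ("tunnel-request", str(self.remote))
            return ("ipsec", str(self.remote))
        # Everything else leaves NATed behind the mobile address.
        return ("nat", str(self.mobile_ip))
```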
VPN tunnel requirements
To establish an IPsec VPN tunnel, the IP address of the mobile interface must be publicly accessible.
You can specify either a static or dynamic IP address depending on the requirements of your VPN end
point. However, you cannot specify an IP address in a private range of addresses (for example,
10.0.0.0, 172.16.0.0 or 192.168.0.0). If the mobile IP address is within one of the private IP address
ranges, the mobile carrier is using a NAT (Network Address Translation) server between your mobile
IP address and the Internet.
GSM-GPRS/EDGE APN type requirements
If the VPN end points require static (persistent) IP addresses, you may need a custom access point
name (APN). An Internet APN can work in these cases:
- The main site (HQ) VPN appliance can support Dynamic DNS names.
- Use another form of authentication (for example, FQDN).
Be aware that these APNs are based on AT&T; other carrier APNs may have similar requirements.
CDMA carrier requirements
The CDMA (Code-Division Multiple Access) carrier requirements are similar to GSM in that static IP
addresses may be required depending on the host site concentrator VPN implementation. In both
cases, the Digi device's mobile IP address will likely need to support mobile terminated data; that is,
the ability to accept incoming data connections.
HQ router / VPN appliance configuration
For supported protocols, see the IPsec specifications for your Digi device. Security policies on the HQ VPN
device must match those on the Digi device. The HQ VPN appliance's peer address is the Digi device's
mobile IP address.
Console port
You can configure the Digi device's console port for Console Management to provide SSH or telnet
access. You can connect the Digi device's console port to the router or VPN appliance's console port to
provide true diverse out-of-band console access.
Configuring and managing VPN settings from the command line
In the command-line interface, the set vpn command configures VPN connections, and the vpn
command manages them. These commands are described in the Digi Connect WAN Family Command