Customer Remote Access Configuration; Tunnel Negotiation; Ppp Connection Configuration - Digi WR21 Installation, Operation And Maintenance Manual

Customer Remote Access Configuration

Trane Connect Remote Access is the preferred method for secure remote access to a Tracer BAS
for both Trane employees and customers. Alternatively, when access to additional devices on the
BAS network is needed (i.e. non-Trane gateway device), the Digi WR21 can be utilized as a VPN
endpoint. If only Trane personnel require access, TraneConnect should be used, and this section
can be skipped.
If the Digi WR21 is being placed downstream of another router or firewall and NAT is being used
(the WR21 does not have a public IP assigned on LAN 0), then the upstream router will need to
permit/forward the following ports: UDP/1701, UDP/4500, and UDP/500.
N N o o t t e e : : If the customer is using Windows 7, and the WR21 does not have a public IP address, the

Tunnel Negotiation

If the Digi WR21 is behind a NAT Firewall (the Digi does NOT have a public IP address) then
tunnel negotiation settings must be updated. If the WR21 has been supplied with a public IP
address, the following procedure can be skipped.
1. On the WR21 configuration page, click on N N e e t t w w o o r r k k in the left hand menu.
2. In the right-side window, navigate to V V i i r r t t u u a a l l P P r r i i v v a a t t e e N N e e t t w w o o r r k k i i n n g g ( ( V V P P N N ) ) > > I I P P s s e e c c > > I I P P s s e e c c
3. Select the check box next to N N e e g g o o t t i i a a t t e e a a d d i i f f f f e e r r e e n n t t I I P P a a d d d d r r e e s s s s a a n n d d M M a a s s k k
4. In the box next to I I P P A A d d d d r r e e s s s s , enter the public facing IP address of the internet-connected
5. In the box next to M M a a s s k k , enter 255.255.255.255.
6. Click A A p p p p l l y y when complete.
Figure 18. Digi WR21 VPN setup

PPP Connection Configuration

If the configuration for ETH 1 (network attached to LAN 1 of the Digi WR21) has been changed
from the default of 192.168.209.0, the PPP interfaces assigned to VPN access must also be
updated. If the default network of 192.168.209.0 has been retained, the following procedure can
be skipped.
1. Click on the N N e e t t w w o o r r k k link in the left hand menu.
2. In the right-hand window, navigate to I I n n t t e e r r f f a a c c e e s s > > A A d d v v a a n n c c e e d d > > P P P P P P 5 5 – – L L 2 2 T T P P 0 0
3. In b b o o x x A A (see figure below), enter the IP address used to configure E E T T H H 1 1 earlier in the
BAS-SVX069F-EN
customer must apply a registry fix. Navigate to the
Sharepoint site. Locate the link to the NAT Registry fix. Click to open and then double-click
on the file labeled N N A A T T - - T T R R e e g g i i s s t t r r y y f f i i x x . . r r e e g g to apply the settings to the registry. Click Yes in
the registry editor warning box to apply the new settings. When complete, restart the PC.
T T u u n n n n e e l l s s > > I I P P s s e e c c 0 0 T T r r a a n n e e V V P P N N > > T T u u n n n n e e l l N N e e g g o o t t i i a a t t i i o o n n .
edge router.
document.
Trane Technologies IT Security
23