Digi TX40 User Manual page 463

Virtual Private Networks (VPN)
Required configuration items

- IPsec tunnel configuration items:
  - A name for the tunnel.
    Note: If the tunnel name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000. This affects any custom scripts or firewall rules that may be trying to adjust the tunnel's interface or routing table entries.
  - The mode: either tunnel or transport.
  - Enable the IPsec tunnel. The IPsec tunnel is enabled by default.
  - The firewall zone of the IPsec tunnel.
  - The routing metric for routes associated with this IPsec tunnel.
  - The authentication type and pre-shared key or other applicable keys and certificates. If SCEP certificates will be selected as the Authentication type, create the SCEP client prior to configuring the IPsec tunnel. See Configure a Simple Certificate Enrollment Protocol client for instructions.
  - The local endpoint type and ID values, and the remote endpoint host and ID values.
- IKE configuration items:
  - The IKE version, either IKEv1 or IKEv2.
  - Whether to initiate a key exchange or wait for an incoming request.
  - The IKE mode, either main or aggressive.
  - The IKE authentication protocol to use for the IPsec tunnel negotiation during phase 1 and phase 2.
  - The IKE encryption protocol to use for the IPsec tunnel negotiation during phase 1 and phase 2.
  - The IKE Diffie-Hellman group to use for the IPsec tunnel negotiation during phase 1 and phase 2.
- Enable dead peer detection and configure the delay and timeout.
- Destination networks that require source NAT.
- Active recovery configuration. See Configure SureLink active recovery for IPsec for information about IPsec active recovery.

Additional configuration items

The following additional configuration settings are not typically configured to get an IPsec tunnel working, but can be configured as needed:

- Determine whether the device should use UDP encapsulation even when it does not detect that NAT is being used.
- If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel.
- The Network Address Translation (NAT) keep alive time.
- The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH).
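The tunnel-name note above, as an added example that is not from the Digi manual: a Python check that flags custom script or firewall rule lines still naming a tunnel in full when its interface name will be truncated, and lists tunnels that share a six-character prefix. It assumes rules reference the interface by the tunnel name as a whole token and that names of eight characters or fewer are used unchanged; `iface_regex` and `audit` are hypothetical helper names, and the tunnel names and rule lines are constructed samples.

```python
import re
from collections import defaultdict

MAX_LEN, KEEP, DIGITS = 8, 6, 3  # limits stated in the tunnel-name note

def iface_regex(tunnel):
    """Regex for the interface name derived from a configured tunnel name."""
    if len(tunnel) <= MAX_LEN:
        return re.escape(tunnel)  # assumption: short names are used unchanged
    # First six characters plus a three-digit counter; the counter value is
    # not predicted here, so any three digits are accepted.
    return re.escape(tunnel[:KEEP]) + r"\d{%d}" % DIGITS

def audit(tunnels, rule_lines):
    """Return (stale, ambiguous) for a set of tunnel names and rule lines.

    stale:     (line_no, tunnel, regex) for each line that names a truncated
               tunnel in full, which will not match the real interface.
    ambiguous: six-character prefix -> tunnels sharing it, which only the
               numeric suffix tells apart.
    """
    long_names = [t for t in tunnels if len(t) > MAX_LEN]
    stale = []
    for no, line in enumerate(rule_lines, 1):
        for t in long_names:
            # Whole-token match so "branch-east" does not hit "branch-east2".
            if re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])", line):
                stale.append((no, t, iface_regex(t)))
    groups = defaultdict(list)
    for t in long_names:
        groups[t[:KEEP]].append(t)
    ambiguous = {p: ts for p, ts in groups.items() if len(ts) > 1}
    return stale, ambiguous

# Constructed sample data (not from the manual).
TUNNELS = ["hq", "branch-east", "branch-west", "tunnel08"]
RULES = [
    "iptables -A FORWARD -o branch-east -j ACCEPT",
    "iptables -A FORWARD -o hq -j ACCEPT",
    "ip route add 10.9.0.0/16 dev branch000",
]

if __name__ == "__main__":
    stale, ambiguous = audit(TUNNELS, RULES)
    for no, tunnel, rx in stale:
        print(f"line {no}: '{tunnel}' is truncated; match /{rx}/ instead")
    for prefix, names in ambiguous.items():
        print(f"prefix '{prefix}' shared by {names}; verify suffix on device")
```

Where two tunnels share a prefix, confirm on the device which numeric suffix belongs to which tunnel before writing rules against it.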
