Digi WAN 3G User Manual page 85

Digi - connect wan 3g wireless router

Example VPN configuration
The diagram shows a Digi Connect WAN VPN used as a primary remote site router:
[Figure: Remote Site, Digi Connect WAN VPN (166.123.99.99, 172.17.1.1).]

How VPN tunnels work
The Digi device's Ethernet port usually connects to a switch or hub, which then connects to other
Ethernet devices. The mobile/cellular carrier provides only one IP address to the mobile interface.
The Digi device uses Network Address Translation (NAT), where only the mobile IP address is
visible to the outside. Private IP addresses are typically used on the remote site LAN connected to
the Digi device's Ethernet port. All outgoing traffic, except the tunneled VPN traffic, uses the
mobile IP address of the Digi device. Using the example network above, the process for initiating
VPN tunnels works like this:
1. Typically, a host or device on the remote subnet (in this case, 172.17.1.0) requests
   information from a host on the main site (HQ) subnet (172.16.5.0). For example, a computer
   at 172.17.1.20 needs a file from 172.16.5.100.
2. The Digi device sees the request as being on the HQ subnet and checks whether a VPN
   tunnel exists between the two sites.
3. If no tunnel exists, the Digi device initiates a VPN tunnel request to its peer, the VPN
   concentrator at HQ. The VPN policy settings are compared, and if they match, an IPsec
   tunnel is created between the Digi device and the VPN concentrator. Traffic is encrypted as
   defined in the VPN policies.
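
The forwarding decision described in the steps above, as an added Python model (not code from the manual or from Digi). The /24 masks, the policy dictionaries, the role of each address as read from the diagram labels, and the choice to drop HQ-bound traffic when negotiation fails are assumptions of this example.

```python
import ipaddress

# Addresses from the example network. The /24 masks are an assumption:
# the manual gives only 172.17.1.0 and 172.16.5.0.
REMOTE_LAN = ipaddress.ip_network("172.17.1.0/24")
HQ_LAN = ipaddress.ip_network("172.16.5.0/24")
MOBILE_IP = "166.123.99.99"   # Digi mobile interface (assumed from the diagram)
HQ_PEER = "209.123.123.123"   # HQ VPN concentrator (assumed from the diagram)


class RemoteRouter:
    """Toy model of the remote-site router's per-packet decision."""

    def __init__(self, local_policy, peer_policy):
        self.local_policy = local_policy   # hypothetical VPN policy settings
        self.peer_policy = peer_policy
        self.tunnel_up = False
        self.negotiations = 0

    def _negotiate(self):
        # Step 3: policy settings are compared; the tunnel exists only on a match.
        self.negotiations += 1
        self.tunnel_up = self.local_policy == self.peer_policy
        return self.tunnel_up

    def forward(self, src, dst):
        """Return (action, outer_src, outer_dst) for one outgoing packet."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in REMOTE_LAN:
            return ("drop", None, None)        # not from the remote LAN
        if dst_ip in HQ_LAN:                   # step 2: destination is on the HQ subnet
            if not self.tunnel_up and not self._negotiate():
                # Assumption of this model: traffic matching the VPN selector
                # is never sent unencrypted when negotiation fails.
                return ("drop", None, None)
            return ("esp", MOBILE_IP, HQ_PEER)  # encrypted; private IPs stay inside
        return ("nat", MOBILE_IP, dst)          # all other traffic leaves via NAT


if __name__ == "__main__":
    policy = {"encryption": "aes", "authentication": "sha1"}  # constructed values
    router = RemoteRouter(policy, dict(policy))
    print(router.forward("172.17.1.20", "172.16.5.100"))  # first packet sets up the tunnel
    print(router.forward("172.17.1.20", "198.51.100.7"))  # non-VPN traffic is NATed
```

When reviewing a real deployment, the mismatch branch is the one to verify: confirm what the device does with HQ-bound packets while no tunnel is established.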

[Figure, continued: IPsec ESP private IP tunnel across the cellular data network and the Internet to the HQ VPN appliance (172.16.5.1, 209.123.123.123).]
