Funkwerk Bintec R41000 Reference page 312

Bintec r1xxx/r3xxx/r4xxx gateways reference manual

18 VPN
Field
IPSec Callback
bintec devices support the DynDNS service to enable hosts without fixed IP addresses to obtain a secure connection over the Internet. This service enables a peer to be identified using a host name that can be resolved by DNS. You do not need to configure the IP address of the peer.
The DynDNS service does not signal whether a peer is actually online and cannot cause a peer to set up an Internet connection to enable an IPSec tunnel over the Internet. This possibility is created with IPSec callback: Using a direct ISDN call to a peer, you can signal that you are online and waiting for the peer to set up an IPSec tunnel over the Internet. If the called peer currently has no connection to the Internet, the ISDN call causes a connection to be set up. This ISDN call costs nothing (depending on country), as it does not have to be accepted by your device. The identification of the caller from his or her ISDN number is enough information to initiate setting up a tunnel.
To set up this service, a call number for the IPSec callback must first be set up on the passive side in the Physical Interfaces->ISDN Ports->MSN Configuration->New menu. The value is available for this purpose in the Service field. This entry ensures that incoming calls for this number are routed to the IPSec service.
If callback is active, an ISDN call prompts the peer to initiate setting up an IPSec tunnel as soon as this tunnel is required. If callback is set to passive, setting up a tunnel to the peer is always initiated if an ISDN call is received on the relevant number (MSN in menu Physical Interfaces->ISDN Ports->MSN Configuration->New for Service ). This ensures that both peers are reachable and that the connection can be set up over the Internet. The only case in which callback is not executed is if SAs (Security Associations) already exist, i.e. the tunnel to the peer already exists.
Note
If a tunnel is to be set up to a peer, the interface over which the tunnel is to be implemented is activated first by the IPSec Daemon. If IPSec with DynDNS is configured on the local device, its own IP address is propagated first and then the ISDN call is sent to the remote device. This ensures that the remote device can actually reach the local device if it initiates the tunnel setup.
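The callback sequence described above, modelled for both sides as an added Python example; it is not code from the manual or from the device firmware. The class and method names, the sample numbers and host names, and the rule that a call from an unmatched number triggers nothing are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    hostname: str            # DynDNS name of the remote gateway
    isdn_number: str         # remote ISDN number used for signalling
    callback: str            # "active" or "passive" (modelled modes)
    sas_exist: bool = False  # True once the tunnel to this peer is up

@dataclass
class Gateway:
    peers: list
    ipsec_msns: set = field(default_factory=set)  # MSNs routed to IPSec
    uses_dyndns: bool = True
    online: bool = False
    log: list = field(default_factory=list)

    def _activate_interface(self):  # interface for the tunnel comes up first
        if not self.online:
            self.online = True
            self.log.append("activate interface")

    def tunnel_required(self, peer):  # calling side, callback active
        if peer.sas_exist:
            return "skipped: SAs exist"
        self._activate_interface()
        if self.uses_dyndns:  # own address must be resolvable before calling
            self.log.append("propagate own IP via DynDNS")
        self.log.append(f"ISDN call to {peer.isdn_number}")
        return "peer signalled"

    def incoming_call(self, called_msn, caller_number):  # called side, passive
        if called_msn not in self.ipsec_msns:
            return "ignored: MSN not routed to IPSec"
        peer = next((p for p in self.peers if p.isdn_number == caller_number
                     and p.callback == "passive"), None)
        if peer is None:  # assumption: unmatched callers trigger nothing
            return "ignored: unknown caller"
        if peer.sas_exist:
            return "skipped: SAs exist"
        self._activate_interface()
        self.log.append(f"initiate IPSec tunnel to {peer.hostname}")
        peer.sas_exist = True
        return "tunnel initiated"

def demo():  # constructed sample: site A signals, site B is passive
    a = Gateway([Peer("b.example.net", "0301234", "active")])
    b = Gateway([Peer("a.example.net", "0405678", "passive")], {"200"})
    return a.tunnel_required(a.peers[0]), b.incoming_call("200", "0405678"), a.log, b.log
```

In this model the caller number only decides whether a tunnel setup is started; the call itself is never accepted and carries no data.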
Funkwerk Enterprise Communications GmbH
Description
up until someone actually wants to use the route.
: Your device responds to an ARP request only if the status of the connection to the IPSec peer is (active), i.e. a connection already exists to the IPSec peer.
R1xxx/R3xxx/R4xxx
