Table of Contents
Advertisement
16 VPN
338
Note
The callback configuration should be the same on the two devices so that your device
is able to identify the IP address information from the called peer.
The following roles are possible:
• One side takes on the active role, the other the passive role.
• Both sides can take on both roles (both).
The IP address transfer and the start of IKE phase 1 negotiation take place in the following
steps:
(1) Peer A (the callback initiator) sets up a connection to the Internet in order to be as-
signed a dynamic IP address and be reachable for peer B over the Internet.
(2) Your device creates a token with a limited validity and saves it together with the cur-
rent IP address in the MIB entry belonging to peer B.
(3) Your device sends the initial ISDN call to peer B, which transfers the IP address of
peer A and the token as per the callback configuration.
(4) Peer B extracts the IP address of peer A and the token from the ISDN call and as-
signs them to peer A based on the calling party number configured (the ISDN number
used by peer A to send the initial call to peer B).
(5) The IPSec Daemon at peer B's device can use the transferred IP address to initiate
phase 1 negotiation with peer A. Here the token is returned to peer A in part of the
payload in IKE negotiation.
(6) Peer A is now able to compare the token returned by peer B with the entries in the
MIB and so identify the peer without knowing its IP address.
As peer A and peer B can now mutually identify each other, negotiations can also be con-
ducted in the ID Protect mode using preshared keys.
Note
In some countries (e.g. Switzerland), the call in the D channel can also incur costs. An
incorrect configuration at the called side can mean that the called side opens the B
channel the calling side incurs costs.
The following options are only available on devices with an ISDN connection:
Fields in the menu IPSec Callback
bintec elmeg GmbH
bintec RS Series
Hide quick links:
Advertisement
Table of Contents
