Configure Virtual Private Networking (VPN) IPsec parameters
Digi TransPort WR Routers User Guide 423
IPsec Groups
You can use IPsec groups when the router is terminating tunnels to a large number of remote
devices, such as using the router as a VPN Concentrator. To keep the size of the configuration file in
the router small and also to maintain ease of configuration, only the information for all tunnels is
stored on the router. All other information that is site specific is stored in a MySQL database. This
means the number of sites that can be configured is limited only by the SQL database size and
performance. This will be literally millions of sites, depending upon the operating system and
hardware of the MySQL PC. The number of sites that can be connected to concurrently are much
smaller and limited by the model of the router.
▪ The router with the IPsec Group/MySQL configuration is the VPN Concentrator.
▪ The remote sites normally do not require an IPsec group configuration, as they normally need to
connect to a single peer only, the VPN Concentrator.
▪ The VPN Concentrator normally need a single IPsec group configured only.
▪ The local and remote subnet parameters must be set up wide enough to encompass all the local
and remote networks.
▪ The VPN Concentrator can act as an initiator and/or a responder. In situations where there are
more remote sites than the router can support concurrent sessions, it is normally necessary for
the VPN Concentrator and the remote sites to be both an initiator and a responder. This is so
both the remote sites and the head-end can initiate the IPsec session when required.
▪ It is also important to configure the IPsec tunnels to time out on inactivity to free up sessions for
other sites. In the case of the VPN Concentrator acting as an initiator, when it receives a packet
that matches the main IPsec tunnel, if no Security Associations already exist, it looks up the
required parameters in the database.
▪ The router then creates a dynamic IP tunnel containing all the settings from the base IPsec
tunnel and all the information retrieved from the database.
▪ At this point, IKE creates the tunnel (IPsec security associations) as normal.
▪ The dynamic IPsec tunnel continues to exist until all the IPsec Security Associations are
removed.
▪ When the maximum supported (or licensed) number of tunnels has been reached by the router,
the oldest Dynamic IPsec tunnels (those not in use for the longest period of time) and their
associated IPsec Security Associations are dropped, to allow new inbound VPNs to connect.
To Next Page
Loading...
