Configuring Virtual Private Networking (VPN) Configure Internet Protocol security (IPsec)
Digi TransPort® Routers User Guide
Configure IPsec groups
IPsec groups are supported on TransPort WR44v2 models only.
You can use IPsec groups when the router is terminating tunnels to a large number of remote devices,
for example when the router is used as a VPN Concentrator. To keep the router's configuration file
small and the configuration easy to manage, only the information that is common to all tunnels is
stored on the router. All other, site-specific information is stored in a MySQL database. This means
the number of sites that can be configured is limited only by the size and performance of the SQL
database; depending on the operating system and hardware of the MySQL PC, this can be literally
millions of sites. The number of sites that can be connected concurrently is much smaller and is
limited by the router model.
• The router with the IPsec Group/MySQL configuration is the VPN Concentrator.
• The remote sites normally do not require an IPsec group configuration, because they normally
need to connect to a single peer only, the VPN Concentrator.
• The VPN Concentrator normally needs only a single IPsec group configured.
• The local and remote subnet parameters must be set up wide enough to encompass all the
local and remote networks.
• The VPN Concentrator can act as an initiator and/or a responder. Where there are more remote
sites than the router can support concurrent sessions for, it is normally necessary for both the
VPN Concentrator and the remote sites to be initiator and responder, so that either the remote
site or the head-end can initiate the IPsec session when required.
• It is also important to configure the IPsec tunnels to time out on inactivity, to free up sessions
for other sites.
• When the VPN Concentrator acts as an initiator and receives a packet that matches the main
IPsec tunnel, if no Security Associations already exist it looks up the required parameters in
the database.
• The router then creates a dynamic IPsec tunnel containing all the settings from the base IPsec
tunnel plus all the information retrieved from the database.
• At this point, IKE creates the tunnel (IPsec Security Associations) as normal.
• The dynamic IPsec tunnel continues to exist until all of its IPsec Security Associations are
removed.
• When the router has reached the maximum supported (or licensed) number of tunnels, the
oldest dynamic IPsec tunnels (those not in use for the longest period of time) and their
associated IPsec Security Associations are dropped, to allow new inbound VPNs to connect.
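The following is an added model (not Digi's code) of the dynamic-tunnel behaviour described in the bullets above: a packet matching the wide base tunnel triggers a site lookup, the base settings are merged with the site-specific record, an existing tunnel is reused, and the least recently used dynamic tunnel is dropped when the tunnel limit is reached. The subnets, peer addresses and the choice of remote subnet as the database key are constructed assumptions; the real MySQL schema is not described on this page.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network

# Base IPsec tunnel shared by all sites: deliberately wide subnets (constructed values).
BASE_TUNNEL = {"local": ip_network("10.0.0.0/8"),
               "remote": ip_network("192.168.0.0/16"),
               "ike_policy": "aes256-sha256"}

# Stand-in for the MySQL site table, keyed by remote subnet (assumed key; constructed rows).
SITE_DB = {
    ip_network("192.168.1.0/24"): {"peer": "203.0.113.10", "psk_id": "site1"},
    ip_network("192.168.2.0/24"): {"peer": "203.0.113.20", "psk_id": "site2"},
    ip_network("192.168.3.0/24"): {"peer": "203.0.113.30", "psk_id": "site3"},
}


class Concentrator:
    def __init__(self, max_tunnels):
        self.max_tunnels = max_tunnels
        self.tunnels = OrderedDict()   # remote subnet -> dynamic tunnel, oldest first
        self.evicted = []              # subnets whose tunnels were dropped to make room

    def lookup_site(self, dst):
        # The "MySQL query": find the site record whose remote subnet contains dst.
        for subnet, info in SITE_DB.items():
            if dst in subnet:
                return subnet, info
        return None, None

    def handle_packet(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        if src not in BASE_TUNNEL["local"] or dst not in BASE_TUNNEL["remote"]:
            return None                # does not match the base tunnel: no VPN action
        subnet, site = self.lookup_site(dst)
        if site is None:
            return None                # unknown site: no SA is negotiated
        if subnet in self.tunnels:
            self.tunnels.move_to_end(subnet)   # SA already exists: mark as recently used
            return self.tunnels[subnet]
        if len(self.tunnels) >= self.max_tunnels:
            oldest, _ = self.tunnels.popitem(last=False)  # drop least recently used tunnel
            self.evicted.append(oldest)
        # Dynamic tunnel = base settings + site-specific settings; IKE would now build SAs.
        tunnel = {**BASE_TUNNEL, **site, "remote": subnet}
        self.tunnels[subnet] = tunnel
        return tunnel
```

Note that with a small tunnel limit and many active sites the eviction step makes tunnels churn, so the inactivity timeout and the concurrent-session capacity of the chosen model matter as much as the database size.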
Logic flow for creating IPsec SAs
VPN Concentrator acting as initiator
The VPN Concentrator normally acts as an initiator when it receives an IP packet for routing with a
source address matching the IPsec tunnel local subnet address & mask and a destination address
matching the remote subnet address & mask, provided an IPsec SA does not already exist for this site.
1. If an IPsec group is configured to use the matching IPsec tunnel, the router uses a MySQL
query to obtain the site-specific information needed to create the SAs.