IPsec parameters
Digi TransPort User Guide 411
Preliminary IP Tunnel configuration
The IPsec tunnel configuration (Configuration > Network > Virtual Private Networking (VPN) >
IPsec > IPsec Tunnels > IPsec n) differs from a normal configuration in the following ways:
• Peer IP/hostname: Because the peer IP address to each peer is unknown and is retrieved
from the database, this field is left empty.
• Bakpeerip (CLI only): Because the peer IP address to each peer is unknown and is retrieved
from the database, this field is left empty.
• Peer ID: When the host Digi router is acting as a responder during IKE negotiations, it uses
the ID supplied by the remote to decide whether or not the MySQL database should be
interrogated. For the router to make this decision, the remote router must supply an ID
that matches the peerid configured in the IPsec tunnel. Wildcard matching is supported:
the peerid may contain * and ? characters. If only one IPsec tunnel is configured, the
peerid field may contain a single *, meaning that every remote ID results in a MySQL
lookup.
• Local subnet IP address / Local subnet mask: Configured as usual.
• Remote subnet IP address / Remote subnet mask: These fields should be configured so
that packets to ALL remote sites fall within the configured subnet. For example, if there
are two sites with remote subnets 192.168.0.0/24 and 192.168.1.0/24 respectively, a valid
configuration for the host would be 192.168.0.0/23, so that packets to both remote sites
match.
All other fields should be configured as usual. It is possible to set up other IPsec groups linked
with other IPsec tunnels. This would be done if there is a second group of remote sites that has
a different set of local and remote subnets, or perhaps different encryption requirements. The
only requirement is that the peer IDs used by this second group do not match the peerid
(wildcards included) configured for the first IPsec group; otherwise the first tunnel is selected.
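The two decisions this section leaves to the administrator, whether a remote ID matches a wildcard peerid and which single Remote subnet covers every site, are easy to get wrong by hand. The following added example (not Digi firmware or TransPort CLI code) models both. It assumes the glob semantics stated above, * for any run of characters and ? for exactly one, and that tunnels are tried in configuration order; the site names and subnets are constructed for illustration.

```python
"""Helpers for planning a database-driven IPsec tunnel on the host router.
Added example; not Digi TransPort code. Wildcard semantics (* = any run,
? = exactly one character) and first-match tunnel order are assumptions."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional


def peerid_matches(pattern: str, remote_id: str) -> bool:
    """Glob-style match of the ID presented by the remote against a configured
    peerid. Everything except * and ? must match literally."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, remote_id) is not None


def select_tunnel(tunnels: List[Dict[str, str]], remote_id: str) -> Optional[Dict[str, str]]:
    """First tunnel whose peerid matches; None means no MySQL lookup happens.
    Used to check that a second IPsec group's IDs never hit the first group."""
    for tunnel in tunnels:
        if peerid_matches(tunnel["peerid"], remote_id):
            return tunnel
    return None


def covering_subnet(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix containing every remote site subnet,
    i.e. the value for the host's Remote subnet IP address / mask fields."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("at least one remote subnet is required")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Widen the prefix from /32 until one network spans both extremes.
    for prefix in range(32, -1, -1):
        candidate = ipaddress.ip_network((int(lo), prefix), strict=False)
        if hi in candidate:
            return candidate
    raise AssertionError("unreachable: /0 contains every address")


def uncovered_addresses(subnets: Iterable[str]) -> int:
    """Addresses inside the covering prefix that belong to no site. A large
    value means the prefix is far wider than the sites themselves, which is
    the situation where a second IPsec group with its own subnets is better."""
    sites = list(subnets)
    covered = covering_subnet(sites).num_addresses
    used = sum(ipaddress.ip_network(s).num_addresses for s in sites)
    return covered - used


if __name__ == "__main__":
    # Constructed sample: two tunnels, the first for European sites only.
    TUNNELS = [
        {"name": "IPsec 0", "peerid": "eu-site-??"},
        {"name": "IPsec 1", "peerid": "*"},
    ]
    for rid in ("eu-site-17", "eu-site-1", "us-site-03"):
        chosen = select_tunnel(TUNNELS, rid)
        print(rid, "->", chosen["name"] if chosen else "no lookup")

    # The guide's own example: 192.168.0.0/24 and 192.168.1.0/24 -> /23
    sites = ["192.168.0.0/24", "192.168.1.0/24"]
    print("Remote subnet:", covering_subnet(sites), "spare:", uncovered_addresses(sites))
```

The `uncovered_addresses` check is the practical caveat: the covering prefix is a routing selector, so everything it spans is sent to the tunnel even if no site owns it. Two sites at 192.168.0.0/24 and 192.168.2.0/24 need a /22 and leave 512 addresses uncovered; at that point a second IPsec group with non-overlapping peer IDs is usually the cleaner answer.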