Digi Connect WAN Application Guide: Configuring a VPN connection between a Cisco IOS Router and a Digi Cellular Router

Introduction

This is an example configuration of an IPsec VPN tunnel from a Digi Cellular VPN device, such as a ConnectPort WAN VPN, to a Cisco IOS-based router. Sections in this document are:

1. Example diagram and VPN parameters used.
2. Cisco VPN configuration settings. Knowledge of Cisco IOS is assumed and required. Digi does not provide support for non-Digi device configuration. Embedded notes in the sample config file help describe the settings.
3. Digi cellular device IPsec WebUI configuration.
4. Testing and basic troubleshooting.
5. Where to get more information.

1. Example Diagram and VPN Parameters

[Diagram: Digi cellular router (local Ethernet network 192.168.1.0/24, mobile IP address 166.122.222.111) connected across the carrier network and the Internet to a Cisco IOS router (public WAN address 209.123.123.123, local network 172.10.20.0/24). The IPsec tunnel protects traffic between 192.168.1.0/24 and 172.10.20.0/24.]

VPN Parameters:
- Identity: Mobile IP address
- Pre-Shared Key: 1s3d4f5g (example value only; the key must be identical on both peers, and a real deployment should use a long, randomly generated key)
- Mode: Main mode
- Encryption/Hash transforms: 3DES/MD5; DES/MD5
- Diffie-Hellman Group: 2
- Perfect Forward Secrecy (PFS): enabled
- SA Lifetime: 86400 seconds

Note that DES, MD5 and Diffie-Hellman group 2 are the algorithms this example was written around; they are considered weak today, and both the Digi device and IOS accept stronger choices (AES, SHA) that should be preferred where both ends support them.

2. Cisco Sample Config File

This configuration file describes how to set up a Cisco IOS router to accept a VPN connection from a Digi Connect VPN. Two pre-shared key definitions are listed:

(1) For a single static mobile IP address. A separate entry is needed for each mobile IP address.
(2) Covers either a range of static IPs or, more likely, is used when the mobile devices receive dynamic IP addresses. See the Key section a few lines down. With form (2) the pre-shared key is the only thing that authenticates a peer: any host in the 166.122.0.0/16 range that presents the key is accepted, which is one more reason not to use a short example key such as 1s3d4f5g in production.

! ISAKMP Phase 1 config:
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
! 'group 2' matches the Diffie-Hellman Group 2 setting on the Digi. An IOS ISAKMP
! policy defaults to group 1 when no group line is given, and Phase 1 would then
! fail against a Digi proposing group 2. (Lifetime is left at the IOS default of 86400 s.)

! KEY SECTION
! (1) Define the key if a STATIC mobile is used:
crypto isakmp key 1s3d4f5g address 166.122.222.111 no-xauth
! (2) Define the shared key for a number of mobile devices that share an address
! range. This shared key will work for all devices that have an IP address in
! the subnet 166.122.0.0/16. This is useful for dynamic IPs in this range.
crypto isakmp key 1s3d4f5g address 166.122.0.0 255.255.0.0 no-xauth

! Define the transforms that can be used. Every set pairs an encryption
! transform with an integrity transform (esp-*-hmac): ESP without an
! integrity transform encrypts but does not detect tampering.
crypto ipsec transform-set tset-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tset-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tset-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set tset-aes256-md5 esp-aes 256 esp-md5-hmac

! Set up the dynamic crypto map that will be used as a template
crypto dynamic-map digivpn 10
 set transform-set tset-des-md5 tset-3des-md5 tset-aes256-sha tset-aes256-md5
 set pfs group2
 match address 101
 reverse-route

! Set up the crypto map that will be applied to the interface
crypto map digi-crypto-map 10 ipsec-isakmp dynamic digivpn

! Configure the access list that defines the VPN.
! This list defines what data is going to be protected by the VPN.
! It is written from the Cisco's perspective: a packet with source
! 172.10.20.0/24 (the Cisco's local network) and destination 192.168.1.0/24
! (the Digi's local network) is tunneled through the VPN. The list must be the
! mirror image of the Digi's "Local Network" / "Remote Network" tunnel
! settings in Section 3, otherwise the Phase 2 proxy identities do not match.
access-list 101 permit ip 172.10.20.0 0.0.0.255 192.168.1.0 0.0.0.255

! Finally, apply the crypto map to the Ethernet interface:
interface Ethernet0/0
 description Public IP connected to the Internet
 ...
 crypto map digi-crypto-map

3. Digi VPN Config

1. Using a browser, access the Digi's WebUI (e.g. http://192.168.1.1).
2. In the left column, select Configuration -> Network.
3. Select the Virtual Private Network (VPN) Settings link in the middle of the page.
4. Select the first link ("VPN Settings").
5. Identity: select "Use the Mobile IP address as the identity".
6. General Security Settings: set "Connection Mode" to Main, set "Diffie-Hellman" to Group 2, and check "Enable Perfect Forward Secrecy (PFS)".
7. Under Internet Key Exchange (IKE) Security Settings, select "Use the following policies to negotiate Internet Key Exchange (IKE) security settings". Remove any existing items. Select 3DES and MD5 for Encryption and Authentication, leave the SA Lifetime at 86400, and click "Add". Then select DES and MD5, leave the SA Lifetime at 86400, and click "Add".
8. Click Apply.
9. Select the "VPN Tunnel Settings" link just below the Apply button. (Make sure you clicked the Apply button as described above, or your changes will be lost.)
10. Remove any unneeded tunnels by selecting the "delete" link.
11. Click "Add" to add a new tunnel.
12. Enter the WAN IP address or hostname of the Cisco router at the other end of the tunnel, in this example 209.123.123.123. This must usually be a public IP address reachable from the wireless address of the Digi Connect unit.
13. Under "VPN Tunnel:", select "ISAKMP".
14. Under the heading "Tunnel Network Traffic FROM the following Local Network", verify that the IP address corresponds to the subnet of the local Ethernet address (in this case 192.168.1.0 / 255.255.255.0). If it does not, change the local Ethernet IP address/subnet to the proper value under the Configuration -> Network link on the left side of the page. Verify that the subnet mask is appropriate for the tunnel you want to create. This IP address and subnet mask define the SOURCE address range for traffic that will be sent through the tunnel from the Digi's local network.
15. Under the heading "Tunnel Network Traffic TO the following Remote Network", enter the IP address of the network that the data will be flowing TO. This is the network part of the address defined on the LOCAL side of the Cisco router, in this case 172.10.20.0. Enter the subnet mask that defines the LOCAL side of the Cisco router, in this case 255.255.255.0.
16. Click Apply to save the information.

The Digi VPN configuration is now complete.

4. Testing and Basic Troubleshooting

The tunnel does not come up automatically; it is negotiated when traffic matching the tunnel definition is sent. You can trigger it in either of two ways:

- From the Digi WebUI, select "Administration > System Information", then select the Diagnostics link at the bottom of the page. Enter the IP address of a host at the remote end of the tunnel (the local side of the Cisco router), e.g. 172.10.20.1. The IP address needs to be an actual interface IP address. Click the Ping button and wait for the connection to respond correctly.

--or--

- Generate traffic from the Digi's local subnet to the HQ subnet. For example, from 192.168.1.100 try pinging 172.10.20.1. The first few pings will report "Destination Host Unreachable", because the route to the remote site does not exist until the VPN tunnel is built. After the VPN tunnel is established, the ping will likely time out at first but should respond after a few pings. If you continue to get "Destination Host Unreachable" messages, the tunnel is never being built.

If you do not get a valid response:

- Verify that the target IP address is pingable (not filtering ICMP).
- Check the Cisco router logs. (As of this writing the Digi has no VPN logs.) On the Cisco, show crypto isakmp sa lists the Phase 1 SA (state QM_IDLE when Phase 1 has completed) and show crypto ipsec sa shows whether Phase 2 SAs and encrypted/decrypted packet counters exist; a Phase 1 SA with no Phase 2 SA typically points at a transform-set or proxy-ID (crypto ACL) mismatch, and no Phase 1 SA at all points at the ISAKMP policy, DH group or pre-shared key.
- Check the VPN connection status from the Digi's command line via the display vpn command. See the Command Reference for more details.

5.
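The three places where the Cisco side must agree with the Digi side (the Phase 1 Diffie-Hellman group, the Phase 2 transform sets, and the direction of the crypto access list) are easy to get wrong by hand, and the failure mode in every case is a tunnel that never comes up. The checker below is an added example, not code from Digi's guide or from Cisco; it parses an IOS snippet with the plain-text rules IOS uses for these three statements and reports FAIL/WARN findings against the Digi settings from Sections 1 and 3. The two embedded configuration strings are constructed for the example: one reproduces the snippet as it might be typed without a group line, with an encryption-only transform set and with the access list written from the Digi's point of view, the other is the corrected form.

```python
"""Check a Cisco IOS IPsec snippet against the Digi-side tunnel settings.
Added example (not Digi or Cisco code): Phase 1 DH group, Phase 2 integrity, crypto ACL direction."""
import ipaddress
import re

# Digi-side values from Sections 1 and 3 of the guide.
DIGI_SIDE = {
    "dh_group": 2,
    "local_net": "192.168.1.0/24",   # "Tunnel Network Traffic FROM the following Local Network"
    "remote_net": "172.10.20.0/24",  # "Tunnel Network Traffic TO the following Remote Network"
}

# Constructed input: no 'group' line (IOS then uses group 1), an encryption-only
# transform set, and a crypto ACL written from the Digi's point of view.
SAMPLE_AS_PRINTED = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set tset-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tset-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tset-aes256 esp-aes 256
crypto ipsec transform-set tset-aes256-md5 esp-aes 256 esp-md5-hmac
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.10.20.0 0.0.0.255
"""

# Constructed input: the same snippet with the three problems corrected.
SAMPLE_CORRECTED = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set tset-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tset-aes256-sha esp-aes 256 esp-sha-hmac
access-list 101 permit ip 172.10.20.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

WEAK = {"des", "esp-des", "3des", "esp-3des", "md5", "esp-md5-hmac"}
POLICY_KEYS = ("encr", "hash", "authentication", "group", "lifetime")


def wildcard_to_network(addr, wildcard):
    """Cisco ACLs use inverted (wildcard) masks; 0.0.0.0 means a single host."""
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    # ipaddress accepts a hostmask when the first octet of the mask is zero.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def lint_cisco_config(config, digi=DIGI_SIDE):
    """Return 'FAIL ...' / 'WARN ...' strings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.lstrip().startswith("!")]

    # Phase 1: the ISAKMP policy must offer the DH group the Digi proposes.
    in_policy, group = False, None
    for line in lines:
        if line.startswith("crypto isakmp policy"):
            in_policy, group = True, 1          # IOS default when no 'group' line is present
            continue
        if in_policy and line.startswith(POLICY_KEYS):
            key, val = line.split()[:2]
            if key == "group":
                group = int(val)
            elif key in ("encr", "hash") and val in WEAK:
                findings.append(f"WARN isakmp policy uses a weak algorithm: {line}")
        else:
            in_policy = False
    if group is None:
        findings.append("FAIL no 'crypto isakmp policy' found")
    elif group != digi["dh_group"]:
        findings.append(f"FAIL isakmp policy offers DH group {group}, Digi is set to group "
                        f"{digi['dh_group']}; add 'group {digi['dh_group']}' to the policy")

    # Phase 2: every transform set needs an integrity transform (esp-*-hmac).
    for line in lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if not m:
            continue
        name, transforms = m.group(1), m.group(2).split()
        if not any(t.endswith("-hmac") for t in transforms):
            findings.append(f"FAIL transform-set {name} has encryption but no integrity transform")
        if WEAK & set(transforms):
            findings.append(f"WARN transform-set {name} uses weak algorithms: {' '.join(transforms)}")

    # Crypto ACL: from the Cisco's view it must mirror the Digi tunnel,
    # i.e. source = Digi remote network, destination = Digi local network.
    want_src = ipaddress.ip_network(digi["remote_net"])
    want_dst = ipaddress.ip_network(digi["local_net"])
    matched, reversed_acl = False, None
    for line in lines:
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        src = wildcard_to_network(m.group(2), m.group(3))
        dst = wildcard_to_network(m.group(4), m.group(5))
        if src == want_src and dst == want_dst:
            matched = True
        elif src == want_dst and dst == want_src:
            reversed_acl = m.group(1)
    if not matched:
        fix = (f"permit ip {want_src.network_address} {want_src.hostmask} "
               f"{want_dst.network_address} {want_dst.hostmask}")
        if reversed_acl:
            findings.append(f"FAIL access-list {reversed_acl} is reversed (Digi's view); use '{fix}'")
        else:
            findings.append(f"FAIL no crypto ACL matches the Digi proxy IDs; expected '{fix}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as printed", SAMPLE_AS_PRINTED), ("corrected", SAMPLE_CORRECTED)):
        print(f"--- {label} ---", *lint_cisco_config(cfg), sep="\n")
```

Run against the first sample it reports three FAIL findings (DH group 1 against the Digi's group 2, the encryption-only transform set, and the reversed access list); against the corrected sample only WARN findings about 3DES and MD5 remain, which is the expected result for this guide's parameter set.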
Where to Get More Information

Further details and information are available in the User's Guide, Command Reference and Application Docs available from Digi's support site (www.digi.com/support) and from the product web pages (http://www.digi.com/products/wireless/cellular.jsp; select the appropriate product, then click on the Docs tab). For example, a more detailed generic VPN doc is available here: http://ftp1.digi.com/support/documentation/appguide_digiconnectvpn.pdf.

Refer to the Digi Connect WAN user documentation and the Digi technical support website at www.digi.com/support for more information. Technical assistance is available at http://www.digi.com/support/eservice/eservicelogin.jsp. For sales and product information, please contact Digi International at 952-912-3444 or via www.digi.com.
Document properties: Title: Cisco Sample Config File. Author: Bill Word, Digi International.