Digi Connect WAN Application Guide: Configure a VPN between Cisco PIX and the Digi Connect WAN

Introduction

This is an example of configuring an IPsec VPN tunnel from a Digi Cellular VPN device, such as a ConnectPort WAN VPN, to a Cisco PIX-based firewall.

Sections in this document are:

- Example diagram and VPN parameters used.
- Cisco VPN configuration settings. Knowledge of Cisco PIX is assumed and required. Digi does not provide support for non-Digi device configuration. Embedded notes help describe the settings.
- Digi cellular devices IPsec WebUI configuration
- Testing and basic troubleshooting

1. Example Diagram and VPN Parameters

[Diagram not included in this text version.]

VPN Parameters:

- Identity: Mobile IP address
- Pre-Shared Key: 1s3d4f5g
- Main mode
- Encryption/Hash transforms: 3des/md5; des/MD5
- Diffie-Hellman Group: 2, Perfect Forward Secrecy (PFS) enabled
- SA Lifetime: 86400 seconds

2. Cisco Sample Config File:

This configuration file describes how to set up a peer-to-peer VPN connection with a Digi Connect VPN. The configuration below is for a Cisco PIX which is at the factory default settings.

    ! First clear the default security settings from the Cisco PIX
    clear crypto ipsec sa
    clear crypto isakmp sa
    clear crypto ipsec trans
    clear crypto map
    clear crypto dyn
    clear isakmp
    clear access-list

    ! Clear the IP addresses and routes.
    no ip address outside
    no ip address inside
    no dhcpd address inside

    ! Add the new IP address and route information
    ip address outside 209.123.123.123 255.255.255.0
    ip address inside 172.10.20.1 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 70.57.159.158 1
    dhcpd address 172.10.20.2-172.10.20.33 inside

    ! Add the VPN and security settings
    access-list 122 permit ip 172.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
    crypto ipsec transform-set fwConfigTset esp-3des esp-md5-hmac
    crypto dynamic-map fwConfigDynMap 222 match address 122
    crypto dynamic-map fwConfigDynMap 222 set pfs group2
    crypto dynamic-map fwConfigDynMap 222 set transform-set fwConfigTset
    crypto map fwConfigMapToDyn 223 ipsec-isakmp dynamic fwConfigDynMap
    crypto map fwConfigMapToDyn interface outside
    isakmp enable outside
    isakmp key 1s3d4f5g address 0.0.0.0 netmask 0.0.0.0 no-xauth
    isakmp policy 222 authentication pre-share
    isakmp policy 222 encryption 3des
    isakmp policy 222 hash md5
    isakmp policy 222 group 2
    isakmp policy 222 lifetime 86400
    nat (inside) 0 access-list 122

3. Digi VPN Config:

1. Using a browser, access the Digi's WebUI (e.g. http://192.168.1.1).
2. In the left column, select Configuration -> Network.
3. Select the Virtual Private Network (VPN) Settings link in the middle of the page.
4. Select the first link ("VPN Settings").
5. Identity: select "Use the Mobile IP address as the identity".
6. General Security Settings:
   - "Connection Mode": Main
   - "Diffie-Hellman": Group 2
   - Check to "Enable Perfect Forward Secrecy (PFS)"
7. Under Internet Key Exchange (IKE) Security Settings:
   - Select "Use the following policies to negotiate Internet Key Exchange (IKE) security settings".
   - Remove any items.
   - Select 3DES and MD5 for Encryption and Authentication. Leave the SA Lifetime at 86400. Click "Add".
   - Select DES and MD5. Leave the SA Lifetime value at 86400. Click "Add".
8. Click Apply.
9. Select the "VPN Tunnel Settings" link just below the Apply button. (Make sure you clicked the Apply button as mentioned above or your changes will be lost.)
10. Remove any unneeded tunnels by selecting the "delete" link.
11. Click "Add" to add a new tunnel.
12. Enter the WAN IP address or hostname of the Cisco router at the other end of the tunnel, in this example 209.123.123.123. The IP address must usually be a public IP address reachable from the wireless address of the Digi Connect unit.
13. Under "VPN Tunnel:" select "ISAKMP".
14. Under the heading "Tunnel Network Traffic FROM the following Local Network":
   - Verify the IP address corresponds to the subnet of the local Ethernet address (in this case 192.168.1.0/255.255.255.0). If the address is not the same, change the local Ethernet IP address/subnet to the proper address under the Configuration -> Network link on the left side of the page.
   - Verify the subnet mask is appropriate for the tunnel you want to create.
   - Note that the IP address and subnet mask define the SOURCE address range for traffic that will be sent through the tunnel from the remote network.
15. Under the heading "Tunnel Network Traffic TO the following Remote Network":
   - Enter the IP address of the network that the data will be flowing TO. This is the network part of the address that is defined on the LOCAL side of the Cisco Router. In this case 172.10.20.0.
   - Enter the appropriate Subnet Mask that defines the LOCAL side of the Cisco PIX, in this case 255.255.255.0.
16. Click Apply to save the information.

The Digi VPN configuration is now complete.

4. Testing and Basic Troubleshooting

Note that the tunnel does not come up automatically. You can attempt to make the tunnel come up as follows:

1. Select "Administration > System Information".
2. Select the Diagnostics link at the bottom of the page.
3. Enter an IP address of a host on the remote end of the tunnel (the local side of the Cisco router), e.g. 172.10.20.1. The IP address needs to be an actual interface IP address.
4. Click on the Ping button.
5. Wait for the connection to respond correctly.

If you do not get a valid response, verify that the IP address is pingable (not filtering ICMP). Check the Cisco PIX logs. (As of this writing the Digi has no VPN logs. You can check the status from the command line via the display vpn command.)

5. Where to Get More Information

Refer to the Digi Connect WAN user documentation and Digi technical support website at www.digi.com/support for more information.

Technical assistance is available at http://www.digi.com/support/eservice/eservicelogin.jsp.

For sales and product information, please contact Digi International at 952-912-3444 or via www.digi.com.
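The PIX settings in section 2 have to mirror the Digi tunnel networks entered in section 3, and a reviewer will also want to know which of the negotiated parameters are legacy choices. The following Python check is an added example, not part of Digi's guide: the function name `audit_pix`, the finding strings and the lists of algorithms treated as weak are assumptions of this example, and the sample input is constructed from the VPN-related lines of the section 2 configuration.

```python
import ipaddress

# Constructed sample: the VPN-related lines of the section 2 PIX configuration.
PIX_CONFIG = """\
access-list 122 permit ip 172.10.20.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set fwConfigTset esp-3des esp-md5-hmac
crypto dynamic-map fwConfigDynMap 222 set pfs group2
isakmp key 1s3d4f5g address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 222 encryption 3des
isakmp policy 222 hash md5
isakmp policy 222 group 2
isakmp policy 222 lifetime 86400
"""

# Assumption of this example: algorithms treated as legacy by current guidance.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit_pix(config, digi_local, digi_remote):
    """Return sorted findings for a PIX config checked against the Digi tunnel networks."""
    findings = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5 and tok[4] in WEAK_IKE.get(tok[3], ()):
            findings.add(f"weak IKE {tok[3]}: {tok[4]}")
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            findings.update(f"weak ESP transform: {t}" for t in tok[4:] if t in WEAK_ESP)
        elif tok[:2] == ["isakmp", "key"] and tok[3:7] == ["address", "0.0.0.0", "netmask", "0.0.0.0"]:
            findings.add(f"wildcard peer: {len(tok[2])}-character pre-shared key accepted from any address")
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"] and len(tok) == 8:
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
            # The PIX ACL must mirror the Digi tunnel: PIX source = Digi remote, PIX dest = Digi local.
            want = (ipaddress.ip_network(digi_remote), ipaddress.ip_network(digi_local))
            if (src, dst) != want:
                findings.add(f"ACL {tok[1]} does not mirror the Digi tunnel networks")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_pix(PIX_CONFIG, "192.168.1.0/24", "172.10.20.0/24"):
        print(finding)
```

Only the `network mask network mask` form of `access-list ... permit ip` used in this guide is parsed; other ACL forms are skipped.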