User manual
set vpn
Chapter 2 Command Descriptions 231
Options

Global VPN options

set vpn global
    Specifies that the “set vpn” command is for setting global VPN options.
mode={main|aggressive}
    The method used to negotiate Internet Key Exchange (IKE) Phase One using the Internet Security Association and Key Management Protocol (ISAKMP). The negotiation establishes the security settings and a secure channel for subsequent messages. For the negotiation to progress, both sides must be configured identically.

    main
        Main mode processes Phase One negotiations using three two-way exchanges between the VPN client and the remote VPN endpoint. The exchanges establish matching IKE Security Associations (SAs) between the peers, providing a protected pipe for the subsequent protected ISAKMP exchanges between them. The first exchange negotiates and agrees upon the algorithms and hashes/keys used to secure the IKE communications. The second exchange performs a Diffie-Hellman exchange, per the specified Diffie-Hellman group, exchanging nonces and generating the shared secret keys used to sign and prove identities. The third exchange verifies the peer's identity, using the identity type set by the identity option.

    aggressive
        Aggressive mode processes Phase One negotiations using fewer exchanges than main mode. In the first exchange, almost everything is sent together with the proposed IKE values, including the Diffie-Hellman key, the nonce used to sign and verify, and the identity. The weakness of aggressive mode compared to main mode is that this information, the identity included, is exchanged unprotected, before the secure channel is created. However, because fewer exchanges are used, aggressive mode is faster than main mode. Aggressive mode may be required when the peer gateway IP address is dynamic.

    The default is “main.”
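The following Python is an added example, not code from the Digi manual or the device firmware: it parses a “set vpn global” line with the syntax documented here and models the Phase One message flow of each mode, so the difference the text describes (the identity crossing the wire before the secure channel exists in aggressive mode, but inside the protected third exchange in main mode) can be checked concretely. The payload names and message layout are assumed from RFC 2409 with pre-shared-key authentication; the function names are hypothetical.

```python
import re
from dataclasses import dataclass

MODES = {"main", "aggressive"}
IDENTITIES = {"fqdn", "user fqdn", "ip address"}

def parse_set_vpn_global(line: str) -> dict:
    """Parse 'set vpn global [mode=...] [identity=...]' and apply the manual's defaults."""
    tokens = line.strip().split()
    if tokens[:3] != ["set", "vpn", "global"]:
        raise ValueError("not a 'set vpn global' command")
    opts = {"mode": "main", "identity": "user fqdn"}  # defaults stated in the manual
    # a value may contain a space ("user fqdn"), so split at the next 'key=' rather than on whitespace
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", " ".join(tokens[3:])):
        key, value = key.lower(), value.strip().lower()
        allowed = {"mode": MODES, "identity": IDENTITIES}.get(key)
        if allowed is None or value not in allowed:
            raise ValueError(f"bad option {key}={value!r}")
        opts[key] = value
    return opts

@dataclass(frozen=True)
class Msg:
    sender: str       # "I" = initiator (VPN client), "R" = responder (remote VPN endpoint)
    payloads: tuple   # ISAKMP payload names carried in this message
    encrypted: bool   # True once the ISAKMP SA keys protect the message

def phase_one_messages(mode: str) -> list:
    """Phase One message layout per mode (assumed from RFC 2409, pre-shared-key authentication)."""
    if mode == "main":
        return [Msg("I", ("SA",), False), Msg("R", ("SA",), False),                    # exchange 1: proposals
                Msg("I", ("KE", "NONCE"), False), Msg("R", ("KE", "NONCE"), False),    # exchange 2: Diffie-Hellman
                Msg("I", ("ID", "HASH"), True), Msg("R", ("ID", "HASH"), True)]        # exchange 3: identity, protected
    if mode == "aggressive":
        return [Msg("I", ("SA", "KE", "NONCE", "ID"), False),          # nearly everything in one message
                Msg("R", ("SA", "KE", "NONCE", "ID", "HASH"), False),
                Msg("I", ("HASH",), False)]                             # RFC 2409 leaves this one optionally encrypted
    raise ValueError(f"unknown mode {mode!r}")

def observable_payloads(mode: str) -> set:
    """Payloads a passive observer on the path sees before the secure channel exists."""
    return {p for m in phase_one_messages(mode) if not m.encrypted for p in m.payloads}

def negotiate(local_cmd: str, remote_cmd: str) -> list:
    """Both peers must be configured identically, or Phase One cannot progress."""
    local, remote = parse_set_vpn_global(local_cmd), parse_set_vpn_global(remote_cmd)
    if local["mode"] != remote["mode"]:
        raise ValueError(f"mode mismatch: local={local['mode']} remote={remote['mode']}")
    return phase_one_messages(local["mode"])
```

`observable_payloads("aggressive")` includes "ID" while `observable_payloads("main")` does not, which is the trade-off the manual describes; `negotiate` raises when the two sides' mode settings differ.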
identity={fqdn|user fqdn|ip address}
    Specifies how the VPN client is identified to the remote VPN endpoint. The identity must match the value provided by the remote VPN endpoint, so that this client and its respective security settings are properly identified. This option assumes the use of a pre-shared key and is used to identify the pre-shared key. This option can be specified in three ways:

    identity=fqdn
        The identity is a Fully Qualified Domain Name (FQDN), usually the FQDN of the Digi Connect device in the form of an Internet hostname, for example www.myhost.com or remote3.digi.com.

    identity=user fqdn
        The identity is a User Fully Qualified Name (UFQN, or User FQDN). A User FQDN is similar to a standard FQDN but includes a user name; the format is the same as an email address, for example user@myhost.com or remote3@digi.com. This is the default representation used by Digi devices, because it can easily be added to authentication systems.