User manual

ManualsBrandsDigi ManualsSoftwareNetwork Router 90000566_H

231

232

233

234

235

236

237

238

239

240

set vpn

232 Chapter 2 Command Descriptions

identity=ip-address

Identity is specified as the Digi device’s IP address. Using this method,

you can specify either of the following:

The Network Address (IPv4): A standard IP address (version 4). that

uses the standard IPv4 dotted format (four numeric values between 0

and 255 separated by periods). For example: 10.0.0.1

The Mobile IP address as the identity: This means that the IP

address of your mobile network interface will automatically be used as

the VPN identity.

The IP-address method is the easiest for system administrators to use,

because it is both familiar and should be unique. However, it is not

always the best choice. The IP address may be for the device, unless

special arrangements are made with the cellular carrier. This presents

a difficult configuration issue, unless a large subnet of addresses are

defined to use a single pre-shared key.

The default identify form is “macaddress@digi.com.”

dh_group={1|2|5}

The Diffie-Hellman (DH) prime modulus group. Diffie-Hellman is a public-

key cryptography protocol for establishing a shared secret over an

insecure communications channel. Diffie-Hellman is used with IKE to

establish the session keys that create a secure channel. This setting is

used if Perfect Forward Secrecy is also enabled (“pfs=on.”)

Digi Cellular Family products support the following Diffie-Hellman prime

modulus groups:

dh_group=1

Group 1 (768-bit).

dh_group=2

Group 2 (1024-bit).

dh_group=5

Group 5 (1536-bit).

The default is 2 (Group 2).

pfs={on|off}]

Specifies whether the Perfect Forward Secrecy (PFS) method is on or off.

PFS is a method of deriving session keys from known keying material.

PFS establishes greater resistance to cryptographic attacks by ensuring

that a given key of an IKE SA is not derived from any other secret, and

that no other key can be derived from this key.

For negotiations to succeed, both the local and remote sides of the

connection must have the “pfs” and “dh_group” options set to the same

values.

The default is “on.”