User's guide
Related CLI Commands

| Entity | Instance | Parameter | Values | Equivalent Web Parameter |
|---|---|---|---|---|
| ike | 0 | inactto | 0 – 255 | Stop IKE negotiation if no packet received for n seconds |
| ike | 0 | natt | on, off | Enable NAT-Traversal |
| ike | 0 | initialcontact | on, off | Send INITIAL-CONTACT notifications |
| ike | 0 | respltime | on, off | Send RESPONDER-LIFETIME notifications |
| ike | 0 | keepph1 | on, off | Retain phase 1 SA after failed phase 2 negotiation |
| ike | 0 | privrsakey | Filename | RSA private key file |
| ike | 0 | delmode | 0 = Normal; 1 = Remove IKE SA when last IPsec SA removed; 2 = Remove IPsec SAs when IKE SA removed; 3 = Both | SA Removal Mode |
Configuration – Network > Virtual Private Networking (VPN) > IPsec > IKE > MODECFG Static NAT mappings
MODECFG is an extra stage built into IKE negotiations that fits between IKE phase 1 and
IKE phase 2, and is used to perform operations such as extended authentication (XAUTH)
and requesting an IP address from the host. This IP address becomes the source address to
use when sending packets through the tunnel from the remote to the host. This mode of
operation (receiving one IP address from the remote host) is called “client” mode. Another
mode, called “network” mode, allows the unit to send packets with a range of source
addresses through the tunnel.
If the unit receives packets from a local interface that need to be routed through the tunnel,
it performs address translation so that the source address matches the assigned IP address
before encrypting using the negotiated SA. Some state information is retained so that
packets coming in the opposite direction with matching addresses/ports can have their
destination address set to the source address of the original packet (in the same way as
standard NAT).
If the remote end of the tunnel is to be able to access units connected to the local interface,
the unit that has been assigned the virtual IP address needs to have some static NAT
entries set up. When a packet is received through the tunnel, the unit first looks up
existing NAT entries, followed by static NAT entries, to see if the destination address/port
should be modified, and then forwards the packet to the new address. If a static NAT mapping is
found, the unit creates a dynamic NAT entry that is used for the duration of the
connection. If neither a dynamic nor a static entry is found, the packet is directed to the local
protocol handlers.
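The two lookup paths described above (outbound source translation to the assigned virtual IP with retained state, and inbound lookup of dynamic entries, then static entries, then the local protocol handlers) as a small Python model. This is an added example, not code from the unit or the user's guide; the class and method names, the assumption that packets arriving through the tunnel are addressed to the virtual IP, and the choice to leave port numbers unchanged are all simplifications made here.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class VirtualIpNat:
    """Hypothetical model of the unit's MODECFG client-mode NAT (not vendor code)."""
    virtual_ip: str  # address assigned by the remote host during MODECFG
    # static entries: virtual-IP port -> (local address, local port)
    static_map: dict = field(default_factory=dict)
    # dynamic entries: (peer address, peer port, virtual-IP port) -> (local address, local port)
    dynamic: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Local interface -> tunnel: source becomes the virtual IP and state is
        retained so the reply can be mapped back. A reply belonging to an entry
        created by a static mapping reuses that entry's virtual-IP port."""
        for (peer, peer_port, vport), local in self.dynamic.items():
            if local == (pkt.src, pkt.sport) and (peer, peer_port) == (pkt.dst, pkt.dport):
                return Packet(self.virtual_ip, vport, pkt.dst, pkt.dport)
        self.dynamic[(pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(self.virtual_ip, pkt.sport, pkt.dst, pkt.dport)  # port kept (simplification)

    def inbound(self, pkt: Packet) -> tuple:
        """Tunnel -> local: dynamic entries are checked first, then static entries;
        a static hit is promoted to a dynamic entry for the rest of the connection;
        no hit means the packet is for the unit's own protocol handlers."""
        key = (pkt.src, pkt.sport, pkt.dport)
        target = self.dynamic.get(key)
        if target is None:
            target = self.static_map.get(pkt.dport)
            if target is not None:
                self.dynamic[key] = target  # dynamic entry created from the static mapping
        if target is None:
            return ("local", pkt)
        local_ip, local_port = target
        return ("forward", Packet(pkt.src, pkt.sport, local_ip, local_port))
```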