User's guide

IPsec Default Action
Configuration – Network > Virtual Private Network (VPN) > IPsec > IPsec Default Action
Like a normal IP routing set-up, IPsec tunnels have a default configuration that is applied if no specific tunnel can be found. This is useful when, for instance, you wish to have a number of remote users connect via a secure channel (perhaps to access company financial information) but also still allow general remote access to other specific servers on your network or the Internet.
When a packet is received which does not match any IPsec tunnel
How the router will respond if a packet is received when there is no SA.
If "Drop the packet" is selected, then only packets that match a specified IPsec tunnel will be routed; all other data will be discarded. This has the effect of enforcing a secure connection to all devices behind the router.
If "Pass the packet" is selected, then packets that match an IPsec tunnel will be decrypted and authenticated (depending on the IPsec tunnel's configuration), but data that does not match will also be allowed to pass.
When a packet is to be transmitted which does not match any IPsec tunnel
How the router will respond if a packet is transmitted when there is no SA.
If "Drop the packet" is selected, then only packets that match a specified IPsec tunnel will be routed; all other data will be discarded.
If "Pass the packet" is selected, then data that matches an IPsec tunnel will be encrypted and authenticated (depending on the IPsec tunnel's configuration), but data that does not match will also be allowed to pass.
Related CLI Commands

Entity      Instance  Parameter  Values      Equivalent Web Parameter
def_eroute  0         nosain     drop, pass  When a packet is received which does not match any IPsec tunnel
def_eroute  0         nosaout    drop, pass  When a packet is to be transmitted which does not match any IPsec tunnel
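The following is an added illustration of the decision the two default actions describe; it is a hypothetical model written for this page, not code from the router firmware or its configuration tool. The tunnel selectors, subnet values and class names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical model of the behaviour the guide describes (added example,
# not router firmware code). Tunnels are matched on subnet selectors only.


@dataclass(frozen=True)
class Tunnel:
    """One IPsec tunnel, identified by its local/remote subnet selectors."""
    name: str
    local_net: str
    remote_net: str

    def matches(self, local_ip: str, remote_ip: str) -> bool:
        return (ip_address(local_ip) in ip_network(self.local_net)
                and ip_address(remote_ip) in ip_network(self.remote_net))


class IpsecDefaultAction:
    """Applies the nosain/nosaout default actions to packets with no SA."""

    def __init__(self, tunnels, nosain="drop", nosaout="drop"):
        for value in (nosain, nosaout):
            if value not in ("drop", "pass"):
                raise ValueError(f"default action must be drop or pass, got {value!r}")
        self.tunnels = list(tunnels)
        self.nosain = nosain    # packet received, no matching tunnel
        self.nosaout = nosaout  # packet to be transmitted, no matching tunnel

    def _find_tunnel(self, local_ip, remote_ip):
        return next((t for t in self.tunnels if t.matches(local_ip, remote_ip)), None)

    def received(self, src: str, dst: str) -> str:
        """Inbound packet: src is the remote host, dst is the local host."""
        tunnel = self._find_tunnel(local_ip=dst, remote_ip=src)
        if tunnel:
            return f"decrypt+authenticate via {tunnel.name}"
        return self.nosain    # 'pass' admits cleartext traffic from anywhere

    def transmitted(self, src: str, dst: str) -> str:
        """Outbound packet: src is the local host, dst is the remote host."""
        tunnel = self._find_tunnel(local_ip=src, remote_ip=dst)
        if tunnel:
            return f"encrypt+authenticate via {tunnel.name}"
        return self.nosaout   # 'pass' sends the packet in the clear


# Constructed sample: one tunnel protecting a finance subnet, both policies.
FINANCE = Tunnel("finance", "10.0.1.0/24", "192.168.50.0/24")
strict = IpsecDefaultAction([FINANCE], nosain="drop", nosaout="drop")
permissive = IpsecDefaultAction([FINANCE], nosain="pass", nosaout="pass")
```

With the strict policy only traffic that fits a tunnel selector leaves or enters the protected subnet; with the permissive policy unmatched traffic is forwarded unprotected, which is the trade-off the guide describes.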
IPsec Groups
Configuration – Network > Virtual Private Network (VPN) > IPsec > IPsec Groups
This mode of operation can be used when the router is terminating tunnels to a large number of remote devices, e.g. when being used as a VPN concentrator. To keep the size of the configuration file in the router small and also to maintain ease of configuration, only the information that is used for all tunnels is stored on the router. All other information that is site specific is stored in a MySQL database. This means the number of sites that can be configured is limited only by the SQL database size and performance. This will be literally millions of sites depending upon the operating system and hardware of the MySQL PC. The number of sites that can be connected to concurrently is much smaller and is limited by the model of the router.