User's guide
199
Basic Concept
The router with the IPsec Group/MySQL configuration will be the VPN Concentrator. The
remote sites will normally not require an IPsec group configuration, as they will normally
only need to connect to a single peer, the VPN Concentrator. The VPN Concentrator will
normally need only a single IPsec group configured. Its local and remote subnet
parameters need to be set up wide enough to encompass all the local and remote networks.

The VPN Concentrator can act as an initiator and/or a responder. Where there are more
remote sites than the Digi can support as concurrent sessions, it will normally be
necessary for both the VPN Concentrator and the remote sites to be configured as both
initiator and responder, so that either the remote sites or the head-end can initiate the
IPsec session when required. Note that it is also important to configure the IPsec tunnels
to time out on inactivity, to free up sessions for other sites.

When the VPN Concentrator acts as an initiator and receives a packet that matches the
main IPsec tunnel, if no Security Associations already exist it will look up the required
parameters in the database. The TransPort will then create a "Dynamic IPsec Tunnel"
containing all the settings from the base IPsec tunnel plus all the information retrieved
from the database. At this point IKE will create the tunnel (the IPsec Security
Associations) as normal. The dynamic IPsec tunnel will continue to exist until all of its
IPsec Security Associations have been removed. When the maximum supported (or licensed)
number of tunnels has been reached by the router, the oldest dynamic IPsec tunnels (those
that have not been used for the longest period of time) and their associated IPsec
Security Associations will be dropped to allow new inbound VPNs to connect.
Logic flow - creation of IPsec SAs
VPN Concentrator acting as initiator
The VPN Concentrator will normally act as an initiator when it receives an IP packet for
routing with a source address matching the IPsec tunnel's local subnet address and mask
and a destination address matching its remote subnet address and mask (providing that an
IPsec SA does not already exist for this site).

If an IPsec group is configured to use the matching IPsec tunnel, the router will use a
MySQL query to obtain the site-specific information needed to create the SAs. The VPN
Concentrator builds a SELECT query using the remote subnet address, which it derives by
applying the mask configured in the IPsec group configuration to the destination IP
address of the packet. (This means that the remote subnet mask must be the same on all
sites using the current IPsec group.)

Once the site-specific information has been retrieved, the router creates a 'dynamic'
IPsec tunnel based upon the base IPsec tunnel configuration plus the site-specific
information from the MySQL database. The router can then use the completed IPsec tunnel
configuration and IKE to create the IPsec SAs. For the pre-shared key, IKE uses the
password returned from the MySQL database rather than doing a local lookup in the user
configuration. Once created, the SAs are linked with the dynamic IPsec tunnel. Replacement
SAs are created as the lifetimes start to get low while traffic is still flowing. When all
SAs to this remote router have been removed, the dynamic IPsec tunnel is also removed, so
that the IPsec tunnel can then be re-used to create tunnels to other remote sites.

When processing outgoing packets, dynamic IPsec tunnels are searched before base IPsec
tunnels. So, if a matching dynamic IPsec tunnel is found it is used, and the base IPsec
tunnel is only matched if no dynamic IPsec tunnel exists. Once the dynamic IPsec tunnel is
removed, further outgoing packets will match the base IPsec tunnel and the process is
repeated.
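The outgoing-packet logic above (dynamic tunnels searched first, database lookup keyed on the masked destination address, dynamic tunnel built from base settings plus site fields, least-recently-used eviction at the tunnel limit) as an added Python model; this is not TransPort firmware or Digi code. The MySQL table is stood in for by a constructed in-memory dict, and the class and field names (Concentrator, peer, psk) are assumptions.

```python
import ipaddress
from collections import OrderedDict

# Constructed stand-in for the MySQL table: remote subnet -> site-specific fields.
SITES_DB = {
    "10.1.0.0/24": {"peer": "203.0.113.10", "psk": "site1-secret"},
    "10.2.0.0/24": {"peer": "203.0.113.20", "psk": "site2-secret"},
    "10.3.0.0/24": {"peer": "203.0.113.30", "psk": "site3-secret"},
}

class Concentrator:
    def __init__(self, local_net, remote_net, group_mask, max_tunnels, db=SITES_DB):
        self.base_local = ipaddress.ip_network(local_net)    # base tunnel local subnet
        self.base_remote = ipaddress.ip_network(remote_net)  # base tunnel remote subnet
        self.group_mask = group_mask   # remote subnet mask from the IPsec group config
        self.max_tunnels = max_tunnels # supported / licensed tunnel limit
        self.db = db
        self.dynamic = OrderedDict()   # remote subnet -> dynamic tunnel, LRU order
        self.dropped = []              # subnets evicted to make room for new sites

    def subnet_key(self, dst):
        # Mask the destination address to get the remote subnet used in the SELECT.
        return str(ipaddress.ip_network(f"{dst}/{self.group_mask}", strict=False))

    def route(self, src, dst):
        """Return ('dynamic', subnet) for the tunnel a packet uses, or None."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = self.subnet_key(dst)
        if key in self.dynamic:                 # dynamic tunnels are searched first
            self.dynamic.move_to_end(key)       # refresh last-used position
            return ("dynamic", key)
        if src not in self.base_local or dst not in self.base_remote:
            return None                         # does not match the base tunnel
        site = self.db.get(key)                 # SELECT ... WHERE remote_subnet = key
        if site is None:
            return None                         # unknown site: no tunnel, no IKE
        if len(self.dynamic) >= self.max_tunnels:
            old, _ = self.dynamic.popitem(last=False)   # drop least recently used
            self.dropped.append(old)
        # Dynamic tunnel = base tunnel settings + site-specific fields from the DB.
        self.dynamic[key] = {"local": str(self.base_local), "remote": key, **site}
        return ("dynamic", key)                 # IKE would now use site["psk"]

    def sa_removed(self, key):
        """Last SA to this site gone (e.g. inactivity): free the dynamic tunnel."""
        self.dynamic.pop(key, None)
```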