User's guide

210
The name of a X.509 certificate file holding the router’s private part of the public/private
key pair used in certificate exchanges. See ‘X.509 Certificates’ in the ‘IPsec and VPNs’
section for further explanation.
SA Removal Mode
Determines how IPsec and IKE SAs are removed.
‘Normal’ operation will not delete the IKE SA when all the IPsec SAs that were created by it
are removed and will not remove IPsec SAs when the IKE SA that was used to create them
is deleted.
‘Remove IKE SA when last IPSec SA removed’ will delete the IKE SA when all the IPsec SAs
that it created to a particular peer are removed.
‘Remove IPSec SAs when IKE SA removed’ will delete all IPsec SAs that were created by an
IKE SA when that IKE SA is removed.
‘Both’ will remove IPsec SAs when their IKE SA is deleted, and delete IKE SAs when their
last IPsec SA is removed.
Related CLI Commands

Entity  Instance  Parameter       Values                                                                                                   Equivalent Web Parameter
ike     0         inactto         0 - 255                                                                                                  Stop IKE negotiation if no packet received for n seconds
ike     0         natt            on, off                                                                                                  Enable NAT-Traversal
ike     0         initialcontact  on, off                                                                                                  Send INITIAL-CONTACT notifications
ike     0         respltime       on, off                                                                                                  Send RESPONDER-LIFETIME notifications
ike     0         keepph1         on, off                                                                                                  Retain phase 1 SA after failed phase 2 negotiation
ike     0         privrsakey      Filename                                                                                                 RSA private key file
ike     0         delmode         0 = Normal; 1 = Remove IKE SA when last IPsec SA removed; 2 = Remove IPsec SAs when IKE SA removed; 3 = Both  SA Removal Mode
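The four delmode values above differ only in which direction SA deletion cascades between an IKE SA and the IPsec SAs it negotiated. The following model, added here as an illustration and not code from the router firmware or this guide, encodes those rules so the dependency can be checked for each mode; the SA identifiers and peer names are constructed sample values.

```python
from enum import IntEnum


class DelMode(IntEnum):
    """Values of the 'ike 0 delmode' CLI parameter (SA Removal Mode)."""
    NORMAL = 0                # no cascading in either direction
    IKE_WHEN_LAST_IPSEC = 1   # drop the IKE SA once its last IPsec SA to a peer is gone
    IPSEC_WHEN_IKE = 2        # drop every IPsec SA an IKE SA created when that IKE SA goes
    BOTH = 3                  # both of the above


class SaTable:
    """Tracks IKE SAs and the IPsec SAs each IKE SA negotiated (constructed model)."""

    def __init__(self, mode):
        self.mode = DelMode(mode)
        self.ike = {}    # ike_id -> peer
        self.ipsec = {}  # ipsec_id -> (peer, ike_id that created it)

    def add_ike(self, ike_id, peer):
        self.ike[ike_id] = peer

    def add_ipsec(self, ipsec_id, ike_id):
        # an IPsec SA is always created under an existing IKE SA to the same peer
        self.ipsec[ipsec_id] = (self.ike[ike_id], ike_id)

    def remove_ipsec(self, ipsec_id):
        peer, ike_id = self.ipsec.pop(ipsec_id)
        if self.mode in (DelMode.IKE_WHEN_LAST_IPSEC, DelMode.BOTH):
            # Mode 1/3: the IKE SA goes only when none of the IPsec SAs it
            # created to this particular peer remain.
            remaining = any(p == peer and i == ike_id for p, i in self.ipsec.values())
            if not remaining:
                self.ike.pop(ike_id, None)

    def remove_ike(self, ike_id):
        self.ike.pop(ike_id)
        if self.mode in (DelMode.IPSEC_WHEN_IKE, DelMode.BOTH):
            # Mode 2/3: cascade to every IPsec SA this IKE SA created.
            for sid in [s for s, (_, i) in self.ipsec.items() if i == ike_id]:
                del self.ipsec[sid]
        # Mode 0/1: the IPsec SAs stay up with no IKE SA left to rekey them.

    def orphaned_ipsec(self):
        """IPsec SAs whose creating IKE SA no longer exists (what mode 0/1 leaves behind)."""
        return sorted(s for s, (_, i) in self.ipsec.items() if i not in self.ike)
```

`orphaned_ipsec()` shows the practical difference: after an IKE SA is deleted in modes 0 and 1 the tunnels keep passing traffic but cannot be rekeyed or torn down through that IKE SA until their own lifetimes expire.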
MODECFG Static NAT mappings
Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > MODECFG Static NAT mappings
MODECFG is an extra stage built into IKE negotiations that fits between IKE phase 1 and
IKE phase 2, and is used to perform operations such as extended authentication (XAUTH)
and requesting an IP address from the host. This IP address becomes the source address to
use when sending packets through the tunnel from the remote to the host. This mode of
operation (receiving one IP address from the remote host) is called “client” mode. Another
mode, called “network” mode, allows the unit to send packets with a range of source
addresses through the tunnel.