set vpn

Purpose

Configures Virtual Private Network (VPN) settings.

Using the web interface to configure VPN settings is recommended instead of this command as it is generally easier to configure settings through that interface. Go to
Configuration > Network > Virtual Private Network (VPN) Settings.

If you need to configure the VPN settings using scripts, use the set vpn command.

Virtual Private Networks (VPN) are used to securely connect two private networks together so that devices on one network can reach devices on the other network over a secure channel. The VPN uses IP Security (IPSec) to protect data transferred over the Internet Protocol (IP). The Digi device is responsible for handling the routing between the networks. Devices within the private network of the Digi device can connect directly to devices on the other private network to which the VPN tunnel is established. The VPN tunnels are configured using various security settings and methods to ensure the networks are secured.

There are several uses of the set vpn command:

Required permissions

For Digi products with two or more users, to use this command, permissions must be set to set permissions s-vpn=read to display settings, and set permissions s-vpn=rw to display and configure settings. See set permissions for details on setting user permissions for commands.

Syntax

Basic syntax

The basic syntax for set vpn is:

set vpn [options...]

Where options are keywords that identify groups of VPN options:

[global] [tunnel] [phase1] [phase2] [interface]

The syntax for each group of settings follows.

Configure VPN global options

set vpn global [options...]

Where options are:

    antireplay={on|off}
    suppress_phase1_lifetimes={on|off}
    suppress_delete_sa_for_pfs={on|off}
    send_natt_draft_01_id={on|off}
    send_natt_draft_02_id={on|off}
    send_natt_draft_03_id={on|off}
    dynamic_dns={on|off}

Configure VPN tunnels

set vpn tunnel [options...] [manually-keyed options...|isakmp options...]

Where options are:

    tunnel=1-5
    name=tunnel name
    newname=tunnel name
    mode={disabled|manually-keyed|isakmp}
    autostart={disabled|enabled}
    host_mode={disabled|enabled}
    host_mode_security={disabled|enabled}
    host_address=ip address
    interface={eth0|mobile0}
    remote_peer_address={fqdn|ip address}
    remote_tunnel_addr=ip address
    remote_tunnel_mask=subnet mask
    remote_tunnel_range=ip address-ip address 
    local_tunnel_addr=ip address
    local_tunnel_mask=subnet mask

Where manually-keyed options (mode=manually-keyed) are:

    inbound_spi=256-2^32
    inbound_authentication={none|md5|sha1}
    inbound_auth_key={ascii key|hex key}
    inbound_encryption={none|des|3des|aes}
    inbound_enc_key={ascii key|hex key}
    outbound_spi=256-2^32
    outbound_authentication={none|md5|sha1}
    outbound_auth_key={ascii key|hex key}
    outbound_encryption={none|des|3des|aes}
    outbound_enc_key={ascii key|hex key}

and isakmp options (mode=isakmp) are:

    remote_peer_id={fqdn|ip address|username}
    shared_key={ascii key|hex key}
    aggressive_mode={disabled|enabled}
    natt_enable={disabled|enabled}
    natt_ka_interval=5-255
    pfs={disabled|enabled}
    dh_group_phase2={1|2|5|14}

Note: For proposals, see the syntax for Set IKE/ISAKMP SA Phase 1 Options (set vpn phase1) and Set IKE/ISAKMP SA Phase 2 Options (set vpn phase2).

Display VPN tunnel configuration settings

See syntax for Show VPN IKE/ISAKMP SA Phase 1 options for tunnels.

Set IKE/ISAKMP SA Phase 1 Options

set vpn phase1 [options...]

Where options are:

    tunnel=1-5
    name=tunnel name 
    proposal=1-2  
    state={disabled|enabled}
    auth_method={shared_key|dsa_sig|rsa_sig}
    authentication={md5|sha1}
    encryption={des|3des|aes}
    encryption_size={0|128|192|256} (bits)
    sa_lifetime=10-2^32 (seconds)
    sa_lifetime_data=0-2^32 (kilobytes)
    diffie_hellman_group={1|2|5|14}

Display IKE/ISAKMP SA Phase 1 Options

See Show VPN IKE/ISAKMP SA Phase 1 options for tunnels.

Set IKE/ISAKMP SA Phase 2 Options

set vpn phase2 [options...]

Where options are:

    tunnel=1-5
    name=tunnel name
    proposal=1-8
    state={disabled|enabled}
    authentication={none|md5|sha1}
    encryption={none|des|3des|aes}
    encryption_key_length={0|128|192|256} (0=use default key length)
    sa_lifetime=60-2^32 (seconds)
    sa_lifetime_data=0-2^32 (kilobytes)

Display IKE/ISAKMP SA Phase 2 Options

See Show VPN IKE/ISAKMP SA Phase 2 options for tunnels.

Select the network interface used to communicate with the remote VPN device

set vpn interface [interface={eth0|mobile0}] [local_peer_id={fqdn|interface address|username|certificate dn}]

Display the network interface used to communicate with the remote VPN device

See Show the network interface used to communicate with the remote VPN device.

Options

VPN global options

set vpn global

Specifies that the set vpn command is for setting global VPN options.

antireplay={on|off}

Specifies whether the antireplay feature is on or off. Antireplay allows the IPsec tunnel receiver to detect and reject packets that have been replayed. It does this by adding information to the packets exchanged between VPN endpoints, to ensure that a third party cannot replay the same information to one of the VPN endpoints at a later time to recreate the secure channel again.

CAUTION! If you are using manually-keyed tunnels, disable this option.

For negotiations to succeed, both the local and remote sides of the connection must be set to the same value. Set this field to match that at the remote VPN gateway. The default is on.

suppress_phase1_lifetimes={on|off}

Specifies whether ISAKMP phase 1 lifetimes should be suppressed. Some VPN equipment does not negotiate the ISAKMP phase 1 lifetimes. This equipment may refuse to negotiate with this unit if it includes lifetime values in the phase 1 negotiation messages. Set this option to on to prevent the phase 1 lifetimes from being included in the ISAKMP phase 1 messages if this unit must communicate with this type of equipment. However, in most cases, this option should be set to off.

suppress_delete_sa_for_pfs={on|off}

Specifies whether delete notifications for any phase 2 security associations (SAs) are suppressed. In most cases this option should be set to off. VPN devices usually send a delete notification for any phase 2 SAs that are left over from previous sessions when they start to negotiate quick mode. However, some devices do not handle this notification correctly and will terminate the connection when they receive it. If you have trouble connecting to the remote VPN device, try setting this option to on to suppress sending this message.

send_natt_draft_01_id={on|off}

Use this option to control whether the unit should support draft 01 of the NAT-T protocol. This is an obsolete version of the protocol and support for it should only be enabled if the remote peer requires it.

send_natt_draft_02_id={on|off}

Use this option to control whether the unit should support draft 02 of the NAT-T protocol. This is an obsolete version of the protocol and support for it should only be enabled if the remote peer requires it.

send_natt_draft_03_id={on|off}

Use this option to control whether the unit should support draft 03 of the NAT-T protocol. This is an obsolete version of the protocol and support for it should only be enabled if the remote peer requires it.

dynamic_dns={on|off}

Specifies whether the IP addresses of remote VPN peers may change on the fly, known as dynamic DNS. Set to on if you are specifying the address of the remote VPN device with a DNS name, and that device uses dynamic DNS because its public IP address can change. This causes the Digi device to poll the DNS server once a minute to see if the remote VPN device’s IP address has changed. The IPSec software will be restarted with the new IP address if it does change.

Setting this option to on increases network traffic, since the unit polls the DNS server once a minute.

This example demonstrates how to set the global configuration settings to enable anti-replay and dynamic DNS:

set vpn global antireplay=on
set vpn global suppress_phase1_lifetimes=off
set vpn global suppress_delete_sa_for_pfs=off
set vpn global send_natt_draft_01_id=off
set vpn global send_natt_draft_02_id=off
set vpn global send_natt_draft_03_id=off
set vpn global dynamic_dns=on

VPN tunnel configuration options

set vpn tunnel

Specifies that the set vpn command is for configuring a VPN tunnel.

options

The VPN tunnel configuration options. The set of options specified depends on whether the method of establishing the VPN tunnel is manually-keyed or ISAKMP.

tunnel=1-5 (for ConnectPort X products)
tunnel=1-2 (for Connect WAN products)

The index number for a new or existing VPN tunnel.

name=tunnel name

A name that describes the VPN tunnel. This may be used to help identify each tunnel with a descriptive and unique name.

newname=tunnel name

The new name for the VPN tunnel.

mode={disabled|manually-keyed|isakmp}

The method of establishing the VPN tunnel.

disabled

The VPN tunnel is disabled. Use this option when creating several tunnels, where only one would be used initially. In that case, you would add a disabled tunnel for future use and enable it on a subsequent set vpn command.

manually-keyed

You should only use this option if the remote peer does not support IKE/ISAKMP. The VPN tunnel is established by manually keying in VPN tunnel and security settings. These settings must match the settings of the remote VPN endpoint. Manually-keyed VPNs do not use IKE/ISAKMP. Manually-keyed VPN tunnels are less secure than tunnels secured with IKE/ISAKMP because the encryption keys never expire, and so the same encryption keys are always used.

isakmp

This is the preferred mode of operation. In this mode, a set of security policies is used to negotiate a secure connection to the remote VPN peer. When the tunnel is brought up, IKE/ISAKMP is used to negotiate a fresh set of encryption keys. If the tunnel is used for a long time, a new set of keys is renegotiated periodically. Since the keys are replaced every time the tunnel is brought up, and then periodically afterwards, this mode is much more secure.

autostart={disabled|enabled}

Specifies whether to negotiate the VPN tunnel as soon as the network interface used for it comes up. Set to enabled if the Digi device should establish the VPN tunnel as soon as the network interface selected is ready to use. Set to disabled if the Digi device should wait until a device on the local private network attempts to communicate with a device on the remote network before establishing the VPN tunnel.

host_mode={disabled|enabled}

This option determines whether the local side of the VPN tunnel will be visible to users on the remote peer. Enable host mode to hide the addresses of devices on the local side of the VPN tunnel from the remote side. In this case, devices on the remote side see only a single IP address, which you set with the host_address option below. Disable this option to allow the remote side to see the local subnet that is the local end of the VPN tunnel.

If this option is enabled, the set nat command must be used to enable NAT on the VPN interface associated with this tunnel. The VPN interfaces listed by NAT are zero based, so VPN tunnel 1 is associated with interface VPN0, and so on. For more information, see set nat.

host_mode_security={disabled|enabled}

This is an optional feature that you can leave disabled. If this option is enabled, IPSec discards any traffic from the local side of the VPN tunnel which is not from the subnet specified by the local_tunnel_addr, local_tunnel_mask, and local_tunnel_range options below.

host_address=ip address

Use this option to set the IP address visible to devices on the remote end of the VPN tunnel when host_mode is enabled.

interface={eth0|mobile0}

The network interface that is used as the local endpoint of the VPN tunnel. This interface communicates with the remote VPN peer. The identity set for this interface with the set vpn interface command is the one sent to the remote VPN peer during the ISAKMP negotiation.

eth0

Ethernet network interface.

mobile0

Mobile network interface (a mobile0 device has a cellular modem). In most cases, this is the correct device to use to communicate with a remote VPN device on the Internet.

remote_peer_address={fqdn|ip address}

The IP address or hostname of the peer with which the VPN connection is established.

remote_tunnel_addr=ip address
remote_tunnel_mask=subnet mask
remote_tunnel_range=ip address-ip address

These options specify the range of IP addresses on the remote side of the tunnel. Traffic addressed to these IP addresses from the local side of the tunnel will be sent through the tunnel to the remote network. The remote VPN peer sends traffic from these addresses through the tunnel to the local side.

Digi devices support a mode of VPN tunnel operation called VPN tunnel all mode, where all traffic that is not directed to the local subnet is sent across a VPN tunnel to a remote network. This mode is different from the normal mode of VPN tunnel operation, where the range of the remote subnet is set explicitly. VPN tunnel all mode is supported when the Digi device is the initiator of the VPN connection. It is not supported when the Digi device is the server.

For example, in the normal mode of operation, a user might set up a VPN tunnel between the local subnet at 192.168.1.0/24 and a remote subnet at 172.16.1.0/24. In this case, the remote subnet range is the subnet at 172.16.1.x. In VPN tunnel all mode, the remote subnet is any address that is not on the local subnet, or in this case, anything not in the subnet 192.168.1.x.

The local subnet must be defined as a specific range, for example 192.168.1.0/24. This is specified in the VPN settings by setting the IP address of the local subnet to 192.168.1.0, and the subnet mask to 255.255.255.0. VPN tunnel all mode is specified by setting the remote IP address to 0.0.0.0, and the remote subnet mask to 0.0.0.0.

With the configuration described above, any frames sent from the 192.168.1.x network to any IP address not in the 192.168.1.x subnet will be sent over the VPN tunnel to the remote subnet.

When configuring a Digi device for VPN tunnel all mode and the device allows for setting the gateway priority, set the gateway priority. The gateway priority is set by the set network gwpriority option (see set network). Set gwpriority to eth0 for Ethernet-enabled Digi devices, or to wln0 for wireless Digi devices.

If the Digi device’s IP address on the Ethernet (or wireless) interface is statically configured, specify the address for the gateway on that interface. The gateway IP address is set by the set network command.

local_tunnel_addr=ip address
local_tunnel_mask=subnet mask
local_tunnel_range=ip address-ip address

If host_mode is disabled, these options specify the range of IP addresses at the local side of the VPN tunnel. Traffic from devices in this range that is destined for the remote side of the tunnel will be tunneled to the other side. Devices at the remote side of the tunnel will be able to send frames to IP addresses within this subnet.

If host_mode and host_mode_security are both enabled, these options specify the range of IP addresses that are allowed to communicate with devices on the remote side of the tunnel.

manually-keyed options (mode=manually-keyed):

These options are for manually-keyed VPN tunnels. To properly configure a manually-keyed tunnel, the following settings must be set as specified by the remote VPN server. This includes the local and remote network settings that handle the routing between the local and remote peers. It also includes the security settings for both incoming and outgoing traffic, which may be different from each other, depending on the implementation of the remote VPN server. Incoming or inbound traffic is defined as any traffic sent from a remote peer on the remote network of the remote VPN endpoint to a local peer on the local network. Outgoing or outbound traffic is defined as any traffic sent from a local peer to a remote peer.

inbound_spi=256-2^32

The Security Parameter Index (SPI) for inbound traffic. The SPI defines the unique index for a tunnel used to identify the security settings for IPSec. The SPI is a 32-bit unsigned value that must not be less than 256.

inbound_authentication={none|md5|sha1}

The optional authentication algorithm, used with the associated authentication key specified by the inbound_auth_key option, to authorize access on the VPN tunnel for inbound traffic.

none

No authentication algorithm is used.

md5

MD5 authentication algorithm, which uses 128-bit keys.

sha1

SHA1 authentication algorithm, which uses 160-bit keys.

inbound_auth_key={ascii key|hex key}

The authentication key for inbound traffic, according to the authentication algorithm specified by the inbound_authentication option. The authentication key may be specified as an ASCII value using alpha-numeric characters or may be specified as a hexadecimal value prefixed by 0x. The following table lists the associated lengths of the authentication keys based on the authentication algorithm.

    Algorithm   Size      Key Length (ASCII)   Key Length (Hexadecimal)
    MD5         128-bit   16                   32
    SHA1        160-bit   20                   40

inbound_encryption={none|des|3des|aes}

The optional encryption algorithm used with the associated encryption key specified by the inbound_enc_key option to encrypt data on the VPN tunnel for inbound traffic.

none

No encryption algorithm is used.

des

DES encryption algorithm, which uses 64-bit keys.

3des

3DES encryption algorithm, which uses 192-bit keys.

aes

AES encryption algorithm, which uses 128-bit keys.

inbound_enc_key={ascii key|hex key}

The encryption key for inbound traffic, according to the encryption algorithm specified by the inbound_encryption option. The encryption key may be specified as an ASCII value using alpha-numeric characters or may be specified as a hexadecimal value prefixed by 0x. The following table lists the associated lengths of the encryption keys based on the encryption algorithm.

    Algorithm   Size      Key Length (ASCII)   Key Length (Hexadecimal)
    DES         64-bit    8                    16
    3DES        192-bit   24                   48
    AES         128-bit   16                   32

outbound_spi=256-2^32

The SPI for outbound traffic. The SPI defines the unique index for a tunnel used to identify the security settings for IPSec. The SPI is a 32-bit unsigned value that must not be less than 256.

outbound_authentication={none|md5|sha1}

The optional authentication algorithm used with the associated authentication key specified by the outbound_auth_key option to authorize access on the VPN tunnel for outbound traffic.

none

No authentication algorithm is used.

md5

MD5 authentication algorithm, which uses 128-bit keys.

sha1

SHA1 authentication algorithm, which uses 160-bit keys.

outbound_auth_key={ascii key|hex key}

The authentication key for outbound traffic, according to the authentication algorithm specified by the outbound_authentication option. The authentication key may be specified as an ASCII value using alpha-numeric characters or may be specified as a hexadecimal value prefixed by 0x. For the allowed lengths for this key, see inbound_auth_key.

outbound_encryption={none|des|3des|aes}

The optional encryption algorithm used with the associated encryption key specified by the outbound_enc_key option to encrypt data on the VPN tunnel for outbound traffic. For the allowed values, see inbound_encryption.

outbound_enc_key={ascii key|hex key}

The encryption key for outbound traffic, according to the encryption algorithm specified by the outbound_encryption option. For the allowed values and key length, see inbound_enc_key.
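The key-length tables and SPI range above are easy to get wrong when the manually-keyed options are generated by a script. The following added example (not Digi code) validates both directions against those rules and emits the corresponding set vpn tunnel lines; the key values it uses are constructed placeholders.

```python
"""Pre-flight checks for a scripted manually-keyed tunnel.

Added example for use with the set vpn command; it is not Digi code. The key
lengths and SPI range come from the tables and descriptions above."""
import re

# Required key length in bytes per algorithm (ASCII key = 1 char per byte,
# hex key = 2 digits per byte), as listed in the tables above.
AUTH_KEY_BYTES = {"none": 0, "md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"none": 0, "des": 8, "3des": 24, "aes": 16}
SPI_MIN, SPI_MAX = 256, 2**32 - 1  # 32-bit unsigned, not less than 256


def key_length_bytes(key):
    """Byte length of a key given as alphanumeric ASCII or as 0x-prefixed hex."""
    if key.startswith("0x"):
        digits = key[2:]
        # Hex keys must be whole bytes, so an odd digit count is an error.
        if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
            raise ValueError("malformed hex key: %r" % key)
        return len(digits) // 2
    if not re.fullmatch(r"[0-9A-Za-z]+", key):
        raise ValueError("ASCII key must be alphanumeric: %r" % key)
    return len(key)


def check_key(algorithm, key, table):
    """Raise ValueError unless `key` has the length `table` requires."""
    if algorithm not in table:
        raise ValueError("unknown algorithm: %r" % algorithm)
    if algorithm == "none":
        if key:
            raise ValueError("no key is allowed when the algorithm is none")
        return
    actual = key_length_bytes(key)
    if actual != table[algorithm]:
        raise ValueError("%s needs a %d-byte key, got %d bytes"
                         % (algorithm, table[algorithm], actual))


def check_spi(spi):
    """Raise ValueError unless the SPI is within the documented range."""
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError("SPI %d outside %d-%d" % (spi, SPI_MIN, SPI_MAX))


def manual_tunnel_commands(tunnel, name, inbound, outbound):
    """Validate both directions and return the CLI lines to apply.

    `inbound` and `outbound` are dicts with keys spi, auth, auth_key, enc and
    enc_key. The CAUTION above requires antireplay off for manually-keyed
    tunnels, so that global setting is emitted first.
    """
    lines = ["set vpn global antireplay=off",
             "set vpn tunnel tunnel=%d name=%s mode=manually-keyed" % (tunnel, name)]
    for direction, cfg in (("inbound", inbound), ("outbound", outbound)):
        check_spi(cfg["spi"])
        check_key(cfg["auth"], cfg["auth_key"], AUTH_KEY_BYTES)
        check_key(cfg["enc"], cfg["enc_key"], ENC_KEY_BYTES)
        parts = ["%s_spi=%d" % (direction, cfg["spi"]),
                 "%s_authentication=%s" % (direction, cfg["auth"]),
                 "%s_encryption=%s" % (direction, cfg["enc"])]
        # Key options are only emitted when an algorithm actually needs them.
        if cfg["auth"] != "none":
            parts.append("%s_auth_key=%s" % (direction, cfg["auth_key"]))
        if cfg["enc"] != "none":
            parts.append("%s_enc_key=%s" % (direction, cfg["enc_key"]))
        lines.append("set vpn tunnel tunnel=%d %s" % (tunnel, " ".join(parts)))
    return lines


if __name__ == "__main__":
    # Constructed placeholder keys; replace with the values agreed with the peer.
    inbound = {"spi": 1000, "auth": "sha1", "auth_key": "0x" + "ab" * 20,
               "enc": "aes", "enc_key": "0x" + "01" * 16}
    outbound = {"spi": 1001, "auth": "md5", "auth_key": "abcdefghijklmnop",
                "enc": "3des", "enc_key": "0x" + "02" * 24}
    print("\n".join(manual_tunnel_commands(1, "site1", inbound, outbound)))
```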

isakmp options (mode=isakmp)

To configure an ISAKMP tunnel, you must configure the settings to match those on the remote VPN server.

To specify security proposals for VPN ISAKMP tunnels, see Set IKE/ISAKMP SA Phase 1 Options.

remote_peer_id={fqdn|ip address|username}

The identity of the remote peer with which the VPN connection is established, given as an FQDN, an IP address, or a username.

shared_key={ascii key|hex key}

A key that secures the VPN tunnel. The key can be either an ASCII value using alphanumeric characters or a hexadecimal value prefixed by 0x.

aggressive_mode={enabled|disabled}

Enables or disables aggressive mode for negotiating Internet Key Exchange (IKE) Phase One using Internet Security Association and Key Management Protocol (ISAKMP). Negotiations establish security settings and a secure channel for subsequent messages. For the negotiations to progress, both sides must be configured identically. Aggressive mode processes Phase One negotiations using fewer exchanges than Main Mode processing. In the first exchange, almost everything is sent in the proposed IKE values, including the Diffie-Hellman key, nonce to sign and verify, and the identity. The weakness of using Aggressive Mode compared to Main Mode is that negotiations exchange information before the secure channel is created. However, because fewer exchanges are used, aggressive mode is faster than main mode. Aggressive mode may be required when a peer gateway IP address is dynamic.

If aggressive_mode is disabled, Main Mode processing is used.

natt_enable={disabled|enabled}

Set this option to enabled if there is a firewall between the two VPN peers. Enabling this option will cause the unit to negotiate a NAT Traversal connection which maintains the VPN tunnel through firewalls. Both VPN peers need to be configured the same way.

Enabling this option generates additional traffic.

natt_ka_interval=5-255

Use this option to set the NAT-T keep alive interval. The interval is specified in seconds and determines how often the unit will send NAT keep alive frames to prevent the NAT firewall from timing out the connection. This value should be set to less than half of the timeout value used by the NAT firewall.

pfs={enabled|disabled}

Specifies whether Perfect Forward Secrecy (PFS) is enabled or disabled. PFS is a method of deriving session keys from known keying material. PFS establishes greater resistance to cryptographic attacks by ensuring that a given key of an IKE SA is not derived from any other secret, and that no other key can be derived from this key.

For negotiations to succeed, both the local and remote sides of the connection must have the pfs and dh_group options set to the same values.

The default is enabled.

dh_group_phase2={1|2|5|14}

The Diffie-Hellman (DH) prime modulus group. Diffie-Hellman is a public-key cryptography protocol for establishing a shared secret over an insecure communications channel. Diffie-Hellman is used with IKE to establish the session keys that create a secure channel. This setting is used if Perfect Forward Secrecy is also enabled (pfs=enabled).

Digi Cellular Family products support the following Diffie-Hellman prime modulus groups:

1

Group 1 (768-bit).

2

Group 2 (1024-bit).

5

Group 5 (1536-bit).

14

Group 14 (2048-bit).

The default is 2 (Group 2).

About IKE/ISAKMP SA Phase 1 and Phase 2 options

Internet Key Exchange (IKE) negotiates the IPSec security associations (SAs). This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP (IKE) shared keys. The SAs are relationships between two or more entities or peers that describe how the entities or peers use security services to communicate securely.

IKE negotiations are handled using two different phases.

IKE/ISAKMP SA Phase 1 options

The options below allow you to specify the phase 1 proposals which are used during the first phase of the ISAKMP negotiation. Each proposal specifies a set of security parameters which are to be used to create the phase 1 connection. When the phase 1 negotiation takes place, the local and remote VPN peers compare their lists of phase 1 policies and select the strongest one they both have in common. The settings in the selected policy are used to create the phase 1 connection.

set vpn phase1

Specifies that the set vpn command is for configuring VPN Phase 1 options.

options

tunnel=1-5

The index number assigned to the VPN tunnel.

name=tunnel name

The name of the VPN tunnel.

proposal=1-2

The index number assigned to the security proposal.

state={enabled|disabled}

Whether the phase 1 proposal is enabled or disabled.

auth_method={shared_key|dsa_sig|rsa_sig}

The authentication method performed.

shared_key

Authentication is performed by using a key that secures the VPN tunnel, where the key is either an ASCII alphanumeric value or a hexadecimal value.

dsa_sig

Authentication is performed using a DSA certificate that has been uploaded to the Digi device.

rsa_sig

Authentication is performed using an RSA certificate that has been uploaded to the Digi device.

For more information on certificate management and uploading certificates, see certmgmt.

authentication={md5|sha1}

The authentication algorithm used in IKE negotiations to authenticate the IKE peers and Security Associations (SAs).

md5

MD5 authentication algorithm, which uses 128-bit keys.

sha1

SHA1 authentication algorithm, which uses 160-bit keys.

encryption={des|3des|aes}

The encryption algorithm used in IKE negotiations for encrypting data.

des

DES encryption algorithm, which uses 64-bit keys.

3des

3DES encryption algorithm, which uses 192-bit keys.

aes

AES encryption algorithm, which uses 128-bit keys.

encryption_size={0|128|192|256} (bits)

The encryption key length, in bits, used in IKE negotiations for encrypting data. The key length is based on the encryption algorithm and is used to calculate and create the shared key.

sa_lifetime=10-2^32 (seconds)

Determines how long a Security Association (SA) policy is active, in seconds. After the IKE SA has been negotiated, the SA lifetime begins. Once the lifetime has completed, a new set of SA policies is negotiated using IKE phase 2 negotiation.

sa_lifetime_data=0-2^32 (kilobytes)

The amount of data, in bytes or kilobytes, sent and received until the SA is renegotiated. This value is analogous to the SA lifetime. Also known as SA life size.

diffie_hellman_group={1|2|5|14}

The Diffie-Hellman (DH) prime modulus group. Diffie-Hellman is a public-key cryptography protocol for establishing a shared secret over an insecure communications channel. Diffie-Hellman is used with IKE to establish the session keys that create a secure channel. This setting is used if Perfect Forward Secrecy is also enabled (pfs=enabled).

Digi Cellular Family products support the following Diffie-Hellman prime modulus groups:

1

Group 1 (768-bit).

2

Group 2 (1024-bit).

5

Group 5 (1536-bit).

14

Group 14 (2048-bit).

The default is 2 (Group 2).

IKE/ISAKMP SA Phase 2 options

Security policies define the set of security settings for incoming and outgoing traffic used to encrypt and authorize data. One or more sets of settings may be specified. When the phase 2 connection is negotiated, the local and remote VPN peers compare their list of policies and select the most secure one they both have in common.

The VPN Phase 2 options are used to configure a set of security policies for ISAKMP tunnels. The settings define the set of encryption and authentication algorithms used for incoming and outgoing traffic over the VPN tunnel.

A security policy can have multiple proposals. For example, a policy can have two proposals to allow older VPN devices to connect using less-secure methods, while allowing the same policy to have a second (or more) proposal to allow newer, more powerful end-points to use more secure methods.

set vpn phase2

Specifies that the set vpn command is for configuring VPN Phase 2 options.

options

tunnel=1-5

The index number assigned to the VPN tunnel.

name=tunnel name

The name of the VPN tunnel.

proposal=1-8

The index number assigned to the security proposal.

state={enabled|disabled}

Whether the phase 2 proposal is enabled or disabled. You can use this option when creating several proposals where only one would be used initially. In that case, you would add a disabled proposal for future use and enable it on a subsequent set vpn command.

authentication={none|md5|sha1}

The authentication algorithm used in authenticating clients.

none

This option is used for debugging purposes only. It is not secure and most VPN devices will not accept it.

md5

MD5 authentication, which uses 128-bit keys.

sha1

SHA1 authentication, which uses 160-bit keys.

encryption={none|des|3des|aes}

The encryption algorithm used for encrypting data. AES is generally considered to be more secure than DES, and longer keys are more secure than shorter keys. However, using longer keys may reduce throughput.

none

This option is used for debugging purposes only. It is not secure and most VPN devices will not accept it.

des

DES encryption, which uses 64-bit keys.

3des

3-DES encryption, which uses 192-bit keys.

aes

AES encryption, which uses either 128-bit, 192-bit, or 256-bit keys depending on the negotiated security settings.

encryption_key_length={0|128|192|256} (0=use default key length)

The encryption key length for AES. Set this option to 0 when using DES or 3DES to select the default key lengths. Set this option to the desired key length when using AES. Longer keys are more secure, but may reduce throughput.

sa_lifetime=60-2^32 (seconds)

Determines how long a Security Association (SA) policy is active, in seconds. After the SA has been negotiated, the SA lifetime begins. Once the lifetime has completed, a new set of SA policies is negotiated with the remote VPN endpoint. Shorter lifetimes are more secure since the encryption keys are replaced more often; however, data transfer will be paused for a couple of seconds every time a key negotiation takes place.

sa_lifetime_data=0-2^32 (kilobytes)

The amount of data, in bytes or kilobytes, that is sent and received until the SA is renegotiated. This value is analogous to the SA lifetime. Also known as SA life size.

VPN network interface options

These options set the local identity used for the ISAKMP negotiation. The unit must identify itself to the remote VPN peer during the ISAKMP negotiation. The identity can be a Fully Qualified Domain Name (FQDN), the IP address of the interface used for the negotiation, a username, or a public key certificate. The identity is associated with the network interface used to communicate with the remote VPN peer.

Use the set vpn interface command to set the identity for the network interface.

Syntax

set vpn interface [interface={eth0|mobile0}] [local_peer_id={fqdn|interface address|username|certificate dn}]

Options

interface={eth0|mobile0}

The network interface used to communicate with the remote VPN device.

eth0

Ethernet network interface.

mobile0

Mobile network interface (in most units this is the cellular modem). In most cases, this is the correct device to use to communicate with a remote VPN device on the Internet.

local_peer_id={fqdn|interface address|username|certificate dn}

Sets the identity associated with the network interface. This identity is passed to the remote VPN peer during the ISAKMP negotiation. This option must be set to match the configuration of the remote peer identity on the remote VPN peer.
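Several of the global, tunnel, phase 1 and phase 2 rules above only surface as failed negotiations once the commands have been applied: settings that must match the remote gateway, the key length that must be 0 unless AES is selected, the NAT-T keepalive that must stay below half the firewall's timeout, and the lifetime minimums. The following added example (not Digi tooling) checks a scripted ISAKMP tunnel against those rules before any set vpn command is issued; the settings dicts and the NAT timeout value are constructed inputs, and the flat dict layout is an assumption of this example, not a device format.

```python
"""Consistency checks for an ISAKMP tunnel before the commands are scripted.

Added example, not Digi tooling. Each rule is one stated in the option
descriptions above; the settings are passed as one flat dict per peer."""
import ipaddress

# Options this reference says must be configured identically on both peers.
MUST_MATCH_PEER = ("antireplay", "pfs", "dh_group_phase2",
                   "natt_enable", "aggressive_mode")


def is_ip_address(value):
    """True if `value` parses as an IPv4 or IPv6 address (not a DNS name)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_isakmp(local, peer, nat_timeout=None):
    """Return a list of (severity, message) findings for `local`.

    `local` holds this unit's global, tunnel, phase 1 and phase 2 values;
    `peer` holds the remote gateway's values for the must-match options;
    `nat_timeout` is the NAT firewall's idle timeout in seconds, if known
    (an assumed input: the unit itself cannot report it).
    """
    findings = []

    def error(msg):
        findings.append(("error", msg))

    def warning(msg):
        findings.append(("warning", msg))

    for key in MUST_MATCH_PEER:
        if key in peer and local.get(key) != peer[key]:
            error("%s=%s does not match the peer (%s)" % (key, local.get(key), peer[key]))

    if local.get("mode") != "isakmp":
        error("mode must be isakmp")
    if not 1 <= local.get("tunnel", 0) <= 5:
        error("tunnel index must be 1-5")

    # Phase 2: encryption_key_length is 0 for des/3des and a real length for aes.
    enc = local.get("encryption")
    key_len = local.get("encryption_key_length", 0)
    if enc == "aes" and key_len not in (128, 192, 256):
        error("encryption_key_length must be 128, 192 or 256 with aes")
    if enc in ("des", "3des") and key_len != 0:
        error("encryption_key_length must be 0 with des or 3des")
    if enc == "none" or local.get("authentication") == "none":
        warning("phase 2 'none' algorithms are for debugging only and are usually rejected")

    # Lifetimes below the syntax minimums will not be accepted.
    if local.get("phase1_sa_lifetime", 10) < 10:
        error("phase 1 sa_lifetime must be at least 10 seconds")
    if local.get("phase2_sa_lifetime", 60) < 60:
        error("phase 2 sa_lifetime must be at least 60 seconds")

    # NAT-T keepalive: within 5-255 and below half the firewall's timeout.
    if local.get("natt_enable") == "enabled":
        ka = local.get("natt_ka_interval", 0)
        if not 5 <= ka <= 255:
            error("natt_ka_interval must be 5-255 seconds")
        elif nat_timeout is not None and ka >= nat_timeout / 2:
            error("natt_ka_interval=%d is not below half the NAT timeout (%d)" % (ka, nat_timeout))

    if local.get("aggressive_mode") == "enabled":
        warning("aggressive mode exchanges identities before the secure channel exists")
    if local.get("suppress_phase1_lifetimes") == "on":
        warning("suppress_phase1_lifetimes=on is only for peers that reject lifetime values")
    if local.get("dynamic_dns") == "on" and is_ip_address(local.get("remote_peer_address", "")):
        warning("dynamic_dns=on polls DNS every minute, but the peer is given as an IP address")
    return findings


if __name__ == "__main__":
    # Constructed sample settings for a tunnel over mobile0 to a DNS-named peer.
    local = {"mode": "isakmp", "tunnel": 1, "antireplay": "on", "pfs": "enabled",
             "dh_group_phase2": 14, "natt_enable": "enabled", "natt_ka_interval": 20,
             "aggressive_mode": "disabled", "encryption": "aes",
             "encryption_key_length": 256, "authentication": "sha1",
             "phase1_sa_lifetime": 3600, "phase2_sa_lifetime": 1800,
             "remote_peer_address": "remotepeer.digi1.com", "dynamic_dns": "on"}
    peer = {"antireplay": "on", "pfs": "enabled", "dh_group_phase2": 14,
            "natt_enable": "enabled", "aggressive_mode": "disabled"}
    for severity, msg in lint_isakmp(local, peer, nat_timeout=60):
        print(severity, msg)
```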

Examples

Set global parameters

The following example demonstrates how to set global parameters. Antireplay and dynamic DNS support are turned on. The other global options are turned off.

#> set vpn global antireplay=on
#> set vpn global suppress_phase1_lifetimes=off
#> set vpn global suppress_delete_sa_for_pfs=off
#> set vpn global send_natt_draft_01_id=off
#> set vpn global send_natt_draft_02_id=off
#> set vpn global send_natt_draft_03_id=off
#> set vpn global dynamic_dns=on
#> show vpn global
 Global VPN Configuration :

    antireplay                  : on
    suppress_phase1_lifetimes   : off
    suppress_delete_sa_for_pfs  : off
    send_natt_draft_01_id       : off
    send_natt_draft_02_id       : off
    send_natt_draft_03_id       : off
    dynamic_dns                 : on

Set peer IDs

The following example demonstrates how to set the peer ID for the mobile0 interface to use the IP address currently assigned to that interface:

#> set vpn interface interface=mobile0 local_peer_id=Interface-Address
#> show vpn interface
VPN Interface Configuration :

    Interface    Local Peer Name
    ==========   =============================================
    eth0       : 00:30:9D:01:01:FE@digi.com
    mobile0    : Interface-Address

The following example demonstrates how to set the peer ID for the mobile0 interface to the FQDN localpeer.digi1.com:

#> set vpn interface interface=mobile0 local_peer_id=localpeer.digi1.com
#> show vpn interface
 VPN Interface Configuration :

    Interface    Local Peer Name
    ==========   =============================================
    eth0       : 00:30:9D:01:01:FE@digi.com
    mobile0    : localpeer.digi1.com

Configure a VPN tunnel

The following example demonstrates how to configure a VPN tunnel.

ISAKMP is used to negotiate the connection over the cell modem interface to a remote peer whose identifier is the FQDN remotepeer.digi1.com. The proposals below use triple DES, MD5 and Diffie-Hellman group 2, which match the device defaults visible in the show vpn tunnel output; these are legacy algorithms, so for a new tunnel prefer AES and SHA1 (as in the next example) and the strongest Diffie-Hellman group both peers support. Whichever algorithms you choose, the proposals, lifetimes and peer IDs must match the configuration of the remote peer or the negotiation will fail.

  1. Select the mobile0 interface for the tunnel. Because the local peer ID is associated with the interface (set earlier with set vpn interface), the local identifier for this tunnel is the one assigned to mobile0:
#> set vpn tunnel tunnel=1 mode=isakmp interface=mobile0 remote_peer_id=remotepeer.digi1.com
  2. Set up the tunnel as soon as the interface becomes available:
#> set vpn tunnel tunnel=1 autostart=enabled
  3. Set up a standard subnet-to-subnet tunnel:
#> set vpn tunnel tunnel=1 host_mode=disabled
  4. The remote VPN device is at the DNS address remotepeer.digi1.com:
#> set vpn tunnel tunnel=1 remote_peer_address=remotepeer.digi1.com
  5. Set the subnet at the remote end of the tunnel:
#> set vpn tunnel tunnel=1 remote_tunnel_addr=192.168.1.0 remote_tunnel_mask=255.255.255.0
  6. Set the subnet at the local end of the tunnel:
#> set vpn tunnel tunnel=1 local_tunnel_addr=172.16.1.0 local_tunnel_mask=255.255.255.0
  7. Set the shared key used for authentication:
#> set vpn tunnel tunnel=1 shared_key=TheSharedKey0123456789
  8. Enable aggressive mode:
#> set vpn tunnel tunnel=1 aggressive_mode=enabled
  9. Enable NAT-T in case there is a NAT firewall between the two VPN peers:
#> set vpn tunnel tunnel=1 natt_enable=enabled
  10. Set the NAT-T keep alive interval to 20 seconds:
#> set vpn tunnel tunnel=1 natt_ka_interval=20
  11. Enable Perfect Forward Secrecy:
#> set vpn tunnel tunnel=1 pfs=enabled
  12. Use Diffie-Hellman group 2 for the phase 2 PFS negotiation:
#> set vpn tunnel tunnel=1 dh_group_phase2=2
  13. Disable proposal 1 while we set it up so we do not get error messages:
#> set vpn phase1 tunnel=1 proposal=1 state=disabled
  14. Use a shared key to authenticate with the remote peer:
#> set vpn phase1 tunnel=1 proposal=1 auth_method=shared_key
  15. Use MD5 to authenticate individual packets:
#> set vpn phase1 tunnel=1 proposal=1 authentication=md5
  16. Use triple DES to encrypt phase 1 traffic:
#> set vpn phase1 tunnel=1 proposal=1 encryption=3des
  17. Use the default key size for triple DES:
#> set vpn phase1 tunnel=1 proposal=1 encryption_size=0
  18. Renegotiate the phase 1 SA at least once every 8 hours:
#> set vpn phase1 tunnel=1 proposal=1 sa_lifetime=28800
  19. Renegotiate the phase 1 SA whenever 50 Megabytes of data have been sent across it:
#> set vpn phase1 tunnel=1 proposal=1 sa_lifetime_data=50000
  20. Use Diffie-Hellman group 2 for phase 1 PFS:
#> set vpn phase1 tunnel=1 proposal=1 diffie_hellman_group=2
  21. Now this proposal can be enabled:
#> set vpn phase1 tunnel=1 proposal=1 state=enabled
  22. Disable the phase 2 proposal so it can be configured:
#> set vpn phase2 tunnel=1 proposal=1 state=disabled
  23. Use MD5 to authenticate packets:
#> set vpn phase2 tunnel=1 proposal=1 authentication=md5
  24. Use triple DES to encrypt data:
#> set vpn phase2 tunnel=1 proposal=1 encryption=3des
  25. Use the default key size:
#> set vpn phase2 tunnel=1 proposal=1 encryption_key_length=0
  26. Renegotiate keys at least once every 8 hours:
#> set vpn phase2 tunnel=1 proposal=1 sa_lifetime=28800
  27. Renegotiate keys whenever 50 Megabytes of data have been transferred:
#> set vpn phase2 tunnel=1 proposal=1 sa_lifetime_data=50000
  28. Now that the proposal is set up, enable it:
#> set vpn phase2 tunnel=1 proposal=1 state=enabled
  29. Print out the tunnel configuration:
#> show vpn tunnel tunnel=1 verbose=on
VPN Tunnel #1 Configuration :
General Settings :

       name                : Tunnel 1
       mode                : isakmp
       autostart           : enabled
       host mode           : disabled
       remote peer address : remotepeer.digi1.com
       remote peer ID      : remotepeer.digi1.com
       interface           : mobile0
       local peer ID       : localpeer.digi1.com
Tunnel Settings :

       remote side         : ipv4subnet 192.168.1.0 - 255.255.255.0
       local side          : ipv4subnet 172.16.1.0 - 255.255.255.0
 ISAKMP Settings:

        Client              : enabled
        Server              : enabled
        NAT Traversal       : enabled
        NAT-T KA Interval   : 20
        Aggressive mode     : enabled
        PFS                 : enabled
        Phase 1 DH Group    : set in each phase 1 proposal
        Phase 2 DH Group    : 2 (1024-bit)
    ISAKMP Phase 1 Settings:
       index#  encryption/size  authentication
       ------  ---------------  --------------
       1       3des/0           md5
    Phase 2 Settings :

       index#  state     encryption  authentication
       ------  --------  ----------  --------------
       1       enabled   3des        md5
       2       disabled  des         md5
       3       disabled  des         md5
       4       disabled  des         md5
       5       disabled  des         md5
       6       disabled  des         md5
       7       disabled  des         md5
       8       disabled  des         md5

Configure a more complex VPN tunnel

This example is more complex. The script sets up a second tunnel to a different VPN peer at the IP address 166.65.20.35, which uses the FQDN anotherpeer.digi1.com as its identifier. Two proposals are configured for phase 1 and two for phase 2. Both phase 1 proposals use the SHA1 authentication hash; one offers triple DES, the other 256-bit AES. Both phase 2 proposals specify MD5 authentication and AES encryption, one with 128-bit keys and the other with 256-bit keys. Offering several proposals gives the remote peer a choice: it accepts the first offered proposal that matches its own policy.

#> set vpn tunnel tunnel=2 mode=isakmp interface=mobile0 remote_peer_id=anotherpeer.digi1.com
#> set vpn tunnel tunnel=2 autostart=enabled
#> set vpn tunnel tunnel=2 host_mode=disabled
#> set vpn tunnel tunnel=2 remote_peer_address=166.65.20.35
#> set vpn tunnel tunnel=2 remote_tunnel_addr=192.168.10.0 remote_tunnel_mask=255.255.255.0
#> set vpn tunnel tunnel=2 local_tunnel_addr=172.16.1.0 local_tunnel_mask=255.255.255.0
#> set vpn tunnel tunnel=2 aggressive_mode=disabled
#> set vpn tunnel tunnel=2 natt_enable=enabled
#> set vpn tunnel tunnel=2 natt_ka_interval=20
#> set vpn tunnel tunnel=2 pfs=enabled
#> set vpn tunnel tunnel=2 dh_group_phase2=2
#> set vpn phase1 tunnel=2 proposal=1 state=disabled
#> set vpn phase1 tunnel=2 proposal=1 auth_method=shared_key
#> set vpn phase1 tunnel=2 proposal=1 authentication=sha1
#> set vpn phase1 tunnel=2 proposal=1 encryption=3des
#> set vpn phase1 tunnel=2 proposal=1 encryption_size=0
#> set vpn phase1 tunnel=2 proposal=1 sa_lifetime=28800
#> set vpn phase1 tunnel=2 proposal=1 sa_lifetime_data=50000
#> set vpn phase1 tunnel=2 proposal=1 diffie_hellman_group=2
#> set vpn phase1 tunnel=2 proposal=1 state=enabled
#> set vpn phase1 tunnel=2 proposal=2 state=disabled
#> set vpn phase1 tunnel=2 proposal=2 auth_method=shared_key
#> set vpn phase1 tunnel=2 proposal=2 authentication=sha1
#> set vpn phase1 tunnel=2 proposal=2 encryption=AES
#> set vpn phase1 tunnel=2 proposal=2 encryption_size=256
#> set vpn phase1 tunnel=2 proposal=2 sa_lifetime=28800
#> set vpn phase1 tunnel=2 proposal=2 sa_lifetime_data=50000
#> set vpn phase1 tunnel=2 proposal=2 diffie_hellman_group=2
#> set vpn phase1 tunnel=2 proposal=2 state=enabled
#> set vpn phase2 tunnel=2 proposal=1 state=disabled
#> set vpn phase2 tunnel=2 proposal=1 authentication=md5
#> set vpn phase2 tunnel=2 proposal=1 encryption=AES
#> set vpn phase2 tunnel=2 proposal=1 encryption_key_length=128
#> set vpn phase2 tunnel=2 proposal=1 sa_lifetime=28800
#> set vpn phase2 tunnel=2 proposal=1 sa_lifetime_data=50000
#> set vpn phase2 tunnel=2 proposal=1 state=enabled
#> set vpn phase2 tunnel=2 proposal=2 state=disabled
#> set vpn phase2 tunnel=2 proposal=2 authentication=md5
#> set vpn phase2 tunnel=2 proposal=2 encryption=AES
#> set vpn phase2 tunnel=2 proposal=2 encryption_key_length=256
#> set vpn phase2 tunnel=2 proposal=2 sa_lifetime=28800
#> set vpn phase2 tunnel=2 proposal=2 sa_lifetime_data=50000
#> set vpn phase2 tunnel=2 proposal=2 state=enabled
#> show vpn tunnel tunnel=2 verbose=on
 VPN Tunnel #2 Configuration :

    General Settings :

       name                : Tunnel 2
       mode                : isakmp
       autostart           : enabled
       host mode           : disabled
       remote peer address : 166.65.20.35
       remote peer ID      : anotherpeer.digi1.com
       interface           : mobile0
       local peer ID       : localpeer.digi1.com

    Tunnel Settings :

       remote side         : ipv4subnet 192.168.10.0 - 255.255.255.0
       local side          : ipv4subnet 172.16.1.0 - 255.255.255.0


    ISAKMP Settings:

        Client              : enabled
        Server              : enabled
        NAT Traversal       : enabled
        NAT-T KA Interval   : 20
        Aggressive mode     : disabled
        PFS                 : enabled
        Phase 1 DH Group    : set in each phase 1 proposal
        Phase 2 DH Group    : 2 (1024-bit)

    ISAKMP Phase 1 Settings:

       index#  encryption/size  authentication
       ------  ---------------  --------------
       1       3des/0           sha1
       2       aes/256          sha1

    Phase 2 Settings :

       index#  state     encryption  authentication
       ------  --------  ----------  --------------
       1       enabled   aes         md5
       2       enabled   aes         md5
       3       disabled  des         md5
       4       disabled  des         md5
       5       disabled  des         md5
       6       disabled  des         md5
       7       disabled  des         md5
       8       disabled  des         md5

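Both tunnel scripts above follow the same sequence: tunnel-level settings first, then each proposal taken out of service with state=disabled, written, and re-enabled. When the same tunnel has to be pushed to many devices it is easier to generate that script than to retype it. The following Python helper is an added example, not Digi's code or part of this manual: it builds the command list for the second tunnel above (the shared key is a constructed placeholder, since that script omits it) and refuses inputs outside a whitelist of values taken from this page's examples. The whitelist, the minimum shared-key length and the ordering are this example's own assumptions, not limits enforced by the firmware.

```python
"""Emit the 'set vpn' command sequence for an ISAKMP tunnel.

Added example (not Digi's code): a hypothetical generator that turns a small
tunnel description into the same ordered command script this manual shows.
"""
from dataclasses import dataclass, field
from typing import List

# Value sets seen in this page's examples and 'show vpn' output. The whitelist
# is this example's policy, not a statement of what the firmware accepts.
HASHES = {"md5", "sha1"}
CIPHERS = {"des", "3des", "aes"}
AES_SIZES = {0, 128, 256}        # 0 selects the device default key size
MIN_SHARED_KEY_LEN = 16          # example policy, not a device limit


@dataclass
class Proposal:
    encryption: str                   # des | 3des | aes
    size: int                         # key size; 0 = default, only aes takes a size
    authentication: str               # md5 | sha1
    sa_lifetime: int = 28800          # seconds
    sa_lifetime_data: int = 50000     # data lifetime, as in the page's examples
    dh_group: int = 2                 # phase 1 only
    auth_method: str = "shared_key"   # phase 1 only: shared_key | rsa_sig


@dataclass
class Tunnel:
    number: int
    remote_peer_id: str
    remote_peer_address: str
    remote_subnet: str
    remote_mask: str
    local_subnet: str
    local_mask: str
    shared_key: str = ""
    interface: str = "mobile0"
    aggressive_mode: bool = False
    dh_group_phase2: int = 2
    phase1: List[Proposal] = field(default_factory=list)
    phase2: List[Proposal] = field(default_factory=list)


def _onoff(flag: bool) -> str:
    return "enabled" if flag else "disabled"


def _check_proposal(p: Proposal, phase: int) -> None:
    """Reject values outside the whitelist before anything is emitted."""
    where = f"phase {phase} proposal"
    enc, auth = p.encryption.lower(), p.authentication.lower()
    if auth not in HASHES:
        raise ValueError(f"{where}: unknown hash {p.authentication!r}")
    if enc not in CIPHERS:
        raise ValueError(f"{where}: unknown cipher {p.encryption!r}")
    if enc == "aes" and p.size not in AES_SIZES:
        raise ValueError(f"{where}: AES key size must be one of {sorted(AES_SIZES)}")
    if enc != "aes" and p.size != 0:
        raise ValueError(f"{where}: only AES takes an explicit key size; use 0")
    if p.sa_lifetime <= 0 or p.sa_lifetime_data <= 0:
        raise ValueError(f"{where}: lifetimes must be positive")
    if phase == 1 and p.auth_method not in {"shared_key", "rsa_sig"}:
        raise ValueError(f"{where}: auth_method must be shared_key or rsa_sig")


def generate(t: Tunnel) -> List[str]:
    """Return the ordered 'set vpn' commands for t, in the manual's order."""
    if not t.phase1 or not t.phase2:
        raise ValueError("need at least one phase 1 and one phase 2 proposal")
    needs_psk = any(p.auth_method == "shared_key" for p in t.phase1)
    if needs_psk and len(t.shared_key) < MIN_SHARED_KEY_LEN:
        raise ValueError(f"shared key shorter than {MIN_SHARED_KEY_LEN} characters")
    n = t.number
    tun = f"set vpn tunnel tunnel={n}"
    cmds = [
        f"{tun} mode=isakmp interface={t.interface} remote_peer_id={t.remote_peer_id}",
        f"{tun} autostart=enabled",
        f"{tun} host_mode=disabled",
        f"{tun} remote_peer_address={t.remote_peer_address}",
        f"{tun} remote_tunnel_addr={t.remote_subnet} remote_tunnel_mask={t.remote_mask}",
        f"{tun} local_tunnel_addr={t.local_subnet} local_tunnel_mask={t.local_mask}",
    ]
    if needs_psk:
        cmds.append(f"{tun} shared_key={t.shared_key}")
    cmds += [
        f"{tun} aggressive_mode={_onoff(t.aggressive_mode)}",
        f"{tun} natt_enable=enabled",
        f"{tun} natt_ka_interval=20",
        f"{tun} pfs=enabled",
        f"{tun} dh_group_phase2={t.dh_group_phase2}",
    ]
    for i, p in enumerate(t.phase1, 1):
        _check_proposal(p, 1)
        pre = f"set vpn phase1 tunnel={n} proposal={i}"
        cmds += [f"{pre} state=disabled",        # take it out of service before editing
                 f"{pre} auth_method={p.auth_method}",
                 f"{pre} authentication={p.authentication.lower()}",
                 f"{pre} encryption={p.encryption.lower()}",
                 f"{pre} encryption_size={p.size}",
                 f"{pre} sa_lifetime={p.sa_lifetime}",
                 f"{pre} sa_lifetime_data={p.sa_lifetime_data}",
                 f"{pre} diffie_hellman_group={p.dh_group}",
                 f"{pre} state=enabled"]
    for i, p in enumerate(t.phase2, 1):
        _check_proposal(p, 2)
        pre = f"set vpn phase2 tunnel={n} proposal={i}"
        cmds += [f"{pre} state=disabled",
                 f"{pre} authentication={p.authentication.lower()}",
                 f"{pre} encryption={p.encryption.lower()}",
                 f"{pre} encryption_key_length={p.size}",   # phase 2 keyword differs from phase 1
                 f"{pre} sa_lifetime={p.sa_lifetime}",
                 f"{pre} sa_lifetime_data={p.sa_lifetime_data}",
                 f"{pre} state=enabled"]
    cmds.append(f"show vpn tunnel tunnel={n} verbose=on")
    return cmds


def is_valid(t: Tunnel) -> bool:
    """True when generate() accepts t under the whitelist above."""
    try:
        generate(t)
        return True
    except ValueError:
        return False


def tunnel2_example() -> Tunnel:
    """The second tunnel from this page; the shared key is a constructed placeholder."""
    return Tunnel(
        number=2, remote_peer_id="anotherpeer.digi1.com",
        remote_peer_address="166.65.20.35",
        remote_subnet="192.168.10.0", remote_mask="255.255.255.0",
        local_subnet="172.16.1.0", local_mask="255.255.255.0",
        shared_key="TheSharedKey0123456789",
        phase1=[Proposal("3des", 0, "sha1"), Proposal("aes", 256, "sha1")],
        phase2=[Proposal("aes", 128, "md5"), Proposal("aes", 256, "md5")],
    )


if __name__ == "__main__":
    for line in generate(tunnel2_example()):
        print(f"#> {line}")
```

Paste the printed lines into the CLI, or feed them to whatever script mechanism your deployment uses; the final show vpn tunnel line lets you confirm the result against the expected listing.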
Configure a VPN tunnel with RSA certificate authentication and host mode

This example demonstrates how to set up a third tunnel that authenticates using an RSA certificate, and how to configure host mode. The VPN interface created for host mode is given the IP address 50.1.1.1. This is the address that is visible to devices on the remote side of the tunnel. Host mode security is turned on and configured to allow only devices in the 172.16.1.0 local subnet to communicate over the host mode connection. The NAT firewall will also have to be configured to support host mode.

In addition to entering the configuration commands below, you must install the appropriate RSA certificates on the Digi device: its own certificate and private key, and the certificate needed to verify the remote peer. Without them the phase 1 proposal with auth_method=rsa_sig cannot complete.

#> set vpn tunnel tunnel=3 mode=isakmp interface=mobile0 remote_peer_id=Certificate-DN
#> set vpn tunnel tunnel=3 autostart=enabled
#> set vpn tunnel tunnel=3 host_mode=enabled host_address=50.1.1.1
#> set vpn tunnel tunnel=3 host_mode_security=enabled
#> set vpn tunnel tunnel=3 remote_peer_address=57.42.65.21
#> set vpn tunnel tunnel=3 remote_tunnel_addr=192.168.20.0 remote_tunnel_mask=255.255.255.0
#> set vpn tunnel tunnel=3 local_tunnel_addr=172.16.1.0 local_tunnel_mask=255.255.255.0
#> set vpn tunnel tunnel=3 aggressive_mode=disabled
#> set vpn tunnel tunnel=3 natt_enable=enabled
#> set vpn tunnel tunnel=3 natt_ka_interval=20
#> set vpn tunnel tunnel=3 pfs=enabled
#> set vpn tunnel tunnel=3 dh_group_phase2=2
#> set vpn phase1 tunnel=3 proposal=1 state=disabled
#> set vpn phase1 tunnel=3 proposal=1 auth_method=rsa_sig
#> set vpn phase1 tunnel=3 proposal=1 authentication=sha1
#> set vpn phase1 tunnel=3 proposal=1 encryption=3des
#> set vpn phase1 tunnel=3 proposal=1 encryption_size=0
#> set vpn phase1 tunnel=3 proposal=1 sa_lifetime=28800
#> set vpn phase1 tunnel=3 proposal=1 sa_lifetime_data=50000
#> set vpn phase1 tunnel=3 proposal=1 diffie_hellman_group=2
#> set vpn phase1 tunnel=3 proposal=1 state=enabled
#> set vpn phase2 tunnel=3 proposal=1 state=disabled
#> set vpn phase2 tunnel=3 proposal=1 authentication=md5
#> set vpn phase2 tunnel=3 proposal=1 encryption=AES
#> set vpn phase2 tunnel=3 proposal=1 encryption_key_length=128
#> set vpn phase2 tunnel=3 proposal=1 sa_lifetime=28800
#> set vpn phase2 tunnel=3 proposal=1 sa_lifetime_data=50000
#> set vpn phase2 tunnel=3 proposal=1 state=enabled
#> show vpn tunnel tunnel=3 verbose=on
 VPN Tunnel #3 Configuration :

    General Settings :

       name                : Tunnel 3
       mode                : isakmp
       autostart           : enabled
       host mode           : enabled
       host mode security  : enabled
       remote peer address : 57.42.65.21
       remote peer ID      : Certificate-DN
       interface           : mobile0
       local peer ID       : localpeer.digi1.com

    Tunnel Settings :

       remote side         : ipv4subnet 192.168.20.0 - 255.255.255.0
       local side          : host address 50.1.1.1
           restricted to   : ipv4subnet 172.16.1.0 - 255.255.255.0


    ISAKMP Settings:

        Client              : enabled
        Server              : enabled
        NAT Traversal       : enabled
        NAT-T KA Interval   : 20
        Aggressive mode     : disabled
        PFS                 : enabled
        Phase 1 DH Group    : set in each phase 1 proposal
        Phase 2 DH Group    : 2 (1024-bit)

    ISAKMP Phase 1 Settings:

       index#  encryption/size  authentication
       ------  ---------------  --------------
       1       3des/0           sha1

    Phase 2 Settings :

       index#  state     encryption  authentication
       ------  --------  ----------  --------------
       1       enabled   aes         md5
       2       disabled  des         md5
       3       disabled  des         md5
       4       disabled  des         md5
       5       disabled  des         md5
       6       disabled  des         md5
       7       disabled  des         md5
       8       disabled  des         md5
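The verbose show vpn tunnel listings above are what you have in hand when reviewing a deployed device, so it is useful to be able to read them mechanically. The following Python script is an added example, not Digi's code or part of this manual: it parses the tunnel 2 listing from this page (embedded as the sample input, trimmed to the lines the check needs) and reports enabled proposals that still rely on DES, 3DES or MD5, a PFS group shorter than 2048 bits, and aggressive mode. The parsing rules follow the output format shown on this page, and the thresholds are this example's own policy, not an official one.

```python
"""Audit a 'show vpn tunnel ... verbose=on' listing for legacy choices.

Added example, not Digi's code: a hypothetical parser for the output format
shown on this page plus a policy check that is this example's own.
"""
import re
from typing import Dict, List

# Sample input: the tunnel 2 listing from this page, trimmed to the lines used here.
SAMPLE = """\
 VPN Tunnel #2 Configuration :
    General Settings :
       mode                : isakmp
       remote peer address : 166.65.20.35
       remote peer ID      : anotherpeer.digi1.com
       local peer ID       : localpeer.digi1.com
    ISAKMP Settings:
        NAT Traversal       : enabled
        Aggressive mode     : disabled
        PFS                 : enabled
        Phase 1 DH Group    : set in each phase 1 proposal
        Phase 2 DH Group    : 2 (1024-bit)
    ISAKMP Phase 1 Settings:
       index#  encryption/size  authentication
       ------  ---------------  --------------
       1       3des/0           sha1
       2       aes/256          sha1
    Phase 2 Settings :
       index#  state     encryption  authentication
       ------  --------  ----------  --------------
       1       enabled   aes         md5
       2       enabled   aes         md5
       3       disabled  des         md5
       4       disabled  des         md5
"""

P1_ROW = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)$")
P2_ROW = re.compile(r"^(\d+)\s+(enabled|disabled)\s+(\S+)\s+(\S+)$")

# Example policy: what counts as legacy and the smallest acceptable PFS group.
LEGACY_CIPHERS = {"des": "single DES (56-bit key)", "3des": "3DES (legacy cipher)"}
LEGACY_HASHES = {"md5": "MD5 integrity"}
MIN_DH_BITS = 2048


def parse_show_output(text: str) -> Dict:
    """Collect the key/value settings and both proposal tables from a listing."""
    info: Dict = {"tunnel": None, "settings": {}, "phase1": [], "phase2": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"VPN Tunnel #(\d+)", line)
        if m:
            info["tunnel"] = int(m.group(1))
            continue
        if line.startswith("ISAKMP Phase 1 Settings"):
            section = "phase1"
            continue
        if line.startswith("Phase 2 Settings"):
            section = "phase2"
            continue
        if section == "phase1":
            m = P1_ROW.match(line)         # header and ---- lines do not match
            if m:
                info["phase1"].append({"index": int(m.group(1)), "encryption": m.group(2).lower(),
                                       "size": int(m.group(3)), "authentication": m.group(4).lower()})
        elif section == "phase2":
            m = P2_ROW.match(line)
            if m:
                info["phase2"].append({"index": int(m.group(1)), "state": m.group(2),
                                       "encryption": m.group(3).lower(), "authentication": m.group(4).lower()})
        elif ":" in line:
            key, _, value = line.partition(":")
            if value.strip():              # skips section headings such as "General Settings :"
                info["settings"][key.strip()] = value.strip()
    return info


def _legacy(phase: str, p: Dict) -> List[str]:
    out = []
    if p["encryption"] in LEGACY_CIPHERS:
        out.append(f"{phase} proposal {p['index']}: {LEGACY_CIPHERS[p['encryption']]}")
    if p["authentication"] in LEGACY_HASHES:
        out.append(f"{phase} proposal {p['index']}: {LEGACY_HASHES[p['authentication']]}")
    return out


def audit(info: Dict) -> List[str]:
    """Return one line per policy finding; an empty list means nothing flagged."""
    s, findings = info["settings"], []
    if s.get("Aggressive mode") == "enabled":
        findings.append("aggressive mode enabled: IKEv1 sends the identities and the "
                        "shared-key hash before the exchange is encrypted")
    m = re.search(r"\((\d+)-bit\)", s.get("Phase 2 DH Group", ""))
    if s.get("PFS") == "enabled" and m and int(m.group(1)) < MIN_DH_BITS:
        findings.append(f"phase 2 PFS group is only {m.group(1)} bits")
    for p in info["phase1"]:               # listing shows configured phase 1 proposals only
        findings += _legacy("phase 1", p)
    for p in info["phase2"]:
        if p["state"] == "enabled":        # unused default des/md5 slots are not findings
            findings += _legacy("phase 2", p)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_output(SAMPLE)):
        print(finding)
```

Run it against the captured output of each tunnel; the tunnel 1 listing above, with aggressive mode enabled and 3DES/MD5 in both phases, produces more findings than tunnel 2, which is the point of comparing them.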

See also