Digi Connect® WAN Application Guide
Primary Connections via NAT-T, IPsec ESP or GRE
Scenario
Digi Connect WAN is used for primary remote site connectivity. IPsec VPN or GRE
traffic is terminated by routers or VPN appliances at each end. The Digi Connect WAN
passes this traffic through.
Theory of Operation
The router’s Ethernet WAN port attaches to the Ethernet port of the Digi Connect WAN,
typically via an Ethernet crossover cable.
The wireless carrier provides only one IP address to the mobile interface. The Digi
Connect WAN uses Network Address Translation (NAT) where only the mobile IP
address is visible to the outside. All outgoing traffic uses the mobile IP address of the
Digi Connect WAN.
Since NAT changes IPsec headers, devices that support GRE, IPsec ESP or NAT-T
(IPsec-in-UDP) “tunneling” at each end of the connection are usually required.
For incoming data, the Digi Connect WAN forwards IP traffic that matches the GRE or
IPsec ESP protocol, or a TCP/UDP port or port range, from the cellular IP interface to a
private IP address on the Digi Connect WAN’s Ethernet port.
Sample Diagram:
[Diagram: Remote Site LAN and Router/VPN, Digi Connect WAN, Wireless Network, Internet or Frame Relay, HQ Router/VPN and LAN, with a GRE Tunnel / IPsec ESP / IPsec in UDP between the two Router/VPN devices.]
Router/VPN LAN Port: 10.10.10.1
Router/VPN WAN Port: 192.168.0.2
Connect WAN Ethernet Port: 192.168.0.1
Connect WAN Mobile IP: 166.123.123.123
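The inbound forwarding decision described under Theory of Operation, modelled as an added example (not Digi code or Digi configuration syntax). It uses the addresses from the sample diagram; the UDP ports 500 and 4500 and the names classify, build_ipv4 and udp are assumptions made for the illustration.

```python
import socket
import struct

# Addresses from the guide's sample diagram.
MOBILE_IP = "166.123.123.123"   # Connect WAN mobile IP
ROUTER_WAN_IP = "192.168.0.2"   # remote router/VPN WAN port (forward target)
# Assumed forwarding table: protocol forwarding plus UDP port forwarding.
PROTO_RULES = {47: "GRE", 50: "IPsec ESP"}    # IANA IP protocol numbers
UDP_PORT_RULES = {500: "IKE", 4500: "NAT-T"}  # assumed ports, not from the guide


def classify(packet: bytes):
    """Return (rule, forward_to) for an inbound IPv4 packet, or None if not forwarded."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    if socket.inet_ntoa(packet[16:20]) != MOBILE_IP:
        return None  # not addressed to the mobile interface
    proto = packet[9]
    if proto in PROTO_RULES:
        return PROTO_RULES[proto], ROUTER_WAN_IP
    if proto == 17:  # UDP
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        if frag_offset or len(packet) < ihl + 4:
            return None  # no UDP header to inspect
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport in UDP_PORT_RULES:
            return UDP_PORT_RULES[dport], ROUTER_WAN_IP
    return None  # no rule matched: not forwarded in this model


def build_ipv4(proto, dst, payload=b"", src="203.0.113.10"):
    """Build a constructed IPv4 packet (checksum left at zero) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(dport, sport=4500):
    """Build a constructed 8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


if __name__ == "__main__":
    for name, pkt in [("ESP", build_ipv4(50, MOBILE_IP)),
                      ("NAT-T", build_ipv4(17, MOBILE_IP, udp(4500))),
                      ("DNS", build_ipv4(17, MOBILE_IP, udp(53)))]:
        print(name, "->", classify(pkt))
```

Only the listed protocols and ports reach the router's WAN port in this model, which is the property to confirm when reviewing the forwarding rules on a deployed unit.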
GSM GPRS/EDGE APN Type needed: Typically a Custom APN is required since the
VPN end-points must usually have static (persistent) IP addresses. An Internet APN
may work if the main site (HQ) VPN appliance can support Dynamic DNS names.
Remote Site Router Requirements:
Any router that supports GRE, IPsec ESP or NAT-T (or uses IPsec-in-UDP) should work.
Remote Site Router / VPN Appliance Configuration:
Router default gateway: Digi Connect WAN’s Ethernet port IP address
Policy to use ESP, GRE or NAT-T tunneling; or just GRE if no encryption is required
7/18/2005
Digi International