
Digi Connect Application Guide - Primary Connections 

 

HQ Router / VPN Appliance Configuration: The HQ appliance’s tunnel policy peer address will be the Connect WAN’s Mobile IP address. For this reason a static mobile IP address is preferred on the Digi Connect WAN.

IPsec forwarding: Digi Connect WAN firmware revision D introduced IPsec forwarding, where IPsec ESP tunnel-mode traffic can be forwarded to a specific Ethernet IP address. Current firmware is available via http://www.digi.com/support

Console Port: As a side benefit, the Digi Connect WAN console port can be configured for “Console Management” to provide SSH or telnet access. It can be cabled to the router or VPN appliance’s console port to provide true diverse out-of-band console access.
 

Digi Connect Typical WAN Configuration

 

 

1. Read and follow the quick-start guide for the Digi Connect WAN and optionally for Digi Connectware® Manager if used.

2. Assign a static IP address to the Ethernet port. Note the default gateway may show or change to an address such as 10.6.6.6. This is normal as it is the GSM provider’s network default gateway.

3. Configure Forwarding via Network > IP Forwarding Settings:

   a. For GRE: Enable GRE protocol forwarding and enter the IP address of the router’s WAN Ethernet port (the router attached to the Digi Connect WAN).

   b. For IPsec ESP forwarding: Enable IPsec ESP forwarding and enter the IP address of the router’s WAN Ethernet port (attached to the Digi Connect WAN).

   c. For NAT-T: Create two UDP port forwarding entries for Ports 500 and 4500* (both source and destination ports) and enter the IP address of the router’s WAN Ethernet port (the router attached to the Digi Connect WAN).

      *Some appliances may use ports other than 4500. Check the router documentation for acceptable UDP port numbers. Note also that the Digi Connect WAN can use different ports for source and destination. If the HQ router uses port 10000, but the remote router uses 4500, for example, create a port forwarding entry for source of 10000 and destination of 4500.

   d. Press APPLY to accept the changes.

4. Optionally configure IP filtering and TCP services to block any unwanted incoming connections.

Example NAT-T (IPsec in UDP) Setup

 

 

Refer to the diagram above using these IP addresses: 

Remote site router                 192.168.0.2
Digi Connect WAN Ethernet port     192.168.0.1
Digi Connect WAN Ethernet link     166.123.123.123

The HQ router will use the mobile IP address of the Digi Connect WAN (in this case 166.123.123.123) as its tunnel peer address.
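The forwarding entries from step 3, checked against the example router address above, as an added sketch (not Digi code and not the device's configuration format). The `Forward` model, the rule sets and the reading of a "source 10000, destination 4500" entry as "external port 10000 forwarded to router port 4500" are assumptions made for illustration. It reports which entries a tunnel type still needs and which entries it does not need, the latter being candidates for removal or for the filtering in step 4.

```python
from dataclasses import dataclass
from typing import Optional

GRE, ESP, UDP, TCP = 47, 50, 17, 6      # IANA IP protocol numbers
ROUTER = "192.168.0.2"                  # remote site router, from the example above

@dataclass(frozen=True)
class Forward:                          # hypothetical model of one forwarding entry
    proto: int
    ext_port: Optional[int]             # port seen on the mobile link; None for GRE/ESP
    to_ip: str
    to_port: Optional[int] = None

def route(proto, dst_port, rules):
    """Return (ip, port) an inbound packet is forwarded to, or None if no entry matches."""
    for r in rules:
        if (r.proto, r.ext_port) == (proto, dst_port):
            return (r.to_ip, r.to_port)
    return None

def required(mode, hq_port=4500):
    """Entries step 3 calls for, as (protocol, external port) pairs."""
    return {"gre": {(GRE, None)},
            "esp": {(ESP, None)},
            "nat-t": {(UDP, 500), (UDP, hq_port)}}[mode]

def audit(mode, rules, router=ROUTER, hq_port=4500):
    """Return (missing, extra): entries the mode needs but lacks, and entries it does not need."""
    need = required(mode, hq_port)
    have = {(r.proto, r.ext_port) for r in rules if r.to_ip == router}
    missing = sorted(need - have, key=lambda e: (e[0], e[1] or 0))
    extra = [r for r in rules if (r.proto, r.ext_port) not in need or r.to_ip != router]
    return missing, extra

# Constructed rule sets (not exported from a real device)
NAT_T = [Forward(UDP, 500, ROUTER, 500), Forward(UDP, 4500, ROUTER, 4500)]
TRANSLATED = [Forward(UDP, 500, ROUTER, 500), Forward(UDP, 10000, ROUTER, 4500)]
SLOPPY = [Forward(UDP, 500, ROUTER, 500), Forward(TCP, 23, ROUTER, 23)]

if __name__ == "__main__":
    for name, rules, port in [("NAT_T", NAT_T, 4500), ("TRANSLATED", TRANSLATED, 10000),
                              ("SLOPPY", SLOPPY, 4500)]:
        print(name, audit("nat-t", rules, hq_port=port))
    print(route(ESP, None, NAT_T))      # native ESP has no ports and matches no UDP entry
```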

7/18/2005 

Digi International 
