Digi 90000566_H manual: set vpn, identity={fqdn|user fqdn|ip address}

Models: 90000566_H


set vpn

Options

Global VPN options

set vpn global

Specifies that the "set vpn" command is for setting global VPN options.

mode={main|aggressive}

The method used to negotiate Internet Key Exchange (IKE) Phase One using the Internet Security Association and Key Management Protocol (ISAKMP). Phase One negotiations establish the security settings and the secure channel used for all subsequent messages. For the negotiations to progress, both sides must be configured identically.

main

Main mode processes Phase One negotiations using three two-way exchanges (six messages) between the VPN client and the remote VPN endpoint. The exchanges establish a matching IKE Security Association (SA) between the peers, which provides a protected pipe for subsequent ISAKMP exchanges. The first exchange negotiates and agrees upon the algorithms and hashes/keys used to secure the IKE communications. The second exchange carries each peer's Diffie-Hellman public value, per the specified Diffie-Hellman group, together with a nonce; from these both peers derive the shared secret keys used to sign and prove identities. The third exchange, which is already encrypted, carries each peer's identity (per the specified identity option) and verifies it.

aggressive

Aggressive mode processes Phase One negotiations using fewer exchanges than main mode (three messages instead of six). In the first message each peer sends almost everything at once: the proposed IKE values, its Diffie-Hellman public value, the nonce used to sign and verify, and its identity. The weakness of aggressive mode compared to main mode is that this information is exchanged before the secure channel is created: the identities travel in the clear, and with pre-shared key authentication so does the hash computed from the pre-shared key, which an eavesdropper can capture and attack offline with a dictionary or brute-force search. Because fewer exchanges are used, aggressive mode is faster than main mode. Aggressive mode may be required when a peer gateway IP address is dynamic, because main mode with pre-shared keys must select the key by the peer's IP address before the peer's identity is known. If aggressive mode is required, use a long, random pre-shared key.

The default is "main."
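The difference between the two modes described above is visible on the wire: in main mode the first message carries only the SA proposal and the identity arrives later under encryption, whereas in aggressive mode the identity payload is in the very first unencrypted message. The following parser is an added example written for this page, not code from the Digi manual or the Digi firmware. It decodes the ISAKMP header and generic payload chain (RFC 2408), reports the exchange type and any identity payloads sent in the clear, and maps the ID types defined in RFC 2407 onto the three identity representations this command accepts (ip address, fqdn, user fqdn). The sample messages are constructed in the block, not captured from a device; the cookies, key-exchange bytes and SA body are placeholders.

```python
import struct
from dataclasses import dataclass, field

# ISAKMP constants from RFC 2408 (payloads, exchange types) and RFC 2407 (ID types).
EXCHANGE_TYPES = {2: "main (identity protection)", 4: "aggressive"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPES = {1: "ip address", 2: "fqdn", 3: "user fqdn"}
FLAG_ENCRYPTION = 0x01
HEADER_LEN = 28


def build_payload(next_payload: int, body: bytes) -> bytes:
    # Generic payload header: next payload (1), reserved (1), payload length (2).
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_id_body(id_type: int, data: bytes) -> bytes:
    # ID payload body: ID type (1), protocol ID (1), port (2), identification data.
    return struct.pack("!BBH", id_type, 0, 0) + data


def build_message(exchange_type: int, payloads: list, flags: int = 0) -> bytes:
    """Assemble an ISAKMP message from a list of (payload_type, body) pairs."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += build_payload(next_type, body)
    first = payloads[0][0] if payloads else 0
    # Header: initiator cookie (8), responder cookie (8), next payload, version 1.0,
    # exchange type, flags, message ID (4), total length (4). Cookies are placeholders.
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                         first, 0x10, exchange_type, flags, 0, HEADER_LEN + len(chain))
    return header + chain


@dataclass
class IkeSummary:
    exchange: str
    encrypted: bool
    identities: list = field(default_factory=list)  # (identity representation, value)

    @property
    def identity_in_clear(self) -> bool:
        # True when an ID payload was readable without the Phase One keys.
        return bool(self.identities) and not self.encrypted


def parse_isakmp(msg: bytes) -> IkeSummary:
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (_icookie, _rcookie, next_payload, version, exch, flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", msg[:HEADER_LEN])
    if version >> 4 != 1:
        raise ValueError("not an IKEv1 message")
    if length != len(msg):
        raise ValueError("header length does not match message size")
    summary = IkeSummary(EXCHANGE_TYPES.get(exch, f"other ({exch})"),
                         bool(flags & FLAG_ENCRYPTION))
    if summary.encrypted:
        return summary  # everything after the header is ciphertext; do not walk it
    offset, ptype = HEADER_LEN, next_payload
    while ptype != 0:
        if offset + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > len(msg):
            raise ValueError("bad payload length")
        body = msg[offset + 4:offset + plen]
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, data = body[0], body[4:]
            if id_type == 1 and len(data) == 4:
                value = ".".join(str(b) for b in data)          # ID_IPV4_ADDR
            else:
                value = data.decode("ascii", errors="replace")  # ID_FQDN / ID_USER_FQDN
            summary.identities.append((ID_TYPES.get(id_type, f"type {id_type}"), value))
        offset, ptype = offset + plen, nxt
    return summary


# Constructed sample messages (not captures). SA_BODY is DOI=IPsec plus a placeholder.
SA_BODY = struct.pack("!I", 1) + b"\x00" * 8
MAIN_MODE_MSG1 = build_message(2, [(PAYLOAD_SA, SA_BODY)])
AGGRESSIVE_MSG1 = build_message(4, [
    (PAYLOAD_SA, SA_BODY),
    (PAYLOAD_KE, b"\x42" * 16),
    (PAYLOAD_NONCE, b"\x24" * 8),
    (PAYLOAD_ID, build_id_body(3, b"remote3@digi.com")),
])
# Main mode message 5 sets the encryption flag; in a real capture the ID payload
# would be ciphertext, so the parser must not try to read it.
MAIN_MODE_MSG5 = build_message(2, [(PAYLOAD_ID, build_id_body(2, b"remote3.digi.com"))],
                               flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, msg in [("main msg1", MAIN_MODE_MSG1), ("aggressive msg1", AGGRESSIVE_MSG1),
                      ("main msg5", MAIN_MODE_MSG5)]:
        s = parse_isakmp(msg)
        print(f"{name}: {s.exchange}, identity in clear: {s.identity_in_clear}, {s.identities}")
```

Run over UDP/500 traffic in a detection pipeline, `identity_in_clear` is the condition worth alerting on for peers that are supposed to be configured with mode=main; the identity value tells you which pre-shared key an attacker could now target offline.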

 

identity={fqdn|user fqdn|ip address}

Specifies how the VPN client is identified to the remote VPN endpoint. The identity must match the value the remote VPN endpoint expects, so that it can identify this client and select its respective security settings. This option assumes the use of a pre-shared key and is used to identify which pre-shared key applies. The identity is compared as a string by the remote endpoint; it is not resolved or verified against DNS. This option can be specified in three ways:

identity=fqdn

Identity is specified as a Fully Qualified Domain Name (FQDN), usually the FQDN of the Digi Connect device in the form of an Internet hostname, for example www.myhost.com or remote3.digi.com.

identity=user fqdn

Identity is specified as a User Fully Qualified Domain Name (UFQDN, or User FQDN). A User FQDN is similar to a standard FQDN, but with a user name. The format is the same as an email address, for example user@myhost.com or remote3@digi.com. This is the default representation used by Digi devices, because it can easily be added to authentication systems.

Chapter 2 Command Descriptions

231
