Digi 90000566_H manual Identity=ip-address, Dhgroup=125, Pfs=onoff

Models: 90000566_H


set vpn

identity=ip-address

Identity is specified as the Digi device’s IP address. Using this method, you can specify either of the following:

The Network Address (IPv4): A standard IP address (version 4) in the standard IPv4 dotted format (four numeric values between 0 and 255 separated by periods). For example: 10.0.0.1

The Mobile IP address as the identity: This means that the IP address of your mobile network interface will automatically be used as the VPN identity.

The IP-address method is the easiest for system administrators to use, because it is both familiar and should be unique. However, it is not always the best choice. The IP address may be for the device, unless special arrangements are made with the cellular carrier. This presents a difficult configuration issue, unless a large subnet of addresses is defined to use a single pre-shared key.

The default identity form is “macaddress@digi.com.”

dh_group={1|2|5}

The Diffie-Hellman (DH) prime modulus group. Diffie-Hellman is a public-key cryptography protocol for establishing a shared secret over an insecure communications channel. Diffie-Hellman is used with IKE to establish the session keys that create a secure channel. This setting is used if Perfect Forward Secrecy is also enabled (“pfs=on”).

Digi Cellular Family products support the following Diffie-Hellman prime modulus groups:

dh_group=1 Group 1 (768-bit).

dh_group=2 Group 2 (1024-bit).

dh_group=5 Group 5 (1536-bit).

The default is 2 (Group 2).

pfs={on|off}

Specifies whether the Perfect Forward Secrecy (PFS) method is on or off. PFS is a method of deriving session keys from known keying material. PFS establishes greater resistance to cryptographic attacks by ensuring that a given key of an IKE SA is not derived from any other secret, and that no other key can be derived from this key.

For negotiations to succeed, both the local and remote sides of the connection must have the “pfs” and “dh_group” options set to the same values.

The default is “on.”
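The following is an added example, not code from Digi or from the device firmware, that models how the “dh_group” and “pfs” options above interact: the proposal check that requires both peers to use the same values, a Diffie-Hellman exchange in the MODP group selected by “dh_group”, and the difference PFS makes to the key derived for a child SA. The group primes are the published ones from RFC 2409 (groups 1 and 2) and RFC 3526 (group 5) with generator 2; the IKE PRF is stood in for by HMAC-SHA256, the phase-1 keying material is a random byte string, and the configuration dictionaries, function names and the “observer” role are assumptions made for this illustration only.

```python
# Added example (not Digi's code): model of how "pfs" and "dh_group" from
# "set vpn" affect an IKE negotiation and the resulting child-SA keys.
import hashlib
import hmac
import secrets

# Primes of the MODP groups the manual lists, from RFC 2409 (groups 1 and 2)
# and RFC 3526 (group 5). The generator for all three is 2.
MODP_PRIMES = {
    1: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    2: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16),
    5: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13)):
    """Miller-Rabin with fixed small bases; enough to catch a mistyped modulus."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """MODP groups use safe primes: both p and (p-1)/2 are prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def negotiate(local, remote):
    """Proposal check: "pfs" and "dh_group" must match on both peers, as the
    manual requires. Returns (pfs_enabled, group) or raises ValueError."""
    for opt in ("pfs", "dh_group"):
        if local[opt] != remote[opt]:
            raise ValueError(f"mismatch on {opt}: local={local[opt]} remote={remote[opt]}")
    if local["dh_group"] not in MODP_PRIMES:
        raise ValueError(f"unsupported dh_group {local['dh_group']}")
    return local["pfs"] == "on", local["dh_group"]


def dh_keypair(group):
    p = MODP_PRIMES[group]
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(GENERATOR, priv, p)


def dh_shared_secret(group, priv, peer_pub):
    p = MODP_PRIMES[group]
    if not 1 < peer_pub < p - 1:                 # reject 0, 1 and p-1
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def derive_child_key(ike_skeyseed, pfs, dh_secret=b"", label=b"child-sa"):
    """Toy PRF (HMAC-SHA256 stands in for the IKE PRF, an assumption here):
    with pfs off the child key depends only on phase-1 keying material;
    with pfs on a fresh DH secret is mixed in."""
    return hmac.new(ike_skeyseed, label + (dh_secret if pfs else b""), hashlib.sha256).digest()


def simulate(local_cfg, remote_cfg, ike_skeyseed=None):
    """Run one child-SA setup and report whether the peers agree on the key and
    whether someone holding only the phase-1 material can reproduce it."""
    pfs, group = negotiate(local_cfg, remote_cfg)
    ike_skeyseed = ike_skeyseed or secrets.token_bytes(32)   # constructed phase-1 material
    if pfs:
        a_priv, a_pub = dh_keypair(group)
        b_priv, b_pub = dh_keypair(group)
        a_secret = dh_shared_secret(group, a_priv, b_pub)
        b_secret = dh_shared_secret(group, b_priv, a_pub)
    else:
        a_secret = b_secret = b""                # no fresh exchange without PFS
    a_key = derive_child_key(ike_skeyseed, pfs, a_secret)
    b_key = derive_child_key(ike_skeyseed, pfs, b_secret)
    observer_key = derive_child_key(ike_skeyseed, pfs, b"")  # knows skeyseed, not the DH private values
    return {"peers_agree": a_key == b_key,
            "observer_recovers_key": observer_key == a_key,
            "group_bits": MODP_PRIMES[group].bit_length()}


if __name__ == "__main__":
    for pfs in ("on", "off"):
        cfg = {"pfs": pfs, "dh_group": 2}
        print(pfs, simulate(cfg, dict(cfg)))
```

With “pfs=on” the two peers agree on the child key and the observer who later obtains the phase-1 material still cannot reproduce it, which is the property the manual attributes to PFS; with “pfs=off” the observer's derivation matches the peers' key exactly. A mismatched “dh_group” or “pfs” on either side makes negotiate() raise before any keying happens, mirroring the manual's note that both sides must set the same values.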

232

Chapter 2 Command Descriptions
