Chapter 4
Configuration via the Command Line Interface
Physical Interface [phyif]
You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. On the DSL line, various logical connections can be defined, possibly using different protocol stacks (IPoA, PPPoE, PPPoA, …). The peer entity has to be tied to the correct IP connection.
In the SpeedTouch™, the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So what is the relevance of selecting a physical interface?
First of all, for incoming VPN connections where your SpeedTouch™ is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting the default value, any, removes this matching criterion. If you select a specific interface as the Primary Untrusted Physical Interface, then a new incoming VPN connection arriving on a backup interface is not accepted.
Secondly, if your SpeedTouch™ is equipped with a backup physical interface, for example an ISDN backup interface, then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are
The IPSec peer can also be tied to the LAN interface (eth0). This could be useful to set up a secure connection with a local host within the local LAN for testing purposes, or when a redundant gateway to the public Internet, other than the SpeedTouch™, is present in the LAN.
Peer descriptor [descr]
This parameter refers to the symbolic name of the Peer Security Descriptor to be used for the IKE negotiation.
Authentication Attribute [auth]
This parameter refers to the symbolic name of the applicable Authentication Attribute. Either
client/server
This optional parameter refers to a dialup VPN client/server descriptor. Client/server connections are handled in chapter 6 as an advanced configuration.
options
This parameter refers to the symbolic name of an option list. This option list contains a number of options that modify the VPN behaviour. The options are handled in chapter 6, which discusses the advanced features. For a basic IPSec configuration, no option list is selected.