Nortel Networks 620, 608(WL) manual Chapter

Chapter 3

Configuration via Local Pages

Primary Untrusted This field shows a list of your SpeedTouch™ interfaces. You select the preferred Physical Interface Primary Untrusted Physical Interface. This interface is used as the primary carrier

for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. On the DSL line, various logical connections can be defined, eventually using different protocol stacks (IpoA, PPPoE, PPPoA,…). The peer entity has to be tied to the correct IP connection.

In the SpeedTouch™ the routing engine determines which interface is used for the VPN connection (your DSL connection to the Internet in most cases). So, what is the relevance to select a physical interface?

First of all, for incoming VPN connections where your SpeedTouch™ is the responder in the IKE negotiations, the interface is part of the matching process for accepting the connection. Selecting the default value any has the effect of removing this matching criterion. If you select a specific interface as Primary Untrusted Physical Interface, then a new incoming VPN connection on a backup interface is not accepted.

Secondly, if your SpeedTouch™ is equipped with a backup physical interface, for example an ISDN backup interface, then this field determines the preferred interface for your VPN connection. This interface is used whenever it is available. When this interface fails, the active VPN connections are re-routed via the backup interface. When the primary interface becomes available again, the VPN connections are re-routed to the primary interface. On the other hand, when you select any as the Primary Untrusted Physical Interface and this interface fails, the active VPN connections are also re-routed to the backup interface. But when the DSL connection becomes available again, the VPN connections are not re-routed as long as the backup connection is available.

The IPSec peer can also be tied to the LAN interface (eth0). This could be useful to set up a secure connection with a local host within the local LAN for testing purposes, or when a redundant gateway to the public Internet, other than the SpeedTouch™, is present in the LAN.

Exchange mode Select the exchange mode used during the Phase 1 negotiation. The SpeedTouch™ supports both main mode and aggressive mode.

Authentication Select from the list the symbolic name of the applicable Authentication Attribute. Either pre-shared key or certificates can be used for authentication. Authentication Attributes are defined on the Authentication sub-page. See “3.5.2 Authentication Page” on page 82.

Peer Descriptor Select from the list the symbolic name of a Peer Security Descriptor to be used for the IKE negotiation. Up to four Descriptors can be selected in the Profiles page. These Descriptors are presented as alternative proposals during the IKE negotiations. Peer Security Descriptors are managed on the Peer Descriptors sub- page. See “3.5.3 Peer Descriptors Page” on page 83.

Client/Server This optional parameter refers to a dialup VPN Client/Server descriptor. Client/ Server parameters are managed on separate sub-pages. See “3.5.5 VPN-Client Page” on page 86 for the VPN client configuration. See “3.5.6 VPN-Server Page” on page 88 for the VPN server configuration.