Site-to-site VPN access with two 63xx series devices
Goal
To build an IPSec tunnel through the Digi 6350-SR/6355-SR cellular WAN Internet connection to another Digi 6350-SR/6355-SR and use the tunnel to access endpoints inside a VPN.
Setup
For this setup, you need:
- Two Digi 6350-SR/6355-SRs (main site and remote site) running firmware version 17.5.108.6 or higher. Both must have an active WAN Internet connection.
- Main site Digi 6350-SR/6355-SR must have a publicly reachable IP address so the remote Digi 6350-SR/6355-SR can reach the IP and build a tunnel.
- IPSec credentials and settings needed to build a tunnel between the Digi 6350-SR/6355-SRs.
Note If you are configuring a 6300-CX for Site-to-Site VPN Access, the device must be in router mode.
Sample
The sample configuration below shows a 6300-CX building a tunnel to a 6350-SR through its cellular modem. The client laptop connected to the LAN Ethernet port of the 6300-CX can then use that IPSec tunnel to access any IP address in the 172.20.1.1/24 range behind the 6350-SR. Any traffic not destined for 172.20.1.1/24 will instead go through the cellular modem straight to the Internet.
This tunnel will also allow the client laptop connected to the LAN 4 port of the 6350-SR to access any IP address in the 172.21.1.1/24 range behind the 6300-CX. Any traffic not destined for 172.20.1.1/24 will instead go through the Ethernet WAN of the 6350-SR straight to the Internet.
Both the 6350-SR and 6300-CX will need to be configured with a new IPSec tunnel, using matching authentication settings, in order for the 6300-CX to build the tunnel to the 6350-SR. Sample configuration settings for both devices are listed below.
Note Additional 63xx series routers can build IPSec tunnels to this 6350-SR. Each 63xx series router will need a unique local address range (for example, 172.21.2.1/24 or 172.21.100.1/24) so the various remote sites do not conflict with each other. Also, the remote network and NAT settings of the main site's 6350-SR will need to be expanded to account for the additional ranges (for example, 172.21.1.1/16).
Be sure a value greater than 0 is specified for the local address ranges' fourth octet (for example, X.X.X.1/24 is valid—X.X.X.0/24 is not valid).
6350-SR Sample Configuration
Open the configuration profile for the 6350-SR. Under IPSec, create a new entry titled N6300 and add your IPSec settings to the new entry. The following settings reflect the sample setup in the diagram above.
- Enter the PSK into the Pre-shared key.
- Change Local endpoint -> ID -> ID type to Raw.
- Set the local ID in Local endpoint -> ID -> Raw ID Value, for example, @nps.
- Set Local endpoint -> type to Interface, and set Local endpoint -> Interface to WAN, or whichever interface you want to allow the inbound tunnel to connect through.
- Change Remote endpoint -> ID -> ID type to Raw.
- Set the remote ID in Remote endpoint -> ID -> Raw ID Value, for example, @6300.
- Set the Remote endpoint -> Hostname to any. This allows the 6300-CX to have any IP address. If you know the public IP address of the 6300-CX and want to lock down the 6350-SR's settings so it only allows inbound tunnels from that IP, enter the 6300-CX's public IP address here.
- Set IKE -> Mode to Aggressive mode.
- Uncheck the IKE -> Initiate connection option.
- Set IKE -> Phase 1 Proposals and IKE -> Phase 2 Proposals. In this example, both proposals are set to 3DES, SHA1, MODP1024.
- Under NAT, add a destination that corresponds to the local address range of the remote device. (In this example, 172.21.1.1/24.)
- Under Policies, click Add to create a new policy, and enter the following settings:
  - Set Policy -> Local network -> Type to Custom network.
  - Set Policy -> Local network -> Custom network to the IPv4 network you wish to have on the LAN side of the 6350-SR. In the sample, 172.20.1.1/24.
  - Set Policy -> Remote network to the IPv4 network you wish to access through the tunnel. In the sample, 172.21.1.1/24.
- Configure the firewall. Under Firewall, click Packet Filtering and ensure the Allow all outgoing traffic rule exists and is enabled.
- Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone:
  - Click to expand Firewall > Packet filtering.
  - For Add packet filter, click the add button.
  - For Label, type Allow incoming IPsec traffic.
  - For Source zone, select IPsec.
  - Leave all other fields at their default settings.
6300-CX Sample Configuration
Open the configuration profile for the 6300-CX. Under IPSec, create a new entry titled NPS and add your IPSec settings to the new entry. The following settings reflect the sample setup in the diagram above.
- Enter the PSK into the Pre-shared key.
- Change Local endpoint -> ID -> ID type to Raw.
- Set the local ID in Local endpoint -> ID -> Raw ID Value, for example, @6300.
- (optional) Set Local endpoint -> type to Interface, and set Local endpoint -> Interface to Modem. This configures the 63xx-series router to build the tunnel only through the cellular modem WAN interface. Leaving Local endpoint -> type at its default, Default route, allows the tunnel to be built through any available WAN interface.
- Change Remote endpoint -> ID -> ID type to Raw.
- Set the remote ID in Remote endpoint -> ID -> Raw ID Value, for example, @nps.
- Set the Remote endpoint -> Hostname to the public IP address of the 6350-SR's WAN Ethernet.
- Set IKE -> Mode to Aggressive mode.
- Set IKE -> Phase 1 Proposals and IKE -> Phase 2 Proposals to match the IKE settings required by the 6350-SR. In this example, both proposals are set to 3DES, SHA1, MODP1024.
- Under Policies, click Add to create a new policy, and enter the following settings:
  - Set Policy -> Local network -> Type to Custom network.
  - Set Policy -> Local network -> Custom network to the IPv4 network you wish to have on the LAN side of the 6300-CX. In the sample, 172.21.1.0/24.
  - Set Policy -> Remote network to the IPv4 network you wish to access through the tunnel. In the sample, 172.20.1.0/24.
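The two configurations above only work when they agree field for field: the raw IDs cross-match, exactly one side initiates, the IKE proposals are identical, each side's local network is the other's remote network, and the 6350-SR's NAT destination covers the 6300-CX's LAN. The earlier note on adding more 63xx remote sites adds two more conditions: the remote ranges must not overlap, and the main site's remote network and NAT entries must be widened to a prefix that covers all of them. The Python script below is an added example, not Digi's code or a Digi API. It models both sample configurations as plain dicts (the field names are assumptions standing in for the settings named in the steps; the 6350-SR's public WAN address is a constructed placeholder) and checks every one of those conditions, normalising X.X.X.1/24 and X.X.X.0/24 to the same network. It also lists the proposal algorithms that current IKE guidance (RFC 8247) deprecates, so the sample's 3DES, SHA1 and MODP1024 can be swapped for stronger proposals on both devices where the firmware offers them.

```python
"""Consistency checks for a pair of 63xx site-to-site IPSec configurations.

Added example, not Digi's code or API. The dict field names are assumptions
standing in for the settings named in the guide; the values are the guide's
sample values, except the 6350-SR public WAN address, which is constructed.
"""
import ipaddress

# Proposal components that current IKE guidance (RFC 8247) deprecates.
WEAK_ALGORITHMS = {"DES", "3DES", "MD5", "SHA1", "MODP768", "MODP1024"}

MAIN_SITE = {  # 6350-SR, IPSec entry "N6300"
    "name": "6350-SR", "local_id": "@nps", "remote_id": "@6300",
    "remote_hostname": "any", "initiate": False, "ike_mode": "Aggressive",
    "phase1": ("3DES", "SHA1", "MODP1024"), "phase2": ("3DES", "SHA1", "MODP1024"),
    "local_network": "172.20.1.1/24", "remote_network": "172.21.1.1/24",
    "nat_destinations": ["172.21.1.1/24"],
}
REMOTE_SITE = {  # 6300-CX, IPSec entry "NPS"
    "name": "6300-CX", "local_id": "@6300", "remote_id": "@nps",
    "remote_hostname": "203.0.113.10",  # constructed placeholder for the 6350-SR WAN IP
    "initiate": True, "ike_mode": "Aggressive",
    "phase1": ("3DES", "SHA1", "MODP1024"), "phase2": ("3DES", "SHA1", "MODP1024"),
    "local_network": "172.21.1.1/24", "remote_network": "172.20.1.1/24",
    "nat_destinations": [],
}

def net(cidr):
    """Network for a range written as X.X.X.0/24 or, as the guide prefers, X.X.X.1/24."""
    return ipaddress.ip_network(cidr, strict=False)

def check_local_range(cidr):
    """Enforce the guide's rule that a local range has a non-zero fourth octet."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip == iface.network.network_address:
        return [f"{cidr}: host part must be greater than 0"]
    return []

def weak_algorithms(site):
    """Deprecated algorithms in a site's proposals; informational, not a mismatch."""
    return sorted((set(site["phase1"]) | set(site["phase2"])) & WEAK_ALGORITHMS)

def check_pair(main, remote):
    """Mismatches between the two tunnel endpoints; an empty list means they agree."""
    findings = []
    # Raw IDs cross-match: each side's local ID is the peer's remote ID.
    if main["local_id"] != remote["remote_id"] or remote["local_id"] != main["remote_id"]:
        findings.append("raw IDs do not cross-match")
    if main["ike_mode"] != remote["ike_mode"]:
        findings.append("IKE mode differs")
    for phase in ("phase1", "phase2"):
        if set(main[phase]) != set(remote[phase]):
            findings.append(f"{phase} proposals differ")
    # Exactly one side dials out, and it needs a concrete peer address to dial.
    if main["initiate"] == remote["initiate"]:
        findings.append("exactly one side should have Initiate connection enabled")
    for site in (main, remote):
        if site["initiate"] and site["remote_hostname"] == "any":
            findings.append(f"{site['name']} initiates but has no peer address")
    # Policies mirror each other: my local network is the peer's remote network.
    if net(main["local_network"]) != net(remote["remote_network"]):
        findings.append(f"{remote['name']} remote network does not match {main['name']} local network")
    if net(remote["local_network"]) != net(main["remote_network"]):
        findings.append(f"{main['name']} remote network does not match {remote['name']} local network")
    if net(main["local_network"]).overlaps(net(remote["local_network"])):
        findings.append("local networks overlap; tunnel traffic cannot be routed unambiguously")
    # The main site's NAT destination must cover the remote device's local range.
    if not any(net(remote["local_network"]).subnet_of(net(d)) for d in main["nat_destinations"]):
        findings.append(f"{main['name']} has no NAT destination covering {remote['local_network']}")
    return findings

def plan_remote_sites(main_local, remote_ranges):
    """Additional remote sites must not overlap each other or the main site's LAN."""
    problems = []
    nets = [net(r) for r in remote_ranges]
    for i, a in enumerate(nets):
        if a.overlaps(net(main_local)):
            problems.append(f"{a} overlaps the main site LAN {net(main_local)}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

def covering_prefix(remote_ranges):
    """Tightest single prefix containing every remote LAN, for the main site's remote network and NAT entry."""
    nets = [net(r) for r in remote_ranges]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

if __name__ == "__main__":
    print("pair:", check_pair(MAIN_SITE, REMOTE_SITE) or "OK")
    print("deprecated proposal algorithms:", weak_algorithms(MAIN_SITE))
    extra = ["172.21.1.1/24", "172.21.2.1/24", "172.21.100.1/24"]
    print("remote site plan:", plan_remote_sites(MAIN_SITE["local_network"], extra) or "OK")
    print("main site remote network should cover:", covering_prefix(extra))
```

Run the script before typing the settings into either device; a non-empty list from check_pair names the field to correct. For the three-site plan in the guide's note, covering_prefix returns 172.21.0.0/17, the tightest prefix that contains all three remote LANs; the guide's looser 172.21.1.1/16 also covers them and is what you would enter if you want room for further sites.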