VPN access with IPsec tunnels
Goal
To build an IPSec tunnel through the Digi 63xx WAN internet connection and use the IPSec tunnel to access endpoints inside a VPN.
Setup
For this setup, the 63xx must have an active WAN internet connection (cellular or Ethernet).
You will also need to know the IPSec credentials and settings needed to build a tunnel to the IPSec endpoint.
Note: The 63xx series of devices supports building IPSec tunnels to the following endpoints:
- SonicWall routers
- strongswan IPSec servers
- OpenVPN IPSec servers
- other 63xx series devices.
See Site-to-site VPN access with two 63xx series devices for an example.
Sample
The sample configuration below shows a 6350-SR building a tunnel to a VPN server at 12.13.14.15 through its cellular modem. The client laptop connected to the LAN Ethernet port of the 6350-SR can then use that IPSec tunnel to access any IP address in the 10.255.0.0/16 range behind the IPSec server. Any traffic not destined for 10.255.0.0/16 will instead go through the cellular modem straight to the Internet.
Sample Configuration
Open the configuration profile for the router. Under IPSec, create a new entry titled Tunnel, and add your IPSec settings to the new entry. The following settings reflect the sample setup in the diagram above.
- Enter the PSK into the Pre-shared key.
- (optional) In XAUTH client, check the Enable box and enter the account, username, and password.
- Check the Enable MODECFG client box.
- Change Local endpoint -> ID -> ID type to KeyID.
- Set the local ID in Local endpoint -> ID -> KEYID ID Value.
- (optional) Set Local endpoint -> type to Interface, and set Local endpoint -> Interface to Modem. This configures the 63xx-series device to build the tunnel only through the cellular modem WAN interface. Leaving Local endpoint -> type at its default value, Default route, allows the tunnel to be built through any available WAN interface.
- Change Remote endpoint -> ID -> ID type to IPv4.
- Set the IP address of the IPSec server in Remote endpoint -> Hostname and Remote endpoint -> ID -> IPv4 ID Value. In the example, 12.13.14.15.
- Set IKE -> Mode to Aggressive mode.
- Set IKE -> Phase 1 Proposals and IKE -> Phase 2 Proposals to match the IKE settings required by the IPSec server. In this example, both proposals are set to AES128, SHA1, MOD768.
Under Policies, click Add to create a new policy, and enter the following settings:
- Set Policy -> Local network -> Type to Request a network.
- Set Policy -> Remote network to the IPv4 network you wish to access through the tunnel. In the sample, 10.255.0.0/16.
(alternative) If you would instead like to have all outbound traffic go through this tunnel, set Policy -> Remote network to 0.0.0.0/0.
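As an added pre-flight check (example code written for this article, not the device's own tooling or API), the Python below models the settings entered in the steps above, flags ID and proposal mismatches against what the server requires before the tunnel is attempted, and shows which destinations the policy sends through the tunnel versus straight out the modem for both the 10.255.0.0/16 and the 0.0.0.0/0 cases. The dict key names, the local ID value and the PSK are assumptions of the example.

```python
import ipaddress

# Tunnel settings as entered above. Key names are this example's assumptions,
# not the device's config keys; the PSK and local ID are constructed placeholders.
TUNNEL = {
    "psk": "EXAMPLE-PSK-PLACEHOLDER",
    "local_id": {"type": "KeyID", "value": "site-6350-sr"},
    "remote": {"hostname": "12.13.14.15", "id": {"type": "IPv4", "value": "12.13.14.15"}},
    "ike": {"mode": "Aggressive",
            "phase1": ("AES128", "SHA1", "MOD768"),
            "phase2": ("AES128", "SHA1", "MOD768")},
    "policies": [{"local": "request", "remote_network": "10.255.0.0/16"}],
}
# What the server at 12.13.14.15 requires (constructed to match the sample).
SERVER = {"phase1": ("AES128", "SHA1", "MOD768"),
          "phase2": ("AES128", "SHA1", "MOD768")}

def check_tunnel(cfg, server):
    """List mismatches between the entered settings and the server's
    requirements; an empty list means the tunnel should negotiate."""
    problems = []
    if not cfg["psk"]:
        problems.append("pre-shared key is empty")
    if cfg["local_id"]["type"] != "KeyID" or not cfg["local_id"]["value"]:
        problems.append("local ID must be a KeyID with a non-empty value")
    rid = cfg["remote"]["id"]
    if rid["type"] != "IPv4" or rid["value"] != cfg["remote"]["hostname"]:
        problems.append("remote IPv4 ID value must equal the remote hostname")
    for phase in ("phase1", "phase2"):  # proposal mismatch is the usual failure
        if cfg["ike"][phase] != server[phase]:
            problems.append(f"IKE {phase} {cfg['ike'][phase]} != server {server[phase]}")
    for pol in cfg["policies"]:
        if pol["local"] != "request":
            problems.append("policy local network type must be 'Request a network'")
        try:
            ipaddress.ip_network(pol["remote_network"])
        except ValueError:
            problems.append(f"bad remote network {pol['remote_network']!r}")
    return problems

def route_for(cfg, dst):
    """'tunnel' if dst is inside any policy's remote network, else 'wan' (straight
    out the modem). Packets to the IPsec peer itself always go 'wan': the tunnel
    is carried over that path (general IPsec behaviour, not from the page)."""
    addr = ipaddress.ip_address(dst)
    if str(addr) == cfg["remote"]["hostname"]:
        return "wan"
    hit = any(addr in ipaddress.ip_network(p["remote_network"]) for p in cfg["policies"])
    return "tunnel" if hit else "wan"
```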