VPN access with IPsec tunnels

Goal

To build an IPSec tunnel through the Digi 63xx WAN internet connection and use the IPSec tunnel to access endpoints inside a VPN.

Setup

For this setup, the 63xx must have an active WAN internet connection (cellular or Ethernet).

You will also need to know the IPSec credentials and settings needed to build a tunnel to the IPSec endpoint.

Note The 63xx series of devices support building IPSec tunnels to the following endpoints:

  • SonicWall routers
  • strongSwan IPSec servers
  • OpenVPN IPSec servers
  • other 63xx series devices.

See Site-to-site VPN access with two 63xx series devices for an example.

Sample

The sample configuration below shows a 6350-SR building a tunnel to a VPN server at 12.13.14.15 through its cellular modem. The client laptop connected to the LAN Ethernet port of the 6350-SR can then use that IPSec tunnel to access any IP address in the 10.255.0.0/16 range behind the IPSec server. Any traffic not destined for 10.255.0.0/16 will instead go through the cellular modem straight to the Internet.

Sample Configuration

Open the configuration profile for the router. Under IPSec, create a new entry titled Tunnel, and add your IPSec settings to the new entry. The following settings reflect the sample setup in the diagram above.

  1. Enter the PSK into the Pre-shared key.
  2. (optional) In XAUTH client, check the Enable box and enter the account, username, and password.
  3. Check the Enable MODECFG client box.
  4. Change Local endpoint -> ID -> ID type to KeyID.
  5. Set the local ID in Local endpoint -> ID -> KEYID ID Value.
  6. (optional) Set Local endpoint -> type to Interface, and set Local endpoint -> Interface to Modem. This configures the 63xx-series device to only build the tunnel through the cellular modem WAN interface. Leaving Local endpoint -> type at its default of Default route will allow the tunnel to be built through any available WAN interface.
  7. Change Remote endpoint -> ID -> ID type to IPv4.
  8. Set the IP address of the IPSec server in Remote endpoint -> Hostname and Remote endpoint -> ID -> IPv4 ID Value. In the example, 12.13.14.15.
  9. Set IKE -> Mode to Aggressive mode.
  10. Set IKE -> Phase 1 Proposals and IKE -> Phase 2 Proposals to match the IKE settings required by the IPSec server. In this example, both proposals are set to AES128, SHA1, MOD768.

Under Policies, click Add to create a new policy, and enter the following settings:

  1. Set Policy -> Local network -> Type to Request a network.
  2. Set Policy -> Remote network to the IPv4 network you wish to access through the tunnel. In the sample, 10.255.0.0/16.
  3. (alternative) If you would instead like to have all outbound traffic go through this tunnel, set Policy -> Remote network to 0.0.0.0/0.
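As an added example (not part of the original article or Digi's documentation), the fragment below is a strongSwan responder configuration that matches the sample settings above, so the two sides of the tunnel can be compared step by step. It assumes the server is at 12.13.14.15, the 6350-SR's KeyID is `digi-6350sr`, the MODECFG pool 192.168.250.0/24 and the XAUTH account `digi-user` are placeholders, and the secrets are replaced before use.

```conf
# /etc/ipsec.conf on the strongSwan IPSec server (12.13.14.15)
conn digi-6350sr
    keyexchange=ikev1
    aggressive=yes                 # step 9: IKE -> Mode = Aggressive mode
    authby=xauthpsk                # step 1 (PSK) plus step 2 (XAUTH client)
    xauth=server
    modeconfig=pull                # step 3: Enable MODECFG client on the 63xx
    ike=aes128-sha1-modp768!       # step 10: Phase 1 proposal (AES128, SHA1, MOD768)
    esp=aes128-sha1!               # step 10: Phase 2 proposal
    # modp768 and aggressive-mode PSK are kept only to mirror the sample;
    # they are weak, so use a larger DH group and main mode where the peer allows.
    left=12.13.14.15
    leftid=12.13.14.15             # steps 7-8: the 63xx expects an IPv4 remote ID
    leftsubnet=10.255.0.0/16       # policy step 2: network reachable through the tunnel
    right=%any                     # cellular peer address is not known in advance
    rightid=@@digi-6350sr          # steps 4-5: KeyID ID type ('@@' marks a KEY_ID)
    rightsourceip=192.168.250.0/24 # assumed pool handed to the 63xx by MODECFG
    auto=add

# /etc/ipsec.secrets
# Blank selector: this PSK is offered to any peer of this connection.
: PSK "replace-with-the-shared-secret"
digi-user : XAUTH "replace-with-the-xauth-password"
```

Setting leftsubnet to 0.0.0.0/0 on the server side corresponds to the alternative in policy step 3, where all of the 63xx's outbound traffic is sent through the tunnel.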