Confi gure > ipsec > ipsec egroups > egroup n 4.49 – Westermo MR Series User Manual

150

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Confi gure > IPSec > IPSec Egroups > Egroup n

4.49

This mode of operation can be used when the Westermo is terminating tunnels to a large number
of remote devices e.g when being used as a VPN Concentrator. To keep the size of the configura-
tion file in the Westermo box small and also to maintain ease of configuration, only the information
that is used for all tunnels is stored on the Westermo box. All information that is site specific is
stored in a MySQL database. This means the number of sites that can be configured is limited only
by the SQL database size and performance. This will be literally millions of sites depending upon the
operating system and hardware of the MySQL PC. The number of sites that can be connected to
concurrently is much smaller and limited by the Westermo model.

Basic Concept

The unit with the Egroup/MySQL configuration will be the VPN Concentrator. The remote sites
will normally not require an Egroup configuration as they will normally only need to connect to a
single peer, the VPN Concentrator. The VPN Concentrator will normally need only a single Eroute
configured. The local and remote subnet parameters need to be set up wide enough to encompass
all the local and remote networks. The VPN Concentrator can act as an initiator and/or a responder.
In situations where there are more remote sites than the unit can support concurrent sessions, it
will normally be necessary for the Concentrator and the remote sites to be both an initiator and
a responder. This is so that both the remote sites and the head-end can initiate the IPSEC session
when required. Note that it is also important to configure the Eroutes to time out on inactivity to
free up sessions for other sites. In the case of the VPN Concentrator acting as an initiator, when it
receives a packet that matches the main Eroute, if no Security Associations already exist it will look
up the required parameters in the database. The unit will then create a ”Dynamic Eroute” contain-
ing all the settings from the base eroute and all the information retrieved from the database. At this
point IKE will create the tunnel (IPSEC Security associations) as normal. The dynamic eroute will
continue to exist until all the IPSEC Security Associates have been removed. At the point where the
number of dynamic eroutes free is within 10% of the maximum supported in the platform (MR and
DR model) the oldest Dynamic Eroutes (those that have not been used for the longest period of
time) and their associated IPSEC Security Associations will be dropped until the number of dynamic
eroutes free is above 10% of the total.

Logic fl ow - creation of IPSec SAs
Concentrator acting as initiator.

The concentrator will normally act as an initiator when it receives an IP packet for routing with a
source address matching the Eroute Local subnet address & mask and a destination address match-
ing the Remote subnet address & mask. (Provided than an IPSEC SA does not already exist for this
site.)

If an egroup is configured to use the matching eroute, the unit will use a MySQL query to obtain
the site specific information in order to create the SA’s. The concentrator will create a SELECT
query using the destination IP address of the packet and the mask configured in the egroup con-
figuration to determine the remote subnet address. (This means that the remote subnet mask must
be the same on all sites using the current egroup.) Once the site specific information has been
retrieved, the unit creates a ’dynamic’ eroute which is based upon the base eroute configuration
plus the site specific information from the MySQL database.The router can then use the completed
eroute configuration and IKE will be used to create the IPsec SAs. For the pre-shared key, IKE will
use the password returned from the MySQL database rather than doing a local look up in the user
configuration. Once created, the SAs are linked with the dynamic eroute. Replacement SAs are cre-
ated as the lifetimes start to get low and traffic is still flowing. When all SAs to this remote router
are removed, the dynamic eroute will also be removed so that eroute can then be re-used to create
tunnels to other remote sites. When processing outgoing packets, dynamic eroutes are searched
before base eroutes. So, if a matching dynamic eroute is found, it is used, and the base eroute is only
matched if no dynamic eroute exists. Once the dynamic eroute is removed, further outgoing packets
will match the base eroute and the process is repeated.