Westermo MR Series User Manual

Page 151

background image

151

6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

Concentrator acting as a responder to a session initiated from the remote site.

When a remote site needs to create an IPSEC SA with the concentrator it will send an IKE request
to the concentrator. The concentrator needs to be able to confirm that the remote device is
authorised to create an IPSec tunnel. The remote site will supply its ID to the host during the IKE
negotiations. The concentrator will use this ID and look through the eroutes configured and dynam-
ic eroutes to see if the supplied ID matches the configured Peer ID (peerid). If a match is found, the
MYSQL database is queried to retrieve the information required to complete the negotiation (e.g.
pre-shared key/ password). If no matching base eroute is found, the local user configuration is used
to locate the password, and a normally configured eroute must also exist. Once the information is
retrieved from the MySQL database, IKE negotiations continue and the created IPsec SAs will be
associated with the dynamic eroute. As long as the dynamic eroute exists, it behaves just like a nor-
mal eroute. i.e. SAs are replaced/removed as required.

If errors are received from the MySQL database, or not enough fields are returned, the dynamic
eroutes are removed, and IKE negotiations in progress will be terminated. There are a limited
number of dynamic eroutes. If the number of free dynamic eroutes is less than 10% of the total
number of dynamic eroutes, the Westermo router will periodically remove the oldest dynamic
eroutes. This is done to ensure that there will always be some free dynamic eroutes available for
incoming connections from remote routers. It is possible to view the current dynamic tunnels that
exist using the WEB server, browse to Status > IPSec > Dynamic Tunnels. The table will indicate
the base eroute and the Remote Peer ID in the status display to help identify which remote sites
are currently connected.

Preliminary Eroute confi guration:

The eroute configuration Configure > IPSec > Eroutes > Eroute n differs from a normal configu-
ration in the following ways:

Peer IP/hostname: Because the peer IP address to each peer is unknown and is retrieved from
the database, this field is left empty.

Bakpeerip (CLI only): Because the peer IP address to each peer is unknown and is retrieved
from the database, this field is left empty.

Peer ID: When the host unit is acting as a responder during IKE negotiations, the router uses
the ID supplied by the remote to decide whether or not the MySQL database should be inter-
rogated. So that the unit can make this decision, the remote router must supply an ID that
matches the peerid configured into the eroute. Wildcard matching is supported which means
that the peerid may contain ’*’ and ’?’ characters. If only one eroute is configured, the peerid
field may contain a ’*’, indicating that all remote IDs result in a MySQL look up.

Local subnet IP address / Local subnet mask: Configured as usual.

Remote subnet IP address / Remote subnet mask: These fields should be configured in such a
way that packets to ALL remote sites fall within the configured subnet. e.g. if there are two sites
with remote subnets 192.168.0.0/24, and 192.168.1.0/24 respectively, a valid configuration for
the host would be 192.168.0.0/23 so that packets to both remote sites match.

All other fields should be configured as usual. It is possible to set up other Egroups linked with
other eroutes. This would be done if there is a second group of remote sites that have a differ-
ent set of local and remote subnets, or perhaps different encryption requirements. The only real
requirement is that this second group uses peer IDs that do not match up with those in use by the
first egroup.

This manual is related to the following products: