Physical interface [phyif, Peer descriptor [descr, Authentication attribute [auth – Nortel Networks 608(WL) User Manual

Chapter 4

Configuration via the Command Line Interface

E-DOC-CTC-20051017-0169 v0.1

122

Physical Interface [phyif]

You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then
used as the primary carrier for your VPN connection. In general, the primary
untrusted interface is your DSL connection to the public Internet. On the DSL line,
various logical connections can be defined, eventually using different protocol
stacks (IpoA, PPPoE, PPPoA,…). The peer entity has to be tied to the correct IP
connection.

In the SpeedTouch™ the routing engine determines which interface is used for the
VPN connection (your DSL connection to the Internet in most cases). So, what is the
relevance to select a physical interface?

First of all, for incoming VPN connections where your SpeedTouch™ is the
responder in the IKE negotiations, the interface is part of the matching process for
accepting the connection. Selecting the default value any has the effect of removing
this matching criterion. If you select a specific interface as Primary Untrusted
Physical Interface, then a

new

incoming VPN connection on a

backup

interface

is

not accepted.

Secondly, if your SpeedTouch™ is equipped with a backup physical interface, for
example an ISDN backup interface, then this field determines the

preferred

interface for your VPN connection. This interface is used whenever it is available.
When this interface fails, the active VPN connections are re-routed via the backup
interface. When the primary interface becomes available again, the VPN
connections are re-routed to the primary interface. On the other hand, when you
select any as the Primary Untrusted Physical Interface and this interface fails, the
active VPN connections are also re-routed to the backup interface. But when the
DSL connection becomes available again, the VPN connections are not re-routed as
long as the backup connection is available.

Peer descriptor [descr]

This parameter refers to the symbolic name of the Peer Security Descriptor to be
used for the IKE negotiation. Pre-defined as well as user-defined peer descriptors
can be referred to.

Authentication Attribute

[auth]

This parameter refers to the symbolic name of the applicable Authentication
Attribute. Either pre-shared key or certificates can be used for authentication. For
pre-shared key authentication, the pre-shared key value is part of this parameter. In
this document only pre-shared key authentication is considered.

client/server

This optional parameter refers to a dialup VPN client/server descriptor. Client/server
connections are handled in chapter

6

as an advanced configuration.

options

This parameter refers to the symbolic name of an option list. This option list
contains a number of options that modify the VPN behaviour. The options are
handled in chapter

6

, discussing the advanced features. For a basic IPSec

configuration, no option list is selected.

The IPSec peer can also be tied to the LAN interface (eth0). This could be
useful to set up a secure connection with a local host within the local LAN
for testing purposes, or when a redundant gateway to the public Internet,
other than the SpeedTouch™, is present in the LAN.