Digi TransPort
Digi TransPort WAN to Ethernet Failover Guide

Quick Note 53
Ethernet to W-WAN failover with logical Ethernet interface
Digi Support
August 2015

Contents

1 Introduction
  1.1 Introduction
  1.2 Assumptions
  1.3 Corrections
2 Version
3 TransPort Configuration
  3.1 Ethernet 0 Configuration
  3.2 Ethernet 2 (Logical) Configuration
  3.3 Mobile Interface Configuration
  3.4 Default Route 0 Configuration
  3.5 Default Route 1 Configuration
  3.6 Firewall Configuration
4 Testing

1.1 Introduction

This document describes a WAN to Ethernet failover scenario for single-Ethernet-port Digi TransPort routers such as the WR11, WR21 and WR41, using a logical Ethernet port to allow LAN access to devices while the failover is in place. This document is an addition / alternative to: AN41.
In this scenario, when the primary default route (Ethernet) is Out Of Service, resources on the LAN remain accessible through the logical Ethernet interface.

Digi TransPort WR21

    ETH 0
    IP: 192.168.1.23
    Mask: 255.255.255.0
    GW: 192.168.1.254

    ETH 2 (Logical)
    IP: 192.168.1.24
    Mask: 255.255.255.0

In the standard failover scenario, a LAN host cannot reach the router's interface while ETH 0 is Out Of Service. Using a logical Ethernet interface on the same subnet makes this possible while maintaining the failover.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router and configure it with basic routing functions.

This application note applies to:

Model: DIGI TransPort WR11/21/41/44
Firmware versions: 5246 and later
Configuration: This document assumes that the devices are set to their factory default configurations. Most configuration commands are shown only if they differ from the factory default.

Please note: This application note has been specifically rewritten for firmware release 5246 and later but will work on earlier versions of firmware.
Please contact ********************* if you require assistance in upgrading the firmware of the TransPort router.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************
Requests for new application notes can be sent to the same address.

3.1 Ethernet 0 Configuration

Configuration - Network > Interfaces > Ethernet > ETH 0

Please note: It is possible to use “Get an IP address automatically using DHCP” if the primary WAN connection uses dynamic IP addressing and the router/modem acts as a DHCP server.

Configuration - Network > Interfaces > Ethernet > ETH 0 > Advanced

Enable NAT and configure the WAN interface for auto ping tests (in this case Google’s DNS server).
Click Apply.

3.2 Ethernet 2 (Logical) Configuration

Please note: The logical Ethernet interface number will vary depending on the device being used (the WR44 will start at 12, for example).

Configuration - Network > Interfaces > Ethernet > Logical Ethernet Interfaces > ETH 2
Configuration - Network > Interfaces > Ethernet > Logical Ethernet Interfaces > ETH 2 > Advanced

Link the logical Ethernet interface with ETH 0.

3.3 Mobile Interface Configuration

Configure the mobile interface according to the SIM card used.

Configuration - Network > Interfaces > Mobile > Mobile Settings
Configuration - Network > Interfaces > Advanced > PPP 1 > Advanced

Set the default route to Ethernet 0 and deactivate the mobile interface (PPP 1) whenever this route is in service.

Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 0
Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 0 > Advanced

This default route will use PPP 1 and will be configured as an on-demand interface. This will stop the router from sending unnecessary traffic to test the interface connectivity when the interface is not in service.
In case of data bandwidth being limited or charged, this will keep transferred data on the wireless WAN link to a minimum.

Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 1
Configuration - Network > IP Routing/Forwarding > Static Routes > Default Route 1 > Advanced

3.6 Firewall Configuration

The firewall rules needed for this application are very simple. There are only three rules to add:

The first rule will enable the monitoring of the ICMP traffic exiting the Ethernet 0 interface. If the ICMP traffic fails then this interface will be taken out of service and the recovery ping process will verify when the test host is responding to test traffic again.

The second rule will enable the monitoring of the ICMP traffic exiting the PPP 1 interface. If the traffic fails then this interface will be taken out of service, and the PPP interface is deactivated then re-activated in an attempt to get the PPP connection working again. If this rule is activated there will be a short interruption to service whilst a working network connection is established.

The default firewall rule set included in a production device will by default allow all outgoing traffic and restrict incoming traffic. You may want to filter more traffic than this using the extensive capabilities of the Digi TransPort firewall – please see the Digi TransPort User Guide for more details on what the firewall can do for you.
The manual is available from the Digi website at /support/

Please note: This example will not use any of the default firewall rules.

Configuration - Security > Firewall

Using the Digi TransPort web GUI, click on “Insert” and type/paste in this rule (all on one line):

    pass out break end on Eth 0 proto icmp from addr-Eth 0 to 8.8.8.8 icmp-type echo inspect-state oos 10 t=3 c=3 d=3 r=ping,3,3

Click “OK” to add the rule.

Click the “Insert” button on the line below the new Eth 0 rule, type/paste in this rule:

    pass out break end on ppp 1 proto icmp from addr-ppp 1 to 8.8.8.8 icmp-type echo inspect-state oos 10 t=5 c=3 d=3

Click “OK” to add the rule.

Click the “Insert” button on the line below the new PPP 1 rule, type/paste in this rule:

    pass break end

Click “OK” to add the rule.

Click the “Save” button to write the firewall rules to the fw.txt file on the router’s FLASH.

The firewall configuration should look like this:

Scroll down the Firewall configuration page to the Interface list and tick the boxes to enable the firewall on ETH 0 and PPP 1:

Click the “Apply” button to enable the firewall on those two interfaces.

Please note: The IP address used in this demo as the target for test pings (Google DNS) is not guaranteed to reply, so you should choose an IP address within your ISP’s network or a public IP address that you own and have control of.

When ETH 0 goes Out Of Service due to loss of communication (ping failure), the default route will be the PPP 1 interface.
It will however still be possible for the host to reach any devices on the LAN such as the gateway/router.

Event log showing the Default Route 0 (ETH 0) going Out Of Service:

    05:01:49, 02 Jan 2000,Default Route 0 Out Of Service,Firewall
    05:01:49, 02 Jan 2000,ETH 0 Out Of Service,Firewall
    04:54:58, 02 Jan 2000,Default Route 1 Available,Activation

Testing a ping shows the default route going through PPP 1:

    Command: ping 8.8.8.8
    Command result
    Pinging Addr [8.8.8.8]
    sent PING # 1
    PING receipt # 1 : response time 0.18 seconds
    Iface: PPP 1
    Ping Statistics
    Sent : 1
    Received : 1
    Success : 100 %
    Average RTT : 0.18 seconds
    OK

Checking the routing table shows ETH 0 Out Of Service and ETH 2 UP with the same destination subnet as ETH 0:

    Command: route print
    Command result
    Destination        Gateway         Metric Protocol Idx Interface Status
    ------------------------------------------------------------------------------
    90.122.9.106/32    90.122.9.106    1      Local    -   PPP 1     UP
    192.168.1.0/24     192.168.1.24    1      Local    -   ETH 2     UP
    192.168.1.0/24     192.168.1.23    -      Local    -   ETH 0     OOS
    0.0.0.0/0          90.122.9.106    3      Static   1   PPP 1     UP
    0.0.0.0/0          192.168.1.254   -      Static   0   ETH 0     OOS
    OK

A test ping on the LAN side (router) shows packets going through the logical Ethernet interface:

    Command: ping 192.168.1.254
    Command result
    Pinging Addr [192.168.1.254]
    sent PING # 1
    PING receipt # 1 : response time 0.00 seconds
    Iface: ETH 2
    Ping Statistics
    Sent : 1
    Received : 1
    Success : 100 %
    Average RTT : 0.00 seconds
    OK
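The routing-table check in the testing output above can be scripted for unattended monitoring. The following Python is an added example, not part of the original Quick Note or Digi's tooling: it parses `route print` output (embedded as a constructed copy of the table above) and reports which interface carries the default route and whether the LAN host is still on a directly connected route. The function names are hypothetical.

```python
import ipaddress

# Constructed sample: a copy of the "route print" output shown above.
ROUTE_PRINT = """\
Destination        Gateway         Metric Protocol Idx Interface Status
------------------------------------------------------------------------------
90.122.9.106/32    90.122.9.106    1      Local    -   PPP 1     UP
192.168.1.0/24     192.168.1.24    1      Local    -   ETH 2     UP
192.168.1.0/24     192.168.1.23    -      Local    -   ETH 0     OOS
0.0.0.0/0          90.122.9.106    3      Static   1   PPP 1     UP
0.0.0.0/0          192.168.1.254   -      Static   0   ETH 0     OOS
OK
"""


def parse_routes(text):
    """Turn 'route print' rows into dicts; header, ruler and 'OK' lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # A data row has 8 tokens because the interface name is two words ("PPP 1").
        if len(fields) != 8:
            continue
        dest, gateway, metric, proto, _idx, if_name, if_num, status = fields
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append({
            "network": network,
            "gateway": gateway,
            "metric": int(metric) if metric.isdigit() else None,  # "-" when OOS
            "protocol": proto,
            "interface": f"{if_name} {if_num}",
            "status": status,
        })
    return routes


def failover_state(routes, lan_host):
    """Summarise which interface carries the default route and the LAN host."""
    host = ipaddress.ip_address(lan_host)
    up = [r for r in routes if r["status"] == "UP"]
    defaults = [r for r in up if r["network"].prefixlen == 0]
    # Among default routes that are in service, the lowest metric wins.
    best = min(defaults,
               key=lambda r: r["metric"] if r["metric"] is not None else 255,
               default=None)
    # Directly connected (non-default) routes that still cover the LAN host.
    lan_via = sorted({r["interface"] for r in up
                      if r["network"].prefixlen > 0 and host in r["network"]})
    return {
        "default_via": best["interface"] if best else None,
        "lan_via": lan_via,
        "lan_direct": bool(lan_via),
        "out_of_service": sorted({r["interface"] for r in routes
                                  if r["status"] == "OOS"}),
    }


if __name__ == "__main__":
    print(failover_state(parse_routes(ROUTE_PRINT), "192.168.1.254"))
```

Dropping the ETH 2 row from the input reproduces the standard failover case described in the introduction: the default route is still PPP 1, but no in-service route covers the LAN host.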
Digi TransPort Router SMS Command Configuration Guide

Quick Note 18
Configuring a Digi TransPort router to accept CLI commands via SMS
UK Support
November 2015

Contents

1 Introduction
  1.1 Outline
  1.2 Assumptions
  1.3 Version
2 Configuration
  2.1 Obtain the phone number of the router’s SIM
  2.2 SMS Configuration
  2.3 Configuration - Network > Interfaces > Mobile
3 Example scenario
4 Monitoring
5 Configuring SMS administration from the Command line

1.1 Outline

This document contains configuration instructions for allowing a Digi TransPort router with cellular access to accept CLI commands via SMS.

To be able to accept an SMS, the router only needs GSM access to the mobile network. Even if the router has lost its GPRS/3G connection, it will normally still be contactable via SMS, assuming the mobile network cell station is still providing GSM coverage.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product, and of the requirements for their specific application.

Configuration: This application note assumes that the router will be connecting to a cellular network.

This application note applies to:

Models shown: Digi Transport WR41 router with Option 3G module.
Other Compatible Models: All Digi Transport products with a cellular module.
Firmware versions: 4.694 and above.
Configuration: This Application Note assumes the devices are set to factory default configurations.
Most configuration commands are only shown if they differ from the factory default.

1.3 Version

2.1 Obtain the phone number of the router’s SIM

Before an SMS message can be sent to the router, the phone number assigned to its SIM needs to be known.

Browse to:

Administration - Execute a command

And enter the command to send a message to the mobile phone. The syntax is as follows:

    sendsms <phonenumber> "message"

Where <phonenumber> is the mobile phone number.

NOTE: The "message" must be in quotes.

A second option is to send the message from the command line.

The mobile phone will receive the “test message” and its number will be displayed. It is now possible to send commands to the router with this number as its destination.

2.2 SMS Configuration

All cellular TransPort routers have the ability to be configured by SMS. To configure a TransPort cellular router to accept CLI commands via SMS, the following configuration will be required.

Browse to:

2.3 Configuration - Network > Interfaces > Mobile

And make the following changes.

Click Apply.

IMPORTANT:
1. Make sure to click “Add” after configuring a phone number and then click Apply.
2. Make sure to replace the leading zero in the phone number when adding the international prefix (44 in this example).

NOTE on SMS command caller ID

In the parameter SMS command caller ID, enter the MSISDN (mobile phone number) that will be issuing CLI commands to the TransPort router. This needs to include the country code but without the + sign. For example, for a UK mobile phone number 0797******* the number entered would be 447976123456.
A different MSISDN can be entered on each line.

Accepting SMS commands from any mobile number

When the SMS Command Caller ID is set to an asterisk character “*” instead of an MSISDN, the TransPort router will accept and execute CLI commands from any MSISDN.

SMS access level

The parameter SMS access level will need to match the level required by the command sent by SMS for the command to be accepted. To execute all CLI commands, this should be set to Super.

Multiple CLI commands in a single SMS

SMS Command Separator: more than one CLI command may be sent per SMS. The CLI commands need to be separated by a character that will not be used in the CLI command, e.g. %

To receive feedback on the outcome of the CLI command, the parameter SMS Replies should be set to On.

Consider an example scenario where the username and password of a PPP interface need to be changed remotely. Using the CLI the commands would be as follows:

    ppp 1 username <my-user>
    ppp 1 password <my-pass>
    config 0 save
    reboot

Assuming that the command separator has been configured as %, the SMS required would be:

    ppp 1 username my-user%ppp 1 password my-pass%config 0 save%reboot

Please note:

Concatenate replies: There is normally a limit of 160 characters per SMS, but concatenation of messages is allowed. The ETSI standard specifies a way to allow a number of SMS messages to be linked together by the sender (in this case the router). This enables the router to reply with long responses to SMS commands of longer than 160 characters.
The reply comes back as a series of linked SMS messages which the phone reassembles and displays as one big message.

To allow the TransPort router to send/receive concatenated messages, the “Concatenate replies” box must be ticked on the web interface.

SMS receipt and actions from the SMS are logged in the event logger.

Here is an excerpt from the event log after a router is sent the commands in the example scenario above from a mobile phone (0752*******).

Note: 0 replaced by 44 for UK.

The key lines from the event logger are listed below.

    12:09:25, 15 Aug 2012,PPP 1 down,Rebooting
    12:09:25, 15 Aug 2012,Par change by MODEM 0, ppp 1 username to my-user
    12:09:25, 15 Aug 2012,SMS Received: 447522954965: Ppp 1 username my-user%ppp1 password my-pass%confi,Executed

The following line from config.da0 also shows that the SMS updated the configuration.

    config last_saved_user "MODEM 0"

The following commands will configure SMS administration from the command line.

    modemcc 0 sms_interval 1
    modemcc 0 sms_callerid "447522954965"
    modemcc 0 sms_cmd_sep %
    modemcc 0 sms_access 0
    modemcc 0 sms_replies on
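The caller ID and access level settings above decide who can run CLI commands on the router by text message, so they are worth auditing alongside the event log. The following Python is an added example, not part of the original Quick Note or Digi's tooling: it flags risky SMS settings in a configuration and lists SMS-delivered commands in an event log by sender. The sample config and log are constructed from the excerpts above; the function names, the allowlist, the second sender number, matching further caller ID lines by the `sms_callerid` prefix, and reading `sms_access 0` as Super (inferred from the CLI example above) are assumptions.

```python
import re

# Constructed config: the note's CLI settings with the caller ID widened to "*".
SAMPLE_CONFIG = """\
modemcc 0 sms_interval 1
modemcc 0 sms_callerid "*"
modemcc 0 sms_cmd_sep %
modemcc 0 sms_access 0
modemcc 0 sms_replies on
"""

# Constructed event log in the format of the excerpt above; the second sender
# is a made-up number that is not on the allowlist.
SAMPLE_LOG = """\
12:09:25, 15 Aug 2012,PPP 1 down,Rebooting
12:09:25, 15 Aug 2012,Par change by MODEM 0, ppp 1 username to my-user
12:09:25, 15 Aug 2012,SMS Received: 447522954965: ppp 1 username my-user%config 0 save,Executed
12:31:02, 15 Aug 2012,SMS Received: 447700900123: ppp 1 password x%reboot,Executed
"""

PARAM = re.compile(r"^modemcc\s+(\d+)\s+(sms_\w+)\s+(.*)$")
SMS_EVENT = re.compile(r"^([^,]+), ([^,]+),SMS Received: ([^:]+): (.*),([^,]*)$")
QUOTES = '"\u201c\u201d'  # straight and typographic double quotes


def audit_config(text):
    """Return (code, detail) findings for the SMS command settings in a config."""
    findings = []
    for line in text.splitlines():
        m = PARAM.match(line.strip())
        if not m:
            continue
        inst, name, value = m.group(1), m.group(2), m.group(3).strip().strip(QUOTES)
        # Assumption: additional caller ID lines share the sms_callerid prefix.
        if name.startswith("sms_callerid"):
            if value == "*":
                findings.append(("callerid-wildcard",
                                 f"modemcc {inst}: commands accepted from any MSISDN"))
            elif value and (not value.isdigit() or value.startswith("0")):
                # The note requires country code, no "+", no leading zero.
                findings.append(("callerid-format",
                                 f"modemcc {inst}: '{value}' is not in MSISDN form"))
        elif name == "sms_access" and value == "0":
            # Assumption: 0 is the Super level, as in the note's CLI example.
            findings.append(("access-super",
                             f"modemcc {inst}: SMS senders can run every CLI command"))
    return findings


def scan_log(text, allowed, separator="%"):
    """List 'SMS Received' events and mark senders that are not on the allowlist."""
    events = []
    for line in text.splitlines():
        m = SMS_EVENT.match(line.strip())
        if not m:
            continue
        time, date, sender, body, result = (g.strip() for g in m.groups())
        events.append({
            "when": f"{date} {time}",
            "sender": sender,
            # The log may truncate the message, as in the excerpt above.
            "commands": [c.strip() for c in body.split(separator) if c.strip()],
            "result": result,
            "authorised": sender in allowed,
        })
    return events


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(code, "-", detail)
    for event in scan_log(SAMPLE_LOG, {"447522954965"}):
        print(event)
```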
WPA Enterprise Wi-Fi Client to Digi TransPort Application Note

Application Note 48
WPA Enterprise Wi-Fi Client to Digi TransPort
September 2016

Contents

1 Introduction
  1.1 Outline
  1.2 Assumptions
  1.1 Corrections
  1.2 Version
2 Digi TransPort router configuration
  2.1 Configuration overview
  2.2 LAN interface configuration
  2.3 WAN interface configuration
  2.4 Wi-Fi Access Point configuration
  2.5 DHCP “Wi-Fi only” configuration (optional)
3 Radius server configuration
  3.1 Configuration overview
  3.2 Create ZeroShell live CD
  3.3 Configure network settings
  3.4 Configure profile and save settings
  3.5 Generate CA certificate and private key
  3.6 Create remote user account
  3.7 Export remote user certificate
  3.8 Create authorized client
4 Wi-Fi client configuration
5 Additional notes
6 Testing
7 TransPort router configuration file and firmware version
  7.1 TransPort router configuration file
  7.2 TransPort router firmware version

Figures

Figure 1: Network diagram
Figure 2: LAN interface configuration
Figure 3: WAN interface configuration
Figure 4: Wi-Fi Access Point configuration
Figure 5: Set DHCP to “Wi-Fi only”
Figure 6: Save ZeroShell profile
Figure 7: Populate profile parameters
Figure 8: View / amend profile
Figure 9: Customize the CA and generate certificate / private key
Figure 10: Warning for CA setup
Figure 11: Create remote user account
Figure 12: Export remote user certificate
Figure 13: Create authorized client
Figure 14: DHCP status
Figure 15: Wi-Fi client connected

1.1 Outline

Figure 1: Network diagram

    Digi TransPort – 192.168.1.1
    Radius server – 192.168.1.150
    Radius clients – 192.168.1.100 – 192.168.1.119

This Application Note shows the steps required to configure secure access for a Wi-Fi client to a Digi TransPort router that is configured as a Wi-Fi Access Point.
Access for the client is authenticated using WPA-Enterprise (also known as WPA-802.1X) via a Radius server.

The particular example described in this document demonstrates how to connect an Android mobile phone to a Digi TransPort WR41v2 Wi-Fi Access Point, using WPA-802.1X (EAP-TLS) via a Linux-based Radius server for authentication. In Access Point mode the TransPort router acts simply as a “relay agent” between the client and the Radius server – that is, the authentication process occurs between the client and the server, with the TransPort router forwarding packets as necessary between the two devices.

To complete all of the steps shown in this Application Note, it is necessary to download the ZeroShell Linux distribution and to run it on a device that the Digi TransPort router can reach on a local test network. The example network described in this Application Note is shown in the diagram above.

Wi-Fi security is a complex subject. The following Wikipedia page contains a good overview of WPA in general, and is useful for understanding how WPA-Enterprise/802.1X and EAP-TLS fit into the overall architecture of WPA: /wiki/Wi-Fi_Protected_Access

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router and to configure it with basic routing functions.

This Application Note applies to:

Model: Digi TransPort WR41v2 with Wi-Fi option
Other Compatible Models: Digi TransPort DR64 and WR44 models with Wi-Fi option
Firmware versions: 5.123 and later
Configuration: This Application Note assumes that the devices are set to their factory default configurations.
Most configuration commands are shown only if they differ from the factory default.

1.1 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************
Requests for new application notes can be sent to the same address.

1.2 Version

2.1 Configuration overview

The TransPort router configuration requires the following steps:

∙ LAN interface configuration
∙ WAN interface configuration
∙ Wi-Fi Access Point configuration
∙ DHCP “Wi-Fi only” configuration (Optional)

On any production implementation, it is strongly recommended that some of the TransPort router’s default settings are changed. These changes should normally include, but are not limited to:

∙ Change the default usernames and passwords
∙ Change the default IP addressing scheme
∙ Configure and activate the firewall

2.2 LAN interface configuration

CONFIGURATION - NETWORK > INTERFACES > ETHERNET > ETH 0

The example configuration described in this document uses default settings for ETH 0. Therefore ETH 0 should already be configured as follows:

Figure 2: LAN interface configuration

2.3 WAN interface configuration

CONFIGURATION > NETWORK > INTERFACES > MOBILE > MOBILE SETTINGS

In this example the WR41v2 has a cellular connection as its WAN interface. This is configured as PPP 1.
If a PIN number is required for the mobile connection this will also need to be entered here. For most implementations only the APN will need to be entered:

Figure 3: WAN interface configuration

2.4 Wi-Fi Access Point configuration

CONFIGURATION > NETWORK > INTERFACES > WI-FI > WI-FI 0

Figure 4: Wi-Fi Access Point configuration

2.5 DHCP “Wi-Fi only” configuration (optional)

CONFIGURATION > NETWORK > DHCP SERVER > DHCP SERVER FOR ETHERNET 0

If DHCP is required only for Wi-Fi clients, this setting can be used to assign the DHCP pool to the Wi-Fi clients only:

Figure 5: Set DHCP to “Wi-Fi only”

3.1 Configuration overview

In this Application Note the ZeroShell Linux distribution (booted from live CD) is used to configure a Radius server for WPA authentication of the Wi-Fi clients.

The latest version of ZeroShell can be downloaded from: /eng/download/

Steps 3.2 to 3.4 below are specific to downloading and configuring ZeroShell.
Steps 3.5 to 3.8 below apply generally to configuring any Radius server.

3.2 Create ZeroShell live CD

Download the latest version of the ZeroShell server from the website above. There are a number of versions available. The “ISO image for CD” version 2.0.RC1 was used for this Application Note.

Create a CD containing this image using appropriate CD-burning software. A recommended free program for Windows is: http://cdburnerxp.se/en/home

When the CD has been created, choose an appropriate computer to act as the Radius server and boot it from the CD (it may be necessary to change the boot device order on the computer).
For this example an old laptop was used, because ZeroShell does not require especially fast computer hardware.

3.3 Configure network settings

Once the ZeroShell server has booted from the CD, a text interface is used to configure the IP address, mask and gateway and to set the admin password:

∙ Type option: <I> IP Manager
∙ Select: <M> Modify IP address
∙ Press Enter to configure the default Ethernet address: Interface [ETH00]:
∙ Press Enter once more: IP to modify [1]:
∙ Type in the IP address for this interface. For this example 192.168.1.150 was used for the server address: IP [192.168.1.1]: 192.168.1.150
∙ Type in the subnet mask to be used for this connection. For this example the default 24-bit mask is correct, so simply pressing Enter leaves the mask as the default value: Netmask [255.255.255.0]:
∙ IP Status should be showing as “up”: IP status [up]:
∙ Press Enter to return to the previous menu
∙ Type option: <G> Set Default Gateway
∙ Enter the default gateway address. For this example 192.168.1.1 was used: Default Gateway: 192.168.1.1
∙ Type option: <Q> Quit (to previous menu)
∙ Type option: <P> Change admin password
∙ If prompted for the current admin password, type in the existing password - by default this may be ‘ZeroShell’. However the default password may simply be blank, therefore it may be possible to simply press Enter when prompted for the current admin password.
∙ Enter the new password: New admin password: <NEW_PASSWORD>
∙ Confirm the new password: Confirm password: <NEW_PASSWORD>

It should now be possible to navigate to https://192.168.1.150 to begin to configure the ZeroShell server via its web interface. Log in with the username admin plus the admin password that was configured via the text interface.

3.4 Configure profile and save settings

This step ensures that the ZeroShell server’s settings can be saved to a USB flash drive or hard drive, since the live CD is read-only. ZeroShell supports the saving of profiles to disks with ext2, ext3, ReiserFS or FAT32 filesystems.
It includes an in-built formatting utility, so for example it is possible to format a USB flash drive from within the ZeroShell interface. For this example an ext3-formatted USB flash drive was used.

∙ Select Setup from the System section of the left hand menu
∙ Select Profiles
∙ Select a partition to save the profile to – it may take a short while for the drive scan to complete:

Figure 6: Save ZeroShell profile

A pop-up window will then prompt for the following parameters:

∙ Enter a Description
∙ Enter the Hostname (FQDN) of the server
∙ Enter a Kerberos 5 Realm
∙ Enter the LDAP Base
∙ Enter and confirm the Admin Password in the next two fields
∙ Select the correct Ethernet Interface (or accept the default if this is correct)
∙ Enter the IP Address/Netmask and Default Gateway
∙ Click Create

Figure 7: Populate profile parameters

Saved profiles can be activated, deactivated, deleted or backed up from the following page:

Figure 8: View / amend profile

3.5 Generate CA certificate and private key

Please note: any desired changes to the default parameters for the CA (please see lower section in Figure 9 below) need to be applied before following the steps below:

∙ Select X.509 CA from the Security section on the left hand menu
∙ Select Setup
∙ Enter the Common Name you wish to use for the CA certificate
∙ Enter the Key Size
∙ Enter the Country Name
∙ Enter the State or Province
∙ Enter the Locality
∙ Enter the Organization
∙ Enter the Operational Unit
∙ Enter the Email Address
∙ Click Generate on the right side of the web interface

Figure 9: Customize the CA and generate certificate / private key

A prompt will be seen warning that existing certificates will be deleted - click OK to proceed:

Figure 10: Warning for CA setup

It is necessary to configure one or more remote user accounts, to enable Wi-Fi clients to authenticate with the Radius server.
For this example only one remote user is configured:

∙ Select Users under the Users section of the left hand menu
∙ Click Add
∙ Enter a Username for the remote user
∙ Enter a Firstname
∙ Enter a Lastname
∙ Enter a Password then Confirm by entering it again - in this example testuserpass was used
∙ Other fields such as Description and E-Mail are optional
∙ Click Submit on the right side of the web interface

Figure 11: Create remote user account

The ZeroShell server will now provide the option to export the user certificate – please see section 3.7 below.

This example uses an Android mobile phone as the remote access client, so it is necessary to export the user certificate using the standard “.pfx” format so that it can be imported into the Android phone. The user certificate includes the Radius server’s private key in addition to the certificate itself. The file should be protected with a password, so before clicking Export please ensure that the Protected by password option is ticked as shown:

Figure 12: Export remote user certificate

This ensures that the “.pfx” file is protected by the password that was configured in the above step to create the user account. When the file is imported into the Android phone, the password will need to be entered to allow the certificate to be installed.

3.8 Create authorized client

It is necessary to add the TransPort router as an authorized client in order to allow it to communicate with the ZeroShell server, and therefore to relay authentication traffic from and to the Wi-Fi client.
Authentication between the TransPort router and the ZeroShell server is via a shared secret:

∙ Select Radius under the Users section of the left hand menu
∙ Select Authorized Clients
∙ Enter the Client Name (NAS ID) – in this example BAY24 was used
∙ Enter the IP or Subnet of the TransPort router – in this example 192.168.1.1/32 was used
∙ Enter the Shared Secret – this must be the same as the “Radius server password” that was configured in the TransPort router - in this example digitest was used
∙ Click + to add this client

Figure 13: Create authorized client

Firstly the “.pfx” file generated for the Wi-Fi client user in the section above needs to be transferred to the Android phone.

Before it is transferred the file extension must be changed from “.pfx” to “.p12” to enable the Android phone to recognise and install it.

The file transfer can be achieved in a number of ways, including via a USB cable, by email to an account that the Android phone has access to, via a network share or by using an Internet-based file storage service such as Dropbox.

Depending on the model of Android device and the version of the Android operating system, it may be necessary to ensure that the “.p12” certificate file is transferred to an “external SD card”, rather than to the phone’s internal flash memory, in order for the phone to be able to find it.

Once the “.p12” file has been transferred to the Android phone, follow the steps below. Please note that the user interface varies between models of Android device and between versions of the Android operating system.
The following screenshots are from a Samsung Galaxy S running Android version 2.2:

∙ Ensure Wi-Fi is enabled
∙ Press the Home button
∙ Press the Menu button
∙ Select Settings:
∙ Select Location and security:
∙ Select Install encrypted certificates:

The phone should find the previously transferred “.p12” file, then prompt for the password that is protecting the file.

∙ Enter the password then click OK – in this example the remote user account was created in ZeroShell with the password testuserpass, so this is the password required to access the file:
∙ The phone should confirm the certificate name and that it contains a user key, a user certificate and a CA certificate. Click OK to install it:
∙ Return to the main Settings menu, then select Wireless and network:
∙ Select Wi-Fi settings:
∙ Select the TransPort router’s Wi-Fi access point from the list of available networks:
∙ Set the EAP method to TLS, select the previously installed certificate from the drop-down list as the User certificate, enter the Identity (this is the username configured for the remote access user on the ZeroShell Radius server, in this example it is Digi_Test_User), leave the password blank then click Connect:

The Android phone should connect successfully to the Wi-Fi access point, by authenticating with the Radius server using the identity (username) plus the user certificate.

When the TransPort router is operating in Wi-Fi Access Point mode, the authentication process takes place between the Wi-Fi client and the Radius server. The TransPort router acts simply as a “relay agent” between the client and server, forwarding packets as necessary between the two devices.

During testing it was found that it was possible for the Android client to authenticate with the ZeroShell server without the user certificate.
This was achieved by setting the EAP mode to PEAP, then using the password that was set up for the remote user account in the ZeroShell server in place of the certificate (in this example the password was testuserpass).

It may be possible to force ZeroShell (or other Radius server) to authenticate via certificate only. If this is not possible with the Radius server being used, omitting the password from the Android configuration will ensure that it must authenticate using the certificate. Of course, it may be desirable in certain implementations to authenticate via password only rather than certificate.

The important point is that the TransPort router is not involved in the authentication process between the Wi-Fi client and the Radius server (although the TransPort router must authenticate itself with the Radius server, in order for the Radius server to allow it to forward authentication traffic from the client).

Therefore care should be taken to ensure that the Radius server and the client are configured correctly to ensure that the desired method of authentication is enforced.

Issuing the following command will show that the TransPort router has issued an IP address via DHCP to the Android Wi-Fi client:

dhcp 0 status
Entry: IP [192.168.1.100], hostname [], MAC [b4:07:f9:c0:88:43], expiry 20154 (mins)
OK

This information can also be seen on the following page in the web interface:

MANAGEMENT - NETWORK STATUS > DHCP STATUS

Figure 14: DHCP status

MANAGEMENT - NETWORK STATUS > INTERFACES > WI-FI

This page in the web interface shows that the Android Wi-Fi client is connected:

Figure 15: Wi-Fi client connected

The Android client should be able to access the internet through the TransPort router’s cellular data connection.

7.1 TransPort router configuration file

wifinode 0 descr "BAY Access"
wifinode 0 ssid "BAY_Access"
wifinode 0 security "wparadius"
eth 0 IPaddr "192.168.1.1"
eth 0 bridge ON
addp 0 enable ON
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 3 asyport 5
lapb 3 mux_0710 ON
lapb 4 dtemode 0
lapb 4 dlc 1
lapb 4 asyport 5
lapb 4 virt_async "mux0"
lapb 4 mux_0710 ON
lapb 5 dtemode 0
lapb 5 dlc 2
lapb 5 asyport 5
lapb 5 virt_async "mux1"
lapb 5 mux_0710 ON
lapb 6 dtemode 0
lapb 6 dlc 3
lapb 6 asyport 5
lapb 6 virt_async "mux2"
lapb 6 mux_0710 ON
ip 0 cidr ON
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
dhcp 0 IPmin "192.168.1.100"
dhcp 0 respdelms 500
dhcp 0 wifionly ON
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
ppp 0 timeout 300
ppp 1 name "W-WAN (Edge 2.5G)"
ppp 1 phonenum "*98*1#"
ppp 1 IPaddr "0.0.0.0"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipanon ON
ppp 1 r_chap OFF
ppp 3 defpak 16
ppp 4 defpak 16
modemcc 0 asy_add "mux1"
modemcc 0 info_asy_add "mux2"
modemcc 0 init_str "+CGQREQ=1"
modemcc 0 init_str1 "+CGQMIN=1"
modemcc 0 apn "internet"
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1"
modemcc 0 init_str1_2 "+CGQMIN=1"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 0 sms_interval_2 1
modemcc 0 sms_access_2 1
modemcc 0 sms_concat_2 0
ana 0 anon ON
ana 0 l1on ON
ana 0 xoton OFF
ana 0 lapdon 0
ana 0 lapbon 0
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 access 0
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
radcli 1 nasid "BAY24"
radcli 1 server "192.168.1.150"
radcli 1 epassword "PDZxU1FJVEg="
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
idigi 0 ssl ON
idigi 0 sms_optin ON

7.2 TransPort router firmware version

Digi TransPort WR41-G1T1-WV1-XX(WR41v2) Ser#:164895
Software Build Ver5.2.15.4. Jun 22 2016 04:58:22 MW
ARM Bios Ver 6.75 v41 399MHz B256-M256-F80-O100,0 MAC:00042d02841f
Async Driver Revision: 1.19 Int clk
Wi-Fi Revision: 2.0
Ethernet Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
(B)USBHOST Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
TACPLUS Revision: 1.00
MODBUS Revision: 0.00
RealPort Revision: 0.00
MultiTX Revision: 1.00
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
PYTHON Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.19
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
BRIDGE Revision: 1.1
MODEM CC (Siemens MC75) Revision: 1.4
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
PWRCTRL Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
OVPN Revision: 1.2
QDL Revision: 1.0
WiMax Revision: 1.0
iDigi Revision: 2.0
TransPort Main Mode IPsec IKEv1 VPN User Manual

Quick Note 061
Main Mode IPsec IKEv1 VPN from TransPort to StrongSwan using Preshared key
22 August 2017

1 Introduction
1.1 Introduction
1.2 Network Diagram
1.3 Outline
1.4 Assumptions
1.5 Corrections
1.6 Version
2 TransPort Configuration
2.1 Local Ethernet Interface Configuration
2.1 WAN interface configuration
2.1 Tunnel Configuration
2.1.1 Phase 1 Settings
2.1.2 Phase 2 settings
2.2 Configure users
3 StrongSwan Configuration
3.1 Configure Ethernet Interfaces
3.1.1 WAN Interface
3.1.2 Local Interface
3.2 Install StrongSwan
3.3 Configure StrongSwan
3.3.1 IPsec VPN Configuration
3.4 Start/Restart the StrongSwan IPsec daemon
4 Check Tunnel Status
4.1 Digi TransPort
4.2 StrongSwan
5 Testing
5.1 TransPort side
5.2 StrongSwan side
6 TransPort Configuration

1 Introduction

1.1 Introduction

This document describes how to configure a VPN IPsec tunnel between a Digi TransPort WR and a StrongSwan server using Main Mode, IKEv1 and pre-shared key authentication.

1.2 Network Diagram

[Diagram: TransPort WR Router and StrongSwan]

1.3 Outline

This guide details the steps involved in configuring a Digi TransPort router to act as an IPsec VPN client to a StrongSwan appliance configured as an IPsec VPN server using Main Mode, IKEv1 and pre-shared key authentication. This example assumes that neither device is behind a NAT box.

1.4 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router and configure it with basic routing functions.

This application note applies to:

Model: Digi TransPort WR11/21/31/41/44
Firmware versions: WR21: 5.2.17.10 and later
Configuration: This document assumes that the devices are set to their factory default configurations. Most configuration commands are shown only if they differ from the factory default.

Please note: This application note has been specifically rewritten for the specified firmware versions and later but will work on earlier versions of firmware. Please contact ********************* if you require assistance in upgrading the firmware of the TransPort WR routers.

1.5 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************
Requests for new application notes can be sent to the same address.

1.6 Version

2 TransPort Configuration

2.1 Local Ethernet Interface Configuration

Navigate to Configuration – Network > Interfaces > Ethernet > Ethernet 0

2.1 WAN interface configuration

In this example, the mobile interface will be used as the WAN interface on which the IPsec tunnel will be established.

Navigate to:
Configuration – Network > Interfaces > Mobile

Please note: If required, enter a SIM PIN and Username/Password for this SIM card and APN.

2.1 Tunnel Configuration

Open a web browser to the IP address of the TransPort WR21 router.

2.1.1 Phase 1 Settings

Navigate to:
Configuration – Network > Virtual Private Network (VPN) > IKE > IKE 0

2.1.2 Phase 2 settings

Navigate to:
Configuration – Network > Virtual Private Network (VPN) > IPsec > IPsec 0 – 9 > IPsec 0

Click Apply

2.2 Configure users

Navigate to Configuration - Security > Users > User 0-9 > User 9

Here the pre-shared key is configured using the WAN IP address of the StrongSwan. The username value should therefore match the Peer ID set in the IPsec configuration above:

3 StrongSwan Configuration

3.1 Configure Ethernet Interfaces

3.1.1 WAN Interface

Configure the WAN interface for the StrongSwan Server. In this example, the Ethernet interface used for WAN is called ens33

root@ubuntu:/home/digi# ifconfig ens33 192.168.1.118
root@ubuntu:/home/digi# ifconfig ens33 netmask 255.255.255.0
root@ubuntu:/home/digi# route add default gw 192.168.1.254 ens33

3.1.2 Local Interface

Configure the Local interface for the StrongSwan Server. In this example, the Ethernet interface used for LAN is called enx00249b09ef56

root@ubuntu:/home/digi# ifconfig enx00249b09ef56 100.10.10.2
root@ubuntu:/home/digi# ifconfig enx00249b09ef56 netmask 255.255.255.0

3.2 Install StrongSwan

Depending on the Linux distribution, the installation of StrongSwan might differ. In this document, Ubuntu is used. Please refer to for further installation instructions. The easiest way to install StrongSwan is via the “apt-get install strongswan” CLI command:

digi@ubuntu:~$ sudo apt-get install strongswan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libstrongswan libstrongswan-standard-plugins strongswan-charon
strongswan-libcharon strongswan-starter
Suggested packages:
libstrongswan-extra-plugins libcharon-extra-plugins
The following NEW packages will be installed:
libstrongswan libstrongswan-standard-plugins strongswan strongswan-charon strongswan-libcharon strongswan-starter
0 upgraded, 6 newly installed, 0 to remove and 59 not upgraded.
Need to get 3,731 kB of archives.
After this operation, 16.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 /ubuntu xenial-updates/main amd64 libstrongswan amd64 5.3.5-1ubuntu3.4 [1,398 kB]
Get:2 /ubuntu xenial-updates/main amd64 strongswan-libcharon amd64 5.3.5-1ubuntu3.4 [1,241 kB]
Get:3 /ubuntu xenial-updates/main amd64 strongswan-starter amd64 5.3.5-1ubuntu3.4 [742 kB]
Get:4 /ubuntu xenial-updates/main amd64 strongswan-charon amd64 5.3.5-1ubuntu3.4 [55.6 kB]
Get:5 /ubuntu xenial-updates/main amd64 libstrongswan-standard-plugins amd64 5.3.5-1ubuntu3.4 [267 kB]
Get:6 /ubuntu xenial-updates/main amd64 strongswan all 5.3.5-1ubuntu3.4 [27.1 kB]
Fetched 3,731 kB in 12s (307 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libstrongswan.
(Reading database ... 175214 files and directories currently installed.)
Preparing to unpack .../libstrongswan_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking libstrongswan (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-libcharon.
Preparing to unpack .../strongswan-libcharon_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-libcharon (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-starter.
Preparing to unpack .../strongswan-starter_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-starter (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan-charon.
Preparing to unpack .../strongswan-charon_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking strongswan-charon (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package libstrongswan-standard-plugins.
Preparing to unpack .../libstrongswan-standard-plugins_5.3.5-1ubuntu3.4_amd64.deb ...
Unpacking libstrongswan-standard-plugins (5.3.5-1ubuntu3.4) ...
Selecting previously unselected package strongswan.
Preparing to unpack .../strongswan_5.3.5-1ubuntu3.4_all.deb ...
Unpacking strongswan (5.3.5-1ubuntu3.4) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libstrongswan (5.3.5-1ubuntu3.4) ...
Setting up strongswan-libcharon (5.3.5-1ubuntu3.4) ...
Setting up strongswan-starter (5.3.5-1ubuntu3.4) ...
Setting up strongswan-charon (5.3.5-1ubuntu3.4) ...
Setting up libstrongswan-standard-plugins (5.3.5-1ubuntu3.4) ...
Setting up strongswan (5.3.5-1ubuntu3.4) ...

Please note: All commands have to be used in elevated or super user mode. For ease of configuration, this document will use the root user (not recommended). In most cases, using “sudo” in front of each command will provide the expected result.

3.3 Configure StrongSwan

3.3.1 IPsec VPN Configuration

The IPsec configuration of StrongSwan is done via 2 main files (when using pre-shared keys as in this example):

- ipsec.conf : Used for Phase 1 (IKE) and Phase 2 IPsec configuration
- ipsec.secrets : Used for pre-shared keys

In this example, the following Phase 1 settings will be used:

- AES (128 bit)
- SHA 1
- MODP Group 2
- Main Mode

In this example, the following Phase 2 settings will be used:

- AES (128 bit)
- SHA 1
- No PFS
- ID Types : IPv4
- Preshared Keys

3.3.1.1 ipsec.conf

Edit the ipsec.conf file using a text editor such as vi:

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret

conn peer1-peer2
    left=192.168.1.118
    leftsubnet=100.10.10.0/24
    leftfirewall=yes
    right=%any
    rightallowany=yes
    rightsubnet=10.0.0.0/24
    auto=start
    closeaction=restart
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    type=tunnel
    keyingtries=%forever

Type :wq to save and close.

3.3.1.2 ipsec.secrets

Edit the ipsec.secrets file using a text editor such as vi:

192.168.1.118 : PSK "digidigi"
192.168.1.23 : PSK "digidigi"

Type :wq to save and close.

3.4 Start/Restart the StrongSwan IPsec daemon

Once the files are modified, the changes will only take effect after reloading the StrongSwan daemon. To do so, issue the following command:

root@ubuntu:/home/digi# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...

4 Check Tunnel Status

4.1 Digi TransPort

Navigate to Management – Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec Tunnels 0 – 9 > IPsec Tunnels 0-9

Via CLI:

sastat
Command: sastat
Command result
IPsec SAs (total:1). Eroute 0 -> 49
Outbound V1 SAs
SPI       Eroute  Peer IP        Rem. subnet     Loc. subnet  TTL    KBytes Left  VIP
c3b444ae  0       192.168.1.118  100.10.10.0/24  10.0.0.0/24  28648  0            N/A
Inbound V1 SAs
SPI       Eroute  Peer IP        Rem. subnet     Loc. subnet  TTL    KBytes Left  VIP
6eb46719  0       192.168.1.118  100.10.10.0/24  10.0.0.0/24  28648  0            N/A
Outbound V2 SAs
List Empty
Inbound V2 SAs
List Empty
OK

4.2 StrongSwan

root@ubuntu:/home/digi# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-28-generic, x86_64):
uptime: 29 seconds, since Aug 22 06:25:17 2017
malloc: sbrk 1486848, mmap 0, used 344640, free 1142208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
192.168.1.118
100.10.10.2
Connections:
peer1-peer2: 192.168.1.118...%any,0.0.0.0/0,::/0 IKEv1
peer1-peer2: local: [192.168.1.118] uses pre-shared key authentication
peer1-peer2: remote: uses pre-shared key authentication
peer1-peer2: child: 100.10.10.0/24 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
peer1-peer2[1]: ESTABLISHED 22 seconds ago, 192.168.1.118[192.168.1.118]...192.168.1.23[192.168.1.23]
peer1-peer2[1]: IKEv1 SPIs: 6eb06982e84e8679_i 208d286522e19369_r*, pre-shared key reauthentication in 54 minutes
peer1-peer2[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer1-peer2{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5e3c54_i 6eb4671a_o
peer1-peer2{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
peer1-peer2{1}: 100.10.10.0/24 === 10.0.0.0/24

5 Testing

To test the tunnel, send a ping from each side of the tunnel to the remote end’s Ethernet interface.

5.1 TransPort side

Command: ping 100.10.10.2 -e0
Command result
Pinging Addr [100.10.10.2]
sent PING # 1
PING receipt # 1 : response time 0.00 seconds
Iface: PPP 1
Ping Statistics
Sent : 1
Received : 1
Success : 100 %
Average RTT : 0.00 seconds
OK

5.2 StrongSwan side

root@ubuntu:/home/digi# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=250 time=2.30 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=250 time=1.30 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=250 time=1.56 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=250 time=1.28 ms
64 bytes from 10.0.0.1: icmp_seq=5 ttl=250 time=1.35 ms
64 bytes from 10.0.0.1: icmp_seq=6 ttl=250 time=1.38 ms
^C
--- 10.0.0.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5010ms
rtt min/avg/max/mdev = 1.287/1.532/2.304/0.358 ms

6 TransPort Configuration

eth 0 IPaddr "10.0.0.1"
addp 0 enable ON
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
ip 0 cidr ON
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 descr "StrongSwan"
eroute 0 peerip "192.168.1.118"
eroute 0 peerid "192.168.1.118"
eroute 0 ourid "192.168.1.23"
eroute 0 ouridtype 3
eroute 0 locip "10.0.0.0"
eroute 0 locmsk "255.255.255.0"
eroute 0 locipifadd 1
eroute 0 remip "100.10.10.0"
eroute 0 remmsk "255.255.255.0"
eroute 0 ESPauth "SHA1"
eroute 0 ESPenc "AES"
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa 2
eroute 0 enckeybits 128
dhcp 0 respdelms 500
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
sntp 0 server ""
ppp 0 timeout 300
ppp 1 name "W-WAN"
ppp 1 phonenum "*98*1#"
ppp 1 username "username"
ppp 1 epassword "KD5lSVJDVVg="
ppp 1 IPaddr "0.0.0.0"
ppp 1 timeout 0
ppp 1 do_nat 2
ppp 1 ipsec 1
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 r_chap OFF
ppp 3 defpak 16
ppp 4 defpak 16
web 0 prelogin_info ON
ike 0 encalg "AES"
ike 0 keybits 128
ike 0 authalg "SHA1"
ike 0 ikegroup 2
ike 0 noresp ON
ike 0 deblevel 4
ike 0 debug ON
ana 0 anon ON
ana 0 l2on OFF
ana 0 l3on OFF
ana 0 xoton OFF
ana 0 lapdon 0
ana 0 lapbon 0
ana 0 ikeon ON
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
cmd 0 rcihttp ON
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 name "192.168.1.118"
user 9 epassword "PDZxU0FFQFU="
user 9 access 4
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
cloud 0 clientconn ON
cloud 0 ssl ON
OK
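The Phase 1 and Phase 2 settings chosen in section 3.3.1 (SHA 1, MODP Group 2, no PFS, a wildcard peer and a short pre-shared key) are the kind of values a configuration review should surface before such a tunnel goes into production. The following is an added example, not code from the application note or from the strongSwan project: a small auditor for ipsec.conf and ipsec.secrets, run here on the two files from sections 3.3.1.1 and 3.3.1.2 re-typed as constructed samples. The weak-algorithm lists and the 20-character PSK threshold are assumptions standing in for local policy.

```python
import re

# Constructed sample: the ipsec.conf from section 3.3.1.1, with indentation restored.
SAMPLE_CONF = """\
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret

conn peer1-peer2
    left=192.168.1.118
    leftsubnet=100.10.10.0/24
    leftfirewall=yes
    right=%any
    rightallowany=yes
    rightsubnet=10.0.0.0/24
    auto=start
    closeaction=restart
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    type=tunnel
    keyingtries=%forever
"""
# Constructed sample: the ipsec.secrets from section 3.3.1.2.
SAMPLE_SECRETS = '192.168.1.118 : PSK "digidigi"\n192.168.1.23 : PSK "digidigi"\n'

WEAK_DH = {"modp768", "modp1024", "modp1536"}   # DH groups 1, 2 and 5
LEGACY_ALGS = {"des", "3des", "md5", "sha1"}    # assumption: local policy list
MIN_PSK_LEN = 20                                # assumption: local policy threshold


def parse_ipsec_conf(text):
    """Return {conn_name: params}, with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # section header starts at column 0
            current = sections.setdefault(" ".join(line.split()[:2]), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **params} for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def proposal_tokens(value):
    """Split 'aes128-sha1-modp1024,aes256-sha256!' into one token list per proposal."""
    return [p.strip().lower().split("-") for p in value.rstrip("!").split(",") if p.strip()]


def audit_conn(name, params):
    """Return (conn, setting, message) findings for one merged connection."""
    findings = []
    if params.get("keyexchange", "").lower() == "ikev1":
        findings.append((name, "keyexchange", "IKEv1 negotiated; IKEv2 is its successor"))
    for key in ("ike", "esp"):
        for tokens in proposal_tokens(params.get(key, "")):
            for tok in tokens:
                if tok in WEAK_DH:
                    findings.append((name, key, f"weak Diffie-Hellman group {tok}"))
                elif tok in LEGACY_ALGS:
                    findings.append((name, key, f"legacy algorithm {tok}"))
            # In ipsec.conf, PFS is requested by naming a DH group in the esp proposal.
            if key == "esp" and not any(re.fullmatch(r"(modp|ecp|curve|x)\d\w*", t) for t in tokens):
                findings.append((name, key, "no DH group in esp proposal, so no PFS"))
    if params.get("authby") in ("secret", "psk") and params.get("right") == "%any":
        findings.append((name, "right", "PSK authentication offered to any peer address"))
    return findings


def audit_secrets(text):
    """Flag short pre-shared keys without ever echoing the key itself."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r'\s*(.*?)\s*:\s*PSK\s+"(.*)"\s*$', line)
        if m and len(m.group(2)) < MIN_PSK_LEN:
            findings.append((m.group(1), "PSK", f"line {n}: key is only {len(m.group(2))} characters"))
    return findings


def audit(conf_text, secrets_text=""):
    findings = []
    for name, params in parse_ipsec_conf(conf_text).items():
        findings += audit_conn(name, params)
    return findings + audit_secrets(secrets_text)


if __name__ == "__main__":
    for where, setting, message in audit(SAMPLE_CONF, SAMPLE_SECRETS):
        print(f"[{where}] {setting}: {message}")
```

Any proposal change made on the StrongSwan side has to be mirrored in the TransPort IKE 0 and IPsec 0 settings, otherwise the tunnel will not negotiate.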
WR11 Router Test Guide

Test a WR11 Router
How to test a WR11 router step by step.
Technical Support
December 2018

1 Introduction
1.1 Outline
1.2 Assumptions
1.3 Corrections
1.4 Version
2 Physical Configuration
2.1 Equipment Required
2.1.1 Diagram
3 Step by Step Instructions
3.1 Install FlashWriter
3.2 Download the .ALL file:
3.3 Make the initial connections
3.4 Launch FlashWriter
3.5 Reviewing Flashwriter error messages
4 Check LEDs
4.1 Check Service LED
5 Check USB Bus
6 Check W-WAN connectivity
6.1 Test SIM detection switch
6.2 Test SIM 1
6.3 Test SIM 2
7 Check W-WAN Signal Strength
8 Check ETH port

1 Introduction

1.1 Outline

Should it happen that the boot loader becomes corrupted on a WR11 product, it is possible for an end user to re-load the boot loader by following this guide.

The symptoms of a corrupted boot loader are usually as follows. When applying the power, the only LED to illuminate is the power LED. It is also possible that other “unusual” LED patterns may occur depending upon how “damaged” the boot loader is.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application.

This quick note applies only to:
Model: Digi Transport WR11

1.3 Corrections

Requests for corrections or amendments to this documentation are welcome and should be addressed to: *********************
Requests for new quick notes can be sent to the same address.

1.4 Version

2 Physical Configuration

2.1 Equipment Required

A PC running a Microsoft Windows TM based operating system.

1. A PC connected to the Internet running a Microsoft Windows TM operating system.
4. An Ethernet switch/hub to connect the PC to the WR11 (usually your normal office Ethernet switch/hub will be fine if there is a spare port)
5. CAT 5 cables to connect the WR11 and PC to the Ethernet switch.

2.1.1 Diagram

The following diagram represents how the equipment will be connected during the repair process:

[Diagram: WR11 with broken boot loader (with Reset Button), Internet, Office Ethernet switch (LAN), PC running Microsoft Windows TM, Ethernet links]

The internet connection is not essential but may be useful during troubleshooting. It is essential that the PC’s Ethernet communication interface is configured correctly (e.g. it has an IP address). Also note that the Ethernet switch/hub used must have spanning tree protocol disabled.

3 Step by Step Instructions

3.1 Install FlashWriter

Install the latest version of FlashWriter from the following link:
/support/firmware/FlashWriter.msi

3.2 Download the .ALL file:

Download the following zip file to your PC and extract all the contents to a single folder:
/support/firmware/transport/flashwriter/latest/wr11-flashwriter-x.x.x.x.zip
Click: /support/firmware/transport/flashwriter/latest/
where X.X.X.X is the current firmware version.

3.3 Make the initial connections

1. Connect the WR11’s Ethernet (LAN 0) port to your “office network”.
2. Ensure the PC is also connected to the same “office network”.

3.4 Launch FlashWriter

Launch Flashwriter from the start menu. Select “ETH” as the communications port number. Leave the other settings at their default values (TFTP and Event driven mode ONLY ticked):

Click Load

If your PC has more than one network adapter, be sure to select the one that represents the connection to “Office Network” illustrated in 0.

If your PC only has a single network adapter this screen will not appear:

In the file dialogue, select the “ALL” file you extracted from the ZIP earlier:

And click “Open”.

The following message will appear:

It is critical that the correct selection is made at this point.

Note 1: Since FlashWriter version 1.0.525 characters 6 and 7 are included in the W-WAN module name, see above.

Note 2: characters 6 and 7 of the part number (SKU) on the approval label. In the example below these are “L7”:

Refer to the following table to determine which selection to make:

After programming in the W-WAN counter and other options, next the .ALL file will start to load:

1. After reboot and checks, the following message should be displayed:

This means the WR11 has been successfully recovered.

At this stage the following hardware components (and more) have been successfully tested:

∙ FLASH
∙ SDRAM
∙ SRAM
∙ ETHERNET 0
∙ Interface to radio module

3.5 Reviewing Flashwriter error messages

If during the previous session an error occurred, please check the table below for the recommended course of action:

4 Check LEDs

The POWER LED should be illuminated when the device is turned on. If there is an LED fault, please request an RMA with code:
“POWER LED failure”

The SIGNAL LED will be illuminated after 1-2 minutes from boot if the cellular module is working and configured properly. If the device obtains an IP address but the LED is faulty, please request an RMA with code:
“SIGNAL LED failure”

4.1 Check Service LED

Connect the Ethernet port to a switch.

Access the CLI (Command Line Interface) – this can be achieved:

∙ Via a telnet or SSH connection
∙ Via the “execute a command” page of the web user interface.

Issue the “flashleds” command and check that the SERVICE LED is illuminated/blinking. If there is an LED fault please request an RMA with code:
“SERVICE LED failure”

5 Check USB Bus

Check that the W-WAN module is shown on the USB BUS of the unit.

Access to the CLI (Command Line Interface) – this can be achieved:

∙ Via a telnet or SSH connection
∙ Via the “execute a command” page of the web user interface.

And issue the following command:

busb show

2 devices should normally be present:

∙ Device in “BUS 1, dev1, depth 0”
∙ Device in “BUS 2, dev1, depth 1” (This is the radio module, if it is missing, the module may be mid power cycle, wait a few seconds and issue that command again. The text of this will vary based upon the type of module fitted.)

If the device in BUS 2, dev1, depth 0 is not present, please request an RMA with code:
“Cellular module not shown on USB BUS”

6 Check W-WAN connectivity

6.1 Test SIM detection switch

With the router powered off, insert a SIM card into BOTH SIM slots of the WR44V2 and open the CLI interface.

Access to the CLI (Command Line Interface) – this can be achieved:

∙ Via a telnet or SSH connection
∙ Via the “execute a command” page of the web user interface.

Issue the following command:

simconn ?

This command tells you which SIM slots are populated and also the SIM that is currently in use. The value before the comma is SIM 1 and the value after the comma is SIM 2. 1000 means that the SIM is present. 1001 means that the SIM is present and the active SIM. Here is a summary:

1 = SIM not present
1000 = SIM present
1001 = SIM present and connected

The output should be as follows:

simconn ?
simconn: 1001,1000
OK

Showing that SIM 1 is present and active and SIM 2 is present.

If the SIM cards are physically inserted but do not show as present please request an RMA with reason “SIM DETECTION FAIL”

6.2 Test SIM 1

Ensure that an antenna (or both if using an LTE unit) is connected and the router is located in an area with good signal strength.

Navigate to:
Configuration - Network > Interfaces > Advanced > PPP 1 > Mobile
Change “W-WAN SIM:” from “Any” to “SIM 1”
Click Apply.

Next navigate to
Configuration - Network > Interfaces > Mobile
And select SIM 1
Under “Mobile Settings”
Enter the correct APN for the SIM card installed in slot 1
Click Apply.

Navigate to:
Management - Connections > PPP Connections > PPP 1
Wait for up to 5 minutes and check for a valid IP address
You may need to refresh the page for the new address to appear (click on >PPP 1)

If a valid IP address is NOT found, please download the debug.txt and email this to Digi Technical Support (*********************) or open a case at /support/eservice/ for assistance.

Instructions on how to extract the debug.txt can be found in the following application note:
/support/documentation/QN_024_Extracting%20the%20debug.txt%20file%20from%20a%20Digi%20TransPort%20or%20Sarian%20router.pdf

6.3 Test SIM 2

Navigate to:
Configuration - Network > Interfaces > Advanced > PPP 1 > Mobile
Change “W-WAN SIM:” from “SIM 1” to “SIM 2”
Click Apply.

Next navigate to
Configuration - Network > Interfaces > Mobile
And select SIM 2
And under “Mobile Settings”
Enter the correct APN for the SIM card installed in slot 2
Click Apply

Now Navigate to:
Management - Connections > PPP Connections > PPP 1
Click “Drop Link” and refresh the page by clicking >PPP 1
You may need to wait up to 5 minutes
A valid IP address for SIM 2 should be seen – Notice it is different to the one assigned for SIM 1

If a valid IP address is NOT found, please download the debug.txt and email this to Digi Technical Support (*********************) or open a case at /support/eservice/ for assistance.

Instructions on how to extract the debug.txt can be found in the following application note:
/support/documentation/QN_024_Extracting%20the%20debug.txt%20file%20from%20a%20Digi%20TransPort%20or%20Sarian%20router.pdf

7 Check W-WAN Signal Strength

Whilst the internet link is still connected from step 5, access the CLI (Command Line Interface).

Access to the CLI (Command Line Interface) – this can be achieved:

∙ Via a telnet or SSH connection
∙ Via the “execute a command” page of the web user interface.

And issue the following command:

modemstat ?

Check that the signal strength is roughly what you normally get (+/- 10dB) with the same antenna in the test location.

If the signal strength is much worse than normal, make a note of the cell ID (lac:00DF ci:01B0BD51 in above example) and repeat the test on a known working WR11 that contains the same type of radio module in the same location. Ensure the known working WR11 is connected using the same antenna and connects to the same cell ID (lac:00DF ci:01B0BD51 in above example). If it does and the signal strength is much better (+ 10dB) than the suspected bad router, request an RMA from Digi technical support with code: “Cellular signal strength low”

8 Check ETH port

Note that it is not necessary to test Eth port 0. This was tested during the flashing process. However, if you observe intermittent issues, it might be necessary to run several tests.

Configure eth port 0 with a valid and free IP address on the same subnet as your test PC, e.g.

eth 0 ipaddr 10.1.208.11

From your PC, first clear the ARP table by issuing this command from the Windows command prompt:

arp -d *

Then check that you can ping this IP address. If an intermittent issue is observed, let the ping run for a longer period (-t option).

If it is not possible to ping this address and if you repeat this test on a known good WR11 and it works fine, please request an RMA with code “ETH 0 test failed”.
Digi TransPort LR54 Product Family Version 3.1.0.4 Production Firmware Release Notes

Release Notes (93000809)
Digi TransPort LR Product Family
Version 3.1.0.4 – October, 2017

INTRODUCTION

This is a production firmware release for the Digi Transport LR product family.

SUPPORTED PRODUCTS

Digi TransPort LR54 WiFi, LTE
Digi TransPort LR54 LTE
Digi TransPort LR54 LTE FIPS

SUPPORTED WEB BROWSERS

The following web browsers are supported with the web interface. The latest version and the previous version of each browser have been tested.

∙ Google Chrome
∙ Firefox
∙ Microsoft Internet Explorer 11
∙ Microsoft Edge

IMPORTANT NOTICE

In the 1.5.0 release, the on-demand state has been obsoleted. This state setting will now map into the on state. The on-demand state was useful when a higher priority Ethernet WAN would failover to a cellular WAN. When on demand, the cellular connection would remain unconnected until the network failover occurred. This capability had narrow usefulness and was removed to reduce complexity.

In the 1.4.0 release, the firewall rules were re-organized. The router will now automatically install rules necessary to ensure the correct operation of the device. As a result, the policy rules for the INPUT and FORWARD chains are now always configured to DROP.

If you previously reconfigured the INPUT or FORWARD chain policies to ACCEPT, by upgrading to 1.4.0 or a later release, you will lose access to the router unless you have specific firewall rules to allow traffic to be received or forwarded by the router.

For security reasons, Digi does not recommend that you accept all traffic incoming on WAN interfaces. If you do need to add a rule to allow access, the following commands can be used:

firewall -A INPUT -j ACCEPT
firewall -A FORWARD -j ACCEPT
save config

For more information on the firewall, please consult the TransPort LR User Guide.

If you have any questions, please contact Digi Technical Support (*********************)

KNOWN ISSUES

1. WPA2-Enterprise and WPA Mixed-mode Enterprise security are currently only supported in a single LAN [TLR-3817].
2. The “show ipsec” CLI command does not parse certain advanced ipsec settings properly and may return ERROR instead. This is a cosmetic issue [TLR-4136].
3. TransPort LR devices cannot be managed by Digi Remote Manager’s Profile Manager if profiles have site-specific settings [TLR-4788].
4. When configuring a WAN interface with 'probe-interval' and 'timeout', the 'probe-interval' must be less than the timeout interval, otherwise the default route may disappear [XOS-250].
5. A fully qualified domain name (FQDN) cannot be used to configure a WAN interface “probe-host” [TLR-4908].
6. When changing a WAN interface “probe-host”, the device needs to be rebooted for the change to take effect [XOS-356].

RECOMMENDED CONFIGURATION CHANGES

Digi recommends that the following configuration changes are made in order to ensure the correct operation of the TransPort LR device.

1. Update the WAN 2 and 3 failover parameters when using SIM to SIM failover.

wan 2 timeout 320
wan 2 retry-after 600
wan 3 timeout 320
wan 3 retry-after 600

HISTORY

3.1.0.4 – October, 2017

ENHANCEMENTS

1. Python 3.6.1 support
2. QoS support
3. GRE Support
4. VRRP support
5. RADIUS server support

BUG FIXES

1. Patching to address IPsec CVE-2017-11185 [TLR-7169]
2. Patching to address DNS security vulnerabilities CVE-2017-13704, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496 [TLR-7262]
3. The “show eth” or “show eth port” operation status always down [TLR-7264]

3.0.0.5 – August, 2017

ENHANCEMENTS

1. IPv6 support
2. OpenVPN support
3. Verizon Dynamic Mobile Network Routing (DMNR) support

BUG FIXES

1. Can’t import exported Remote Manager settings [TLR-5544]
2. Automatically add firewall rules for IPsec tunnels [TLR-6008]

1.5.0.5 – June, 2017

ENHANCEMENTS

1. New user-friendly Firewall IP filtering support
2. Watchdog for greater system reliability
3. Ability to send system and event logs to Syslog server(s)

BUG FIXES

1. Sporadic loss of Cellular Connectivity [TLR-5673, TLR-6079, TLR-5834, TLR-6394]

1.4.0.8 – April, 2017

ENHANCEMENTS

1. Support for Port forwarding has been added.
2. Support for an easy way to allow access for SSH and HTTPS over WAN interfaces has been added.
3. SIM PIN support has been added.
4. The Web UI has the following new pages
a. Event log viewer
b. File Management

BUG FIXES

1. An issue where the device would not reconnect to the Digi Remote Manager if the connection was lost has been resolved.
2. An issue where some saved configuration changes were being lost over a reboot has been resolved.
3. An issue with the Getting Started Wizard Digi Remote Manager page has been resolved so that the correct group is displayed.

1.3.0.12 – January, 2017

ENHANCEMENTS

1. The Traffic Analyzer feature has been added that allows the user to capture traffic on the Ethernet, Cellular and Wi-Fi interfaces, view the traffic on the CLI and save it as a pcapng format file that is compatible with Wireshark.
2. The “show tech-support” command has been added to allow the user to easily capture all of the information needed by the Digi Tech Support team when diagnosing issues.
3. The “show dhcp” command has been added to allow the DHCP server status to be displayed.
4. Traceroute support has been added
5. The Web UI has the following new pages
a. Dashboarder configuration
c. IPsec tunnel configuration
d. Digi Remote Manager configuration
e. Reboot

BUG FIXES

1. An issue with the web server that could cause it to crash has been resolved.
2. A cellular MTU issue has been resolved so that the MTU is automatically set for the connected carrier’s network.
3. An issue with default routes not being automatically added when Ethernet interface comes up has been resolved.
4. An issue where a Read-Only user could write to files using SFTP/SCP has been resolved.
5. Various Web UI pages have been updated to resolve minor issues.

1.2.1.4 – November, 2016

ENHANCEMENTS

There are no enhancements in this release.

BUG FIXES

1. Verizon disconnect issue
2. The “Skip Wizard” button would redirect the user to initial Getting Started Wizard page instead of the Dashboard.
3. Getting Started Wizard would show an invalid firmware image on the firmware update page.

1.2.0.10 – October, 2016

ENHANCEMENTS

Our development team has worked hard to deliver the following new features and enhancements:

1. Auto-carrier selection based on SIM for AT&T, Verizon and T-Mobile
2. Wi-Fi Alliance certification
3. Cellular modem firmware update
4. Improved Getting Started Wizard
5. Vastly improved web interface

BUG FIXES

1. Various.

1.1.0.6 – July, 2016

Initial production release.

1.0.0.4 – May, 2016

Internal release.
DIGI SNMP Client and MIB File User Guide
Quick Note 17
MIB file creation and basic usage with SNMP clients
September 2016

1 Introduction
2 Version
2.1 Corrections
3 Supported MIBs
4 SNMP Configuration
4.1 Setting up Router Specific ID information
4.2 Checking the SNMP enterprise values.
5 Get the MIB file from the TransPort
5.1 Firmware Version 5212 or later
5.2 Firmware Version up to 5202
5.2.1 Get the MIB data from the TransPort
5.2.2 Generating the MIB file
6 The basics of using MIB files with SNMP
7 Configuration and Firmware/Hardware
7.1 Configuration File
7.2 Hardware and Firmware

This guide details the steps involved in generating a .MIB file for use with an SNMP client.

This guide has been written for technically competent personnel who are familiar with the use of DIGI hardware and understand the use of SNMP.

Whilst this guide is carried out using the web interface only, it is perfectly feasible to carry out each stage at the command line; these commands will be highlighted at the relevant places.

2.1 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************

Requests for new application notes can be sent to the same address.

As well as the Device Generated MIB, described in this quick note, DIGI Transport devices also support the Sarian-Monitor MIB and a number of standard MIBs. A list of supported standard MIBs is provided below.
The Sarian Monitor MIB has a restricted set of parameters that you can poll any DIGI Transport device with to retrieve statistics relating to WWAN, Config, PPP and System parameters.

The DIGI Transport range of routers supports a number of standard MIBs as well as DIGI Transport MIBs, described above, these MIBs are listed below:

The following standard MIBs are supported:
SNMP MIB (RFC3418)
Interfaces MIB (RFC2233)*
IP MIB (RFC2011)
IP Forwarding Table MIB (RFC2096)
TCP MIB (RFC2012)
UDP MIB (RFC2013)
VRRP MIB (RFC2787)
SNMP MPD MIB (RFC3412)
SNMP USM MIB (RFC3414)**

* The following groups/tables in RFC2233 are not supported: ifXTable, ifStackTable, ifRcvAddressTable
** The following groups/tables in RFC3414 are not supported: usmUserTable

DIGI supported MIBs:
Device Generated MIB
Sarian-Monitor MIB

Please note: The Device Generated MIB described in this Quick Note is a MIB that is specific to the serial number, firmware release, firmware build and model number of the unit it was generated from. If the firmware is updated a new MIB file will need to be generated. The same MIB file generated on one router cannot be used on another router, even if the hardware is identical.

4.1 Setting up Router Specific ID information

When polling the router, it is possible to have the SNMP application be able to identify the device by a unique name and provide location and contact information.

Navigate to Configuration > System > Device Identity and set up the details, but enter information that relates to you:

Figure 1: Optional System Information Configuration

Next click ‘Apply’ at the bottom of the page, and then save the new configuration to flash.

If configuring this option via a terminal session the commands used are listed below:

snmp 0 name <Name to identify your router>
snmp 0 contact <Name of contact>
snmp 0 location <Location of device>

4.2 Checking the SNMP enterprise values.

Check the SNMP Enterprise number and name.
Navigate to Configuration > System > General and check the miscellaneous section, the highlighted settings below should be as default:

Figure 2: Enterprise number and name entry

Where <enterprise #> is the SNMP enterprise number and <enterpriseName> is the SNMP enterprise name specific to the installation.

Please note: If the default enterprise number and name shown above is changed and it is intended to use the Sarian-Monitor MIB, the values in the Sarian-Monitor MIB file will also need changing to the details specific to the installation:

sarian OBJECT IDENTIFIER ::= { enterprises 16378 }
sarian-monitor OBJECT IDENTIFIER ::= { sarian 10000 }

For example, if using enterprise number 23134 and enterprise name digitransport, change the above to:

digitransport OBJECT IDENTIFIER ::= { enterprises 23134 }
sarian-monitor OBJECT IDENTIFIER ::= { digitransport 10000 }

Then save the file and reload into the SNMP management system.

Please Note: If the enterprise number is changed, the Digi Transport will need to be rebooted for the new value to take effect.

Please Note: Whenever the Enterprise name and Number are changed, these must be identical and consistent across all MIBs generated or loaded into the management system. If the values in either of the DIGI Transport MIBs correspond with other MIB values in the organisation, the responses received may not be correct when polling through the devices via the SNMP management system. Using the defaults above should not lead to any such conflicts.

5.1 Firmware Version 5212 or later

Since firmware version 5212, the MIB file is automatically generated and it can be directly downloaded from the device. Find below an example of downloading the MIB file for a WR21 via an FTP client:

5.2 Firmware Version up to 5202

In older releases (up to and including 5202) the MIB file needs to be manually generated following the steps described in this section.

5.2.1 Get the MIB data from the TransPort

The next step is to get the DIGI Transport to output the MIB data.
Navigate to the Administration - Execute a command page and type ‘MIB print’ in the text box. Then click ‘Execute’.

Figure 3: Mibprint example

If connected to a terminal session then the same command can simply be issued at the command prompt (listed below):

mibprint

An example of the output received from the web interface when the command has been input is listed below.

Figure 4: Mibprint output

The output is large. It should be copied into a text file and saved into a folder for use in the next step.

Please note: If using Firefox web browser this is done slightly differently. Right click on the frame containing the output, select This frame → View Frame Source (as shown below), then copy and paste from the window that is opened.

When pasting the output into a text file, make sure that the output retains its formatting with carriage returns <CR>. If the output is pasted and has wrapping enabled or is all on one line, the rest of this procedure will fail.

Figure 5: How to save the output

5.2.2 Generating the MIB file

In order to generate the MIB file from the text file, download the correct MIB.exe file from the DIGI website. This can be found at: /downloads/mibexe

Please note: There are two versions of the MIB.exe file, MIB1exe.zip and MIB2.exe.zip.
MIB1exe.zip should be used for firmware versions up to 4832
MIB2exe.zip should be used for firmware releases after 4832

Each .zip file includes a copy of the Sarian-Monitor MIB file that should work for most DIGI Transport devices.

When the zip is downloaded, extract it to the same folder where the text file is saved. Open the command prompt and browse to the folder containing the MIB2exe.exe file and the previously created text file. Use the MIB2exe.exe file to generate the .MIB file from the text file. The command is listed below:

MIB2exe.exe <text file name>.txt <new MIB file name>.MIB

Where <text file name> is the name of the text file and <new MIB file> is the name of the .MIB file being created.
In the example below both values are WR41. An example of the typical output for this can be seen below.

Figure 6: Compile the MIB

This will have generated a .MIB file in the folder in which the MIB2exe.exe and the initial .txt file were stored. This can then be used with an SNMP client.

Please note: The same device with a different firmware revision and/or different features enabled will need a different MIB file creating; this is due to additional features that may be available on different units and the unique values attributed to firmware version, firmware build and model number that form part of the initial MIB tree.

In order to monitor the device with an SNMP client, SNMP users need to be configured. Navigate to Configuration - Remote Management > SNMP > SNMP Users > SNMP User 0.

The below example uses the community name: Public.

Figure 7: Setup the community string

If you also want to change configuration settings, you need to set the SNMP user access to read and write as in the example above.

Once this has been set, use a MIB client to poll the DIGI Transport device for required information.
Usually in the MIB browser client you need to set the IP address of the TransPort and the community name:

Below is a screenshot of the output of a get for the Device Identity settings that have been set up for this device.

- In the left hand pane, the tree that the MIB tool has built from the MIB that was generated above.
- In the middle pane, a query for OIDs related to SNMP configuration is performed and results are shown
- The results show what we have configured in previous sections

Figure 8: Example reading an OID from TransPort

The MIB file can also be used to set a value for a specific OID with an SNMP SET; the example below shows how to change the SNMP name configured above.

If the SNMP user has also been configured with read and write access, the SET will succeed:

And performing another SNMP GET on this OID, the result will be the new value:

7.1 Configuration File

This is the configuration used for the purpose of this Quick Note. The CLI commands relevant for the configuration of SNMP are highlighted:

eth 0 IPaddr "192.168.1.1"
addp 0 enable ON
lapb 0 ans OFF
lapb 0 tinact 120
lapb 1 tinact 120
lapb 3 dtemode 0
lapb 4 dtemode 0
lapb 5 dtemode 0
lapb 6 dtemode 0
ip 0 cidr ON
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
dhcp 0 IPmin "192.168.1.100"
dhcp 0 respdelms 500
dhcp 0 mask "255.255.255.0"
dhcp 0 gateway "192.168.1.1"
dhcp 0 DNS "192.168.1.1"
sntp 0 server ""
snmp 0 name "DIGI Transport Router SNMP Demo"
snmp 0 contact "*********************"
snmp 0 location "Munich, DE"
snmpuser 0 eCommunity "CCp0VkxP"
snmpuser 0 access "rw"
ppp 0 timeout 300
ppp 1 name "W-WAN"
ppp 1 phonenum "*98*3#"
ppp 1 username "username"
ppp 1 epassword "KD5lSVJDVVg="
ppp 1 IPaddr "0.0.0.0"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 r_chap OFF
ppp 3 defpak 16
ppp 4 defpak 16
web 0 prelogin_info ON
web 0 showgswiz ON
ftpcli 0 hostname ""
ftpcli 0 directory "support/firmware/transport/MC7354_carrier_firmware"
modemcc 0 info_asy_add 4
modemcc 0 apn "none"
modemcc 0 link_retries 30
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 apn_2 "none"
modemcc 0 link_retries_2 30
modemcc 0 stat_retries_2 30
modemcc 0 sms_interval_2 1
modemcc 0 sms_access_2 1
modemcc 0 sms_concat_2 0
ana 0 l1on ON
ana 0 lapdon 0
ana 0 asyon 1
ana 0 logsize 45
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "digi.router"
cmd 0 asyled_mode 2
cmd 0 tremto 1200
cmd 0 rcihttp ON
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 2 access 0
user 3 access 0
user 4 access 0
user 5 access 0
user 6 access 0
user 7 access 0
user 8 access 0
user 9 access 0
local 0 transaccess 2
sslsvr 0 certfile "cert01.pem"
sslsvr 0 keyfile "privrsa.pem"
ssh 0 hostkey1 "privSSH.pem"
ssh 0 nb_listen 5
ssh 0 v1 OFF
cloud 0 ssl ON

7.2 Hardware and Firmware

Here are the Firmware and Hardware details of the WR21 used in the testing of this QN:

Digi TransPort WR21-L42B-DE1-XX Ser#:212303
Software Build Ver5.2.11.4. Jun 5 2015 04:39:32 WW
ARM Bios Ver 7.42u v43 454MHz B987-M995-F80-O8140,0 MAC:00042d039f68
Async Driver Revision: 1.19 Int clk
Ethernet Port Isolate Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
Timer Module Revision: 1.1
(B)USBHOST Revision: 1.0
L2TP Revision: 1.10
PPTP Revision: 1.00
TACPLUS Revision: 1.00
MODBUS Revision: 0.00
RealPort Revision: 0.00
MultiTX Revision: 1.00
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
X25 Switch Revision: 1.7
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
TELITUPD Revision: 1.0
SCRIBATSK Revision: 1.0
BASTSK Revision: 1.0
PYTHON Revision: 1.0
CLOUDSMS Revision: 1.0
TCP (HASH mode) Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 5.2
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
BRIDGE Revision: 1.1
MODEM CC (SIERRA LTE) Revision: 5.2
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
PWRCTRL Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
SSH Client Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.2
OVPN Revision: 1.2
TEMPLOG Revision: 1.0
QDL Revision: 1.0
Digi Transport Router Software Upgrade and VPN License Options Guide
Quick Note 038
Upgrade Software options and/or VPN Licenses on a Digi Transport router.
November 2016

1 Introduction
1.1 Assumptions
2 Version
3 Configuration
3.1 Upload licence file to the router
3.1.1 Upload license file via FTP
3.1.2 Upload license file using the File Editor from the web GUI
3.1.3 Upload license file via xmodem
3.2 Verify license key installation
3.2.1 Verify using the web GUI
3.2.2 Verify using CLI

1.1 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi Transport router.

This guide also assumes that a licence file has been received further to purchasing upgrade options from Digi. Please contact a Digi Sales Representative for further details on how to buy options for Digi Transport routers.

This application note applies only to:
Model: DIGI Transport WR41/44/21
Firmware versions: 5.169 and later

Please note: This application note has been specifically rewritten for firmware release 5.169 and later and will not work on earlier versions of firmware. Please contact ********************* if you require assistance in upgrading the firmware of the Transport router.

3.1 Upload licence file to the router

Example content of a license file:

<digi_license>
<license number="1">
<unit>213123</unit>
<option>WR21-SW-B1XE1</option>
<option>CTR_0_10</option>
<option>CTR_3_1</option>
<option>CTR_1_1</option>
<option>CTR_1_64</option>
</license>
<signature>13258bbbbaef4022e8091fa4b9d1eb2f123e991</signature>
</digi_license>

3.1.1 Upload license file via FTP

Open an FTP connection to the Transport router that you wish to update.
FileZilla is used in this example.

Transfer the file received (in .lic format) to the root directory of the Transport.

Please note: It is important that the file name does not exceed the 8.3 file format and that the file type is kept, as the Transport router will be searching for any file name with a .lic extension to read the licence information.

3.1.1.1 Reboot the router
Administration – Reboot
Once the file is uploaded, reboot the router.

3.1.1.2 Write configuration to flash
Administration – Save Configuration
Once the router is rebooted, navigate to the Save Configuration page and click Save All.
After the success message, reboot the router once again.

3.1.2 Upload license file using the File Editor from the web GUI

Open the received license file with a text editor and copy the content.

Administration – File Management > File Editor
Paste the content of the license file into the file editor box.
Double click on the drop down menu; this will allow you to type the file name. Enter, for example, test.lic

Please note: It is important that the file name does not exceed the 8.3 file format and that the file type is kept, as the Transport router will be searching for any file name with a .lic extension to read the license information.

Click save file.

3.1.2.1 Reboot the router
Administration - Reboot
Reboot the router.

3.1.2.2 Write configuration to flash
Administration – Save Configuration
Once the router is rebooted, navigate to the Save Configuration page and click Save All.
After the success message, reboot the router once again.

3.1.3 Upload license file via xmodem

Use an xmodem compatible terminal application such as Tera Term (http://ttssh2.sourceforge.jp/).

xmodem file upload can be done via either:
- SSH
- Telnet
- Serial connection

In this example, Telnet will be used.

Open a Telnet connection to the router.

Please note: If using Serial, TransPort default serial port settings are 115 200 8N1 and no flow control.

Log in using an account with access level SUPER and type xmodem test.lic (or the filename of the license file you received) to initiate xmodem file transfer.

Please note: It is important that the file name does not exceed the 8.3 file format and that the file type is kept, as the Transport router will be searching for any file name with a .lic extension to read the license information.

The router is now waiting for the program to send the file. Navigate to File>Transfer>Xmodem>Send and select the license file.

Select the license file and click Open. A file upload box will appear; when the upload is complete, it will close automatically.

If the file transfer was successful, the router should display an “OK” message. To verify that the file is on the router, send the command: type test.lic
It will show the content of the file.

3.1.3.1 Reboot the router
To reboot the router, send the command: reboot now

3.1.3.2 Write configuration to flash
Once the router is rebooted, send the command: config 0 saveall
After the OK message, reboot the router once again.

3.2 Verify license key installation.

Verify the license key installation for the 3 following options:
- WR41/44 IPsec tunnels upgrade
- WR21 upgrade from Basic to Enterprise
- WR41 encryption upgrade

3.2.1 Verify using the web GUI

3.2.1.1 IPsec Tunnels upgrade
Configuration – Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels
In this example, the TransPort router has been upgraded to 50 IPsec tunnels (PN: WR-SW-5T50). The new IPsec tunnels are now available in the web interface.

3.2.1.2 WR21 Basic to Enterprise
Configuration – Network
In this example, the Transport router was converted from Basic to Enterprise (PN: WR21-SW-B1XE1). The Virtual Private Networking menu is now available in the web interface.

3.2.1.3 WR41, No encryption to with encryption
Configuration – Network > Virtual Private Network (VPN) > IPsec > IPsec Tunnels > IPsec 0-9 > IPsec 0
In this example, the Transport router was upgraded with encryption (PN: WR41-SW-A1XV1).
The tunnel encryption options are now available in the web interface.

3.2.2 Verify using CLI

3.2.2.1 IPsec Tunnels upgrade
Send the following command: eroute ?
(If the command result still shows EROUTE <0…4> (5 tunnels by default), the upgrade was not successful.)

3.2.2.2 WR21 Basic to Enterprise
Send the following command: ati5
The part number of the WR21 will show the Enterprise upgrade:
- WR21-XXXX-X B X-XX : Basic
- WR21-XXXX-X E X-XX : Enterprise
- The following command: eroute ? can also be used to verify that the IPsec tunnels are now available. (If ERROR is received, the upgrade was not successful.)

3.2.2.3 WR41, No encryption to with encryption
Send the following commands:
  eroute 0 espenc ?      (check the current encryption on IPsec tunnel 0)
  eroute 0 espenc null   (set the encryption on IPsec tunnel 0 to none)
  eroute 0 espenc des    (set the encryption on IPsec tunnel 0 to DES)
  eroute 0 espenc aes    (set the encryption on IPsec tunnel 0 to AES)
This command will show an OK result. The encryption upgrade was successful.
If the upgrade was not successful, an ERROR result will be shown after each command.
Digi TransPort debug.txt Extraction Guide
Quick Note 24
Extracting the debug.txt file from a TransPort
Digi Technical Support
February 2016

1 Introduction
2 Version
3 FTP method
3.1 FTP Using FileZilla FTP Client
3.2 FTP using Firefox web browser
3.3 FTP Using Internet Explorer web browser
4 HTTP (WEB interface) method
4.1 Using Directory Listings
5 Using “Execute a command”
6 Using Windows Telnet CLIENT
7 Using PuTTY

The debug.txt output is particularly useful because it collates technical and configuration information about the router in a single file or output stream. Digi technical support will frequently request this file/output to aid in troubleshooting.

If the debug.txt file is not present, then it will not be possible to extract the file; the TransPort firmware may need to be updated.

This guide details the different methods and steps involved in extracting the debug.txt file from a TransPort.

The HTTP (web interface) method is generally recommended, as it only requires a web browser. In case the TransPort’s web interface is inaccessible, alternative methods, such as FTP and Telnet, are offered.

NOTE: Local Ethernet IP addresses are used in these examples.
Depending on the TransPort’s configuration, the mobile IP address can also be used.

3.1 FTP Using FileZilla FTP Client

Make an FTP connection to the TransPort and “drag” the debug.txt file to the PC’s hard drive.

3.2 FTP using Firefox web browser

Make an FTP connection by typing the IP address of the TransPort prefixed with “ftp://”, for example, ftp://192.168.1.1 (the default Ethernet IP address is used here).

Enter the login details for the TransPort and click “OK”.

Right click the “debug.txt” file, click “Save Link As”, and then save the file somewhere convenient.

3.3 FTP Using Internet Explorer web browser

Make an FTP connection by typing the IP address of the TransPort prefixed with “ftp://”, for example, ftp://192.168.1.1 (the default Ethernet IP address is used here).

Enter the login details for the TransPort and click “Log on”.

Right click the “debug.txt” file, click “Save target as”, and then save the file somewhere convenient.

4.1 Using Directory Listings

From the TransPort web interface, navigate to Administration - File Management > FLASH Directory

Right click the “debug.txt” file, click “Save link as”, and then save the file somewhere convenient.

NOTE: The Chrome web browser is used in this example. In other browsers, the menu option may be slightly different.
For example, Internet Explorer says “Save target as”.

From the TransPort web interface, navigate to Administration - Execute a command

Enter the following command:

type debug.txt

Click the ‘Execute’ button.
Wait a few seconds for the data to populate below.
Look for “[ENDCFG]” and then “OK” at the very bottom to confirm that no data is missing.
Copy and paste the data in a text editor such as Microsoft Notepad.

NOTE: The debug.txt file is quite large, so it may be necessary to increase the scroll back buffer in telnet to make it large enough to capture the full file.

Do this as follows:
Click on the C:\ icon and select “Properties”.
Next click “Layout” and set the Screen Buffer Size Height to its maximum.
Click “OK”.

Next, Telnet to the TransPort’s IP address.
Enter the username and password when prompted.
Once connected, issue the following command:

type debug.txt

This is a small excerpt from the output, which will be a large file.

To copy the file, right-click on the page and select “Mark” from the drop-down menu, then starting at the bottom of the page highlight the text and hit “enter”.
Paste the data in a text editor such as Microsoft Notepad.

PuTTY.exe is a free terminal emulator that can be used to Telnet or SSH to a TransPort to obtain the debug.txt file.

Set up PuTTY to log “all session output” and specify a location (“c:\” for example) to save the log file:

Input the IP address of the TransPort, select either Telnet or SSH, and then click “Open”:

Type “type debug.txt” then hit Enter:

The “[ENDCFG]” and “OK” entries confirm that no data is missing:

PuTTY may now be closed. The resulting putty.log file should contain the debug.txt output.
Cisco GRE over IPSEC Application Note (September 2020)
Application Note 37
GRE over IPSEC with a Cisco Router
September 2020

1 Introduction
1.1 Outline
1.2 Assumptions
1.3 Corrections
1.4 Version
2 Configuration
2.1 Configuration of PPP 1
2.2 Configuration of IKE
2.3 Configuring the Eroute
2.4 Configuration of TUN 0
2.5 Configuration of route 0
3 Testing
3.1 Checking the IPSEC tunnel
3.2 Check the routing table
3.3 Check the Statistics on TUN 0
3.4 Ping Check from the TransPort router to remote
4 Configuration Files
4.1 TransPort router Configuration Files
4.2 TransPort router Firmware Versions
4.3 Configuration Files from other devices
4.4 Firmware\Hardware Information from other devices

1.1 Outline

This document describes how to configure the TransPort router to establish a GRE tunnel connection to a Cisco router with IPSEC encryption. This solution would be used in a situation where a routing protocol such as OSPF is required, as the GRE tunnel will be used to route the multicast packets. An IPSec tunnel secures the traffic between the 2 routers.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product, and of the requirements for their specific application.

Configuration: This application note assumes that the WR41 will be connecting to a cellular network (i.e. GPRS, EDGE, 3G, HSDPA or HSUPA).

This application note applies to:
Models shown: Digi Transport WR41
Other Compatible Models: All other Digi Transport products.
Firmware versions: All Versions newer than 5130

Please note: This application note has been specifically rewritten for firmware release 5.123 and later but the original application note was tested and working for routers running earlier firmware and the previous GUI.
Routers running earlier firmware will find that the screen shots do not accurately reflect what will be seen on those older routers.

Configuration: This Application Note assumes the devices are set to their factory default configurations. Most configuration commands are only shown if they differ from the factory default.

It is assumed in this document that the TransPort router already has a working internet connection.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: *********************

Requests for new application notes can be sent to the same address.

1.4 Version

2.1 Configuration of PPP 1

This section will detail the changes needed to be made to PPP 1. It is assumed that the TransPort router has already been configured with a working internet connection on PPP 1.

Navigate to:
Configuration - Network > Interfaces > Advanced > PPP 0 - 9 > PPP 1

Enable IPsec on this interface

2.2 Configuration of IKE

This section will detail the changes needed to be made to IKE.
These settings are the equivalent of the Cisco Crypto configuration, configure the Cisco accordingly.

Navigate to:
Configuration - Network > Virtual Private Networking (VPN) > IPsec > IKE > IKE 0

2.3 Configuring the Eroute

This section covers configuring the Eroute used to encrypt the GRE packets.
These settings are the equivalent of the Cisco Crypto configuration, configure the Cisco accordingly.

Navigate to:
Configuration - Network > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels > IPsec 0

This section shows the changes to the GRE Tunnel interface configuration.
These settings are the equivalent of the Cisco Loopback interface configuration, configure the Cisco accordingly.

Navigate to:
Configuration - Network > Interfaces > GRE > Tunnel 0

This section shows the changes needed to be made to the routing table. This is so the router knows to route the traffic to the remote network over the GRE tunnel.
A static route back to the WR41’s LAN will need adding to the Cisco.

Navigate to:
Configuration - Network > IP Routing/Forwarding > Static Routes > Route 0

After clicking Apply, follow the link that appears and save the configuration to flash.

3.1 Checking the IPSEC tunnel

Firstly check the IPSEC tunnel has come up on the TransPort router.

Navigate to:
Management - Connections > Virtual Private Networking (VPN) > IPsec > IPsec Tunnels

The output should look similar to this below:

3.2 Check the routing table

This stage will show the output of the routing table, either use a serial or Telnet connection, or alternatively from the Web interface navigate to Administration - Execute a command and do the following:

Type route print then press enter, the output should look like the following:

route print
------------------------------------------------------------
Interface Addresses:
--------------------
PPP 1: 10.171.173.217
ETH 0: 10.49.206.1
TUN 0: 172.16.2.2
Routes:
-------
# IP Address Mask Metric Interface Gateway
Dynamic Routes:
10.49.206.1 255.255.255.0 1 ETH 0
172.16.2.2 255.255.255.252 1 TUN 0
Static Routes:
1: 10.5.0.0 255.255.255.0 1 TUN 0
Default Routes:
0: 0.0.0.0 0.0.0.0 1 PPP 1
------------------------------------------------------------

3.3 Check the Statistics on TUN 0

Use a serial or Telnet connection, or alternatively from the Web interface navigate to Administration - Execute a command and do the following:

Type tunstat 0 then press enter, the output should look like the following:

tunstat 0
Tun 0 stats:
Admin Status Up
Oper Status Up
IP Address 172.16.2.2
Mask 255.255.255.252
Source 4.4.4.1
Destination 3.3.3.1
Tx Packets 155646
Tx Bytes 7471008
Tx Errors 0
Tx Discards 0
Rx Packets 0
Rx Bytes 0
Rx Errors 0
Rx Unknown Protocols 0
Keepalives Sent 155
Keepalives Rcvd 153
OK

3.4 Ping Check from the TransPort router to remote

This stage will send a ping packet over the tunnel, either use a serial or Telnet connection, or alternatively from the Web interface navigate to Administration - Execute a command and do the following:

Type ping 10.5.0.1 -e0 then press enter, the output should look like the following:

Ping 10.5.0.1 -e0
Pinging Addr [10.5.0.1]
sent PING # 1
PING receipt # 1 : response time 0.17 seconds
Iface: TUN 0
Ping Statistics
Sent : 1
Received : 1
Success : 100 %
Average RTT : 0.17 seconds
OK

4.1 TransPort router Configuration Files

This is the configuration file from the TransPort router:

eth 0 IPaddr "10.49.206.1"
route 0 IPaddr "10.5.0.0"
route 0 ll_ent "tun"
def_route 0 ll_ent "ppp"
def_route 0 ll_add 1
eroute 0 peerip "217.24.123.25"
eroute 0 peerid "cisco"
eroute 0 ourid "wr41"
eroute 0 ouridtype 1
eroute 0 locip "4.4.4.1"
eroute 0 locmsk "255.255.255.255"
eroute 0 remip "3.3.3.1"
eroute 0 remmsk "255.255.255.255"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "DES"
eroute 0 ltime 8000
eroute 0 lkbytes 0
eroute 0 authmeth "PRESHARED"
eroute 0 nosa "TRY"
eroute 0 autosa 1
dpd 0 okint 120
dpd 0 failint 5
dpd 0 inact 60
dpd 0 maxfail 3
ppp 0 timeout 300
ppp 1 r_chap OFF
ppp 1 IPaddr "0.0.0.0"
ppp 1 phonenum "*98*1#"
ppp 1 timeout 0
ppp 1 use_modem 1
ppp 1 aodion 1
ppp 1 autoassert 1
ppp 1 ipsec 1
ppp 1 ipanon ON
ppp 3 defpak 16
ppp 4 defpak 16
ike 0 aggressive ON
modemcc 0 info_asy_add 5
modemcc 0 init_str "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn "internet"
modemcc 0 link_retries 10
modemcc 0 stat_retries 30
modemcc 0 sms_interval 1
modemcc 0 sms_access 1
modemcc 0 sms_concat 0
modemcc 0 init_str_2 "+CGQREQ=1,0,0,0,0,0"
modemcc 0 init_str1_2 "+CGQMIN=1,0,0,0,0,0"
modemcc 0 apn_2 "Your.APN.goes.here"
modemcc 0 link_retries_2 10
modemcc 0 stat_retries_2 30
modemcc 1 link_retries 10
cmd 0 unitid "ss%s>"
cmd 0 cmdnua "99"
cmd 0 hostname "ss.2000r"
cmd 0 tremto 3000
cmd 1 gpson 1
cmd 3 cfilton 1
user 0 name "Sarian"
user 0 epassword "EA0iCxQc"
user 0 access 0
user 1 name "username"
user 1 epassword "KD5lSVJDVVg="
user 1 access 0
user 8 name "cisco"
user 8 epassword "NDpiV0BFSQ=="
local 0 transaccess 2
scep 0 app "pkiclient.exe"
tun 0 IPaddr "172.16.2.2"
tun 0 mask "255.255.255.252"
tun 0 source "4.4.4.1"
tun 0 dest "3.3.3.1"
tun 0 kadelay 10
tun 0 descr "Tunnel to Cisco"

4.2 TransPort router Firmware Versions

This is the firmware \ hardware information from the TransPort router:

Digi TransPort WR41 HSDPA/3G Router Ser#:56691 HW Revision: 4405a
Software Build Ver5130. Apr 04 2007 11:15:57 YW
ARM Bios Ver 6.06 v31 200MHz B64-M64-F80-O100,0 MAC:00042d00dd73
Power Up Profile: 0
Async Driver Revision: 1.19 Int clk
Ethernet Driver Revision: 1.11
Firewall Revision: 1.0
EventEdit Revision: 1.0
SHIM Revision: 1.0
Timer Module Revision: 1.1
L2TP Revision: 1.10
LAPB Revision: 1.12
X25 Layer Revision: 1.19
MACRO Revision: 1.0
PAD Revision: 1.4
V120 Revision: 1.16
TPAD Interface Revision: 1.12
GPS Revision: 1.0
ARM Sync Driver Revision: 1.18
TCP Revision: 1.14
TCP Utils Revision: 1.13
PPP Revision: 1.18
WEB Revision: 1.5
SMTP Revision: 1.1
FTP Client Revision: 1.5
FTP Revision: 1.4
IKE Revision: 1.0
PollANS Revision: 1.2
PPPOE Revision: 1.0
MODEM CC (Novatel 3G) Revision: 1.3
FLASH Write Revision: 1.2
Command Interpreter Revision: 1.38
SSLCLI Revision: 1.0
OSPF Revision: 1.0
BGP Revision: 1.0
QOS Revision: 1.0
RADIUS Client Revision: 1.0
SSH Server Revision: 1.0
SCP Revision: 1.0
CERT Revision: 1.0
LowPrio Revision: 1.0
Tunnel Revision: 1.1
OK

4.3 Configuration Files from other devices

Current configuration : 1895 bytes
!
hostname cisco
!
!
username wr41 password 0 XXXX
!
aaa new-model
!
!
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key letmein hostname wr41
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set my_enc_config esp-des esp-md5-hmac
!
crypto dynamic-map mydynmap 1
 set transform-set my_enc_config
!
crypto map mymap1 20 ipsec-isakmp dynamic mydynmap
!
interface Loopback3
 ip address 3.3.3.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.2.1 255.255.255.252
 ip ospf mtu-ignore
 tunnel source Loopback3
 tunnel destination 4.4.4.1
!
interface Ethernet0
 ip address 10.5.0.1 255.255.255.0
 full-duplex
!
interface FastEthernet0
 ip address 217.24.123.25 255.255.255.240
 speed auto
 crypto map mymap1
!
ip classless
ip route 0.0.0.0 0.0.0.0 217.24.123.29
ip route 4.4.4.1 255.255.255.255 FastEthernet0
ip route 10.49.206.0 255.255.255.0 Tunnel0
!
radius-server authorization permit missing Service-Type
!

4.4 Firmware\Hardware Information from other devices

cisco 1720 (MPC860T) processor (revision 0x501) with 41780K/7372K bytes of memory.
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T
c1700-k9sy7-mz.122-15.T.bin
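The following check is an added example and is not part of the Digi document. It parses the "entity instance parameter value" lines of the section 4.1 listing, flags the single-DES, MD5 and aggressive-mode-with-pre-shared-key settings that listing contains, and verifies that each GRE tunnel's source and destination fall inside an eroute's local and remote selectors, so that the tunnel traffic is matched by the IPsec tunnel. The function names and finding strings are assumptions of this example; the sample input is constructed from lines of the listing.

```python
import ipaddress
import re

# Constructed sample: crypto-relevant lines copied from the section 4.1 listing.
SAMPLE = '''eroute 0 locip "4.4.4.1"
eroute 0 locmsk "255.255.255.255"
eroute 0 remip "3.3.3.1"
eroute 0 remmsk "255.255.255.255"
eroute 0 ESPauth "MD5"
eroute 0 ESPenc "DES"
eroute 0 authmeth "PRESHARED"
ike 0 aggressive ON
tun 0 source "4.4.4.1"
tun 0 dest "3.3.3.1"'''
SELECTOR = {"locip", "locmsk", "remip", "remmsk"}

def parse(text):
    """Group 'entity instance parameter value' lines by (entity, instance)."""
    cfg = {}
    for raw in text.splitlines():
        m = re.match(r'^(\w+)\s+(\d+)\s+(\w+)\s+(.+)$', raw.strip())
        if m:
            ent, inst, key, val = m.groups()
            cfg.setdefault((ent, int(inst)), {})[key] = val.strip('"')
    return cfg

def covers(ip, net, mask):
    """True if ip lies inside the eroute selector net/mask."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def audit(cfg):
    """Return findings for weak IPsec settings and GRE endpoints outside every selector."""
    out = []
    eroutes = {i: p for (e, i), p in cfg.items() if e == "eroute"}
    for i, p in eroutes.items():
        if p.get("ESPenc", "").upper() == "DES":
            out.append(f"eroute {i}: ESP encryption is single DES")
        if p.get("ESPauth", "").upper() == "MD5":
            out.append(f"eroute {i}: ESP authentication is MD5")
    psk = any(p.get("authmeth", "").upper() == "PRESHARED" for p in eroutes.values())
    for (e, i), p in cfg.items():
        if e == "ike" and psk and p.get("aggressive", "").upper() == "ON":
            out.append(f"ike {i}: aggressive mode with a pre-shared key")
        if e == "tun" and {"source", "dest"} <= p.keys():
            sels = [r for r in eroutes.values() if SELECTOR <= r.keys()]
            if not any(covers(p["source"], r["locip"], r["locmsk"])
                       and covers(p["dest"], r["remip"], r["remmsk"]) for r in sels):
                out.append(f"tun {i}: GRE endpoints not inside any eroute selector")
    return sorted(out)
```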
Digi TransPort® WR Series: enterprise-class, multi-function cellular network routers

Specifications | Digi TransPort® WR44 RR | Digi TransPort® WR44/WR44 R | Digi TransPort® WR41 | Digi TransPort® WR21

Wireless Interfaces - WWAN**
GSM/CDMA Gobi (U8) | GSM and CDMA supported on the same module via Gobi diversity; UMTS/HSPA/HSPA+ (850/900/1700 AWS/1800/1900/2100 MHz with Rx Diversity); EV-DO Rev A (800/1900 MHz with Rx Diversity); Transfer Rate (max): 5.76 Mbps Up, 14.4 Mbps Down
LTE - Verizon (coming soon) (L2) | 700 MHz, Verizon LTE; Fall back to CDMA 850/1900 MHz; Transfer rate (max): 50 Mbps Up, 100 Mbps Down
LTE - AT&T (coming soon) (L3) | 700 MHz / AWS, GSM LTE; 3G fall back to HSPA 850/AWS/1900/2100 MHz; 2G fallback to 850/900/1800/1900 MHz; Transfer rate (max): 50 Mbps Up, 100 Mbps Down
Edge (E1) | N/A | GPRS/EDGE Class 10; 850/900/1800/1900 MHz; Transfer rate (max): 236 Kbps Up/Down
CDMA 450 (Cx) | N/A | 450 MHz; R-UIM support; Transfer rate (max): 1.8 Mbps Up, 3.1 Mbps Down
CDMA 1xRTT (Bx) | N/A | 800/1900 MHz; Transfer rate (max): 153 Kbps up/down
Connector | 2 x 50 Ω TNC (Center pin: female) | U8, L2, & L3 variants: 2 x 50 Ω SMA (Center pin: female); E1, Cx, Bx variants: 1 x 50 Ω SMA (Center pin: female)
SIM Slots | 2
SIM Security | SIM slot cover plate | SIM slot cover plate included with WR44 R; Optional on WR44 | Optional SIM slot cover plate

Wireless Interfaces - Wi-Fi*
Standard | 802.11b/g/n | 802.11b/g; 802.11b/g/n (coming soon) | Option of 802.11b/g or 802.11b/g/n | N/A
Modes | Access point, Client and support for multiple SSID
Transmit Power | 17 dBm ± 2 dBm | 20 dBm + 1.0/-1.5 dBm | 17 dBm ± 2 dBm
Receive Sensitivity | 54 Mbps OFDM, 10% PER, -70 dBm, 11 Mbps CCK, 8% PER, -83.5 dBm | 54 Mbps / <-72 dBm and 11 Mbps / -90 dBm | 54 Mbps / -70 dBm and 11 Mbps / -83.5 dBm
Security | Open or shared key authentication; WEP (64 and 128 bit) encryption; WPA/WPA2 with Radius (WPA Enterprise and pre-shared keys)
Connector | 1 x 50 Ω RP-TNC (Center pin: male) | 2 x 50 Ω RP-SMA (Center pin: male)

Wireless Interfaces - GPS*
Channels | 50 | N/A
Sensitivity | -163 dB
Protocol | NMEA 0183 V2.3 sentence output; +3.3 VDC active antenna drive; NMEA stream to local serial port or over TCP/IP
Navigation | Galileo ready
Augmentation | SBAS
Cold Start | < 27 seconds TTFF (90%)
Horizontal Accuracy | < 2.5 meters (90%)
Velocity Accuracy | 0.1 m/s
Connector | 1 x 50 Ω RP-TNC (Center pin: male) | 1 x 50 Ω SMA (Center pin: female)

Wireless Interfaces - Other
XBee | N/A
Satellite | N/A

Wired Interfaces - Serial
Ports | 1 | 1; Expansion cards available to increase serial ports | 1
Standard | RS-232; Expansion cards available in RS-422/RS-485 | Option of RS-232 or RS-232/422/485
Async/Sync | Async | Async; Expansion cards available in sync
DTE/DCE | DCE
Signal Support | TXD, RXD, RTS, CTS, GND | TXD, RXD, RTS, CTS, DTR, DCD, DSR, RI | TXD, RXD, RTS, CTS, DTR, DCD | TXD, RXD, RTS, CTS, DTR, DCD, DSR, RI
Flow Control | Software (XON/XOFF), Hardware supported
COM Port Redirector | RealPort®
Connector | 5-pin A-coded M12 female | DB-9 | RJ-45 | DB-9

Wired Interfaces - Ethernet
Ports | 4 | 1 | Option of 1 or 2
Standard | IEEE 802.3
Physical Layer | 10/100 Base-T
Data Rate | 10/100 Mbit/s
Mode | Full or Half duplex
Interface | Auto MDI/MDIX
Connector | Option of 4-pin D-coded M12 female or 8-pin A-coded M12 female | RJ-45

Wired Interfaces - I/O
Digital I/O | Input 4 - 28 VDC / Output: 28 VDC 50 mA max | Extended temperature variants: Input 4 - 28 VDC / Output: 28 VDC 50 mA max | N/A
Connector | 4-pin A-coded M12 Male (only 2 pins are used for I/O; the other 2 pins are used for DC Power) | 4-pin Molex (only 2 pins are used for I/O; the other 2 pins are used for DC power) | Extended temperature variants: 4-pin Molex (only 2 pins are used for I/O; the other 2 pins are used for DC power) | N/A

Wired Interfaces - USB
Ports | N/A | 1
Standard | USB 1.0; WR44v2: USB 2.0 | USB 2.0
Signaling | Full- or low-speed | High-speed
Connector | Type A

Wired Interfaces - DSL*
Technology | N/A | VDSL2, ADSL2+, ADSL2, ADSL | N/A | N/A
Standard | Option of Annex A/M or B
Connector | RJ-11

Wired Interfaces - Other
Expansion Cards | N/A | Optional expansion cards available for GPS, fleet, telemetry (digital/analog I/O), ISDN/PSTN, serial and DialServ. See page 5 for more information. | N/A

Software/Management
Management (Cloud-based) | iDigi® Manager Pro™
Management (Local) | Web Interface via HTTP/HTTPS; CLI via serial port, Telnet, SSH
Software | Python, iDigi® Dia, Digi ESP™ development environment
Software Packages (see page 4 for details) | Enterprise | Option of Standard or Enterprise
Memory | 128 MB NAND Flash/64 MB DDR2 SDRAM | 64 MB RAM, 32 MB NOR Flash | 128 MB NAND Flash/128 MB DDR2 SDRAM

Power
Input | 9 – 36 VDC | 8-48 VDC | 9-30 VDC
Consumption | 15W max, 8.5W typical | 6W max, 4W typical
Connector | 4-pin A-coded M12 male (only 2 pins are used for power; the other 2 pins are used for I/O) | Locking barrel and 4-pin terminal block | Locking barrel or 4-pin terminal block (extended temperature models only) | Depending on model: Locking barrel or screw-down removable terminal block
DC Power Cord* | 4-pin A-coded M12 female to bare wire | Locking barrel to bare wire or 4-pin connector to bare wire | Locking barrel to bare wire
AC Power Supply* | (P/N: 76000917) 100W, 24 VDC output, 67-143 VDC input, EN50155 compliant; (P/N: 76000918) 400W, 14.2 VDC output, 40–100 VDC input, EN50155 and S-5702 compliant | 100-240 VAC 50/60 Hz; Option of standard temperature or extended temperature
Battery Backup | None

Physical
Dimensions (L x W x H) | 11.5 in x 6.65 in x 2.05 in (29.2 cm x 16.9 cm x 5.2 cm) | WR44: (non-DSL variants): 5.7 in x 8.3 in x 1.6 in (145 mm x 210 mm x 40 mm); WR44: (DSL variants): 5.7 in x 10.4 in x 1.6 in (145 mm x 264 mm x 40 mm); WR44 R: 5.5 in x 10 in x 1.9 in (140 mm x 254 mm x 48 mm) | 4.7 in x 6.8 in x 1.3 in (120 mm x 173 mm x 32 mm) | 3.9 in x 5.2 in x 1.3 in (100 mm x 131 mm x 32 mm)
Weight | 5.7 lbs (2.6 kg) | WR44: (non-DSL variants): 1.98 lb (0.9 kg); WR44: (DSL variants): 2.25 lbs (1 kg); WR44 R: 2.4 lbs (1.1 kg) | 1.27 lb (0.53 kg) | 1.08 lb (0.49 kg)
Status LEDs | Power, 4x LAN, WiFi, Serial, WWAN (Link, Act, SIM), 3x Signal Strength | Power, 4x LAN, WiFi, Serial/DSL, WWAN (Link, Act, SIM), 3x Signal Strength | Power, LAN, WiFi, WWAN (Link, Act, SIM), 3x Signal Strength, Serial | Power, Service, WWAN, 3x Signal Strength
Enclosure Material/Rating | Aluminium Alloy/ IP54 | WR44: Industrial (Metal)/IP50; WR44R: Aluminium Alloy/IP50 | Industrial (Metal)/ IP50
Mounting | 4x mounting slots on the unit's flange | WR44: Brackets for wall mount & DIN rail sold separately; WR44R: 4x mounting slots on the unit's flange | Brackets for wall mount & DIN rail sold separately | Brackets for wall mount & DIN rail sold separately

Environmental
Operating Temperature *** | -40° C to +75° C | WR44: (standard temp variants): 0° C to +60° C; WR44: (extended temp variants)/ WR44 R: -40° C to +75° C; Wi-Fi variants: -20° C to +75° C | -25° C to +70° C; Wi-Fi variants: -10° C to +70° C | -35° C to +75° C
Storage Temperature | -40° C to +85° C
Relative Humidity | 0% to 95% (non-condensing) | 20% to 95% (non-condensing)
Ethernet Isolation | 2 kV RMS | 1.5 kV RMS
Serial Port Protection (ESD) | 10 kV | 15 kV
Hazardous (Class 1 Div 2) | N/A | Optional
Conformal Coating | Available upon request | N/A

Approvals
GSM/UMTS | PTCRB, NAPRD.03, GCF-CC, R&TTE, EN 301 511
CDMA/EV-DO | CDG TIA/EIA-690, CDG TIA/EIA-98-E
Cellular Carriers | Certified by most major carriers. See for current listing.
Safety | UL 60950, CSA 22.2 No. 60950, EN60950
Emissions/Immunity | CE, FCC Part 15 Class B, AS/NZS CISPR 22, EN55024, EN55022 Class B
Industry | AAR S-5702, EN50155, AREMA C&H | E-Marking (72/245/EEC, 2009/19/EC); Automotive Non-Immunity (2004/104/ EC, 2005/49/EC, 2005/83/EC, 2006/28/EC) | N/A

Warranty
Product Warranty | 3 years | WR44 - 5 years; WR44 R - 3 years | 5 years

* Optional hardware
** Transfer rates are network operator dependent
*** Reduced cellular performance may occur above +60° C. Standard temperature power supplies may reduce temperature range.

Software Packages | Enterprise | Standard
Protocols | Same as Standard plus iDigi; Dynamic DNS client compatible with BIND9/No-IP/DynDNS | HTTP, HTTPS, FTP, SFTP, SSL, SMTP, iDigi SNMP, SNMP (v1/v2c/v3), SSH, Telnet and CLI for web management; remote management via software tool (option); SMS management, protocol analyzer, ability to capture PCAP for use with Wireshark; DynDNS
Security/Firewall/VPN | RADIUS TACACS+, SSL, SSLv2, SSLv3, FIPS 197, L2TP, (5 tunnels included); IPSec with IKEv1, IKEv2, ISAKMP; DES, 3DES and AES up to 256-bit encryption; SCEP for X.509 certificates, OpenVPN client and server, PPTP; IPSec/PPP/L2TP VPN Server support; Stateful inspection firewall with scripting; Content Filtering (via 3rd party) | IP Filtering
Routing | Bridging, NAT/NAT-Traversal, NAPT forwarding; PPP, PPPoE, GRE; IP Routing Protocol: PPP, GRE, RIP (v1 & v2) OSPF, SRI, BGP; IP Failover: VRRP, NAT, NATP, IP pass-through | VRRP+TM; VLAN support; STP (Spanning Tree Protocol); Automatic failover/failback to second GSM network/Standby APN; Firmware upgradable to IPv6; iGMP routing (multicast); IP pass-through (advanced)
Specialty Protocol | DHCP; RealPort®; Modbus UDP/TCP to serial; Legacy protocols (X.25 (including X0T), SNA/IP, TPAD and PAD); Protocol switch | DHCP; RealPort®

Expansion Cards | Connector | Specification
Available for Digi TransPort WR41/WR44/WR44 R
Sync/Async Serial Port (S1) | 1 x DB-25 | X.21/RS-422/RS-232 synchronous/ asynchronous serial port
Async Serial Ports (A3) | 3 x RJ-45 | 3x asynchronous serial ports
PSTN (P1) | 1 x RJ-45 | PSTN interface that can be used to dial out and receive calls. A PPP session is created over which IP traffic can be sent and received.
DialServ (P3) | 1 x RJ-11 (FXS) | Dial tone simulator to emulate local telco.
ISDN (I1) | 1 x RJ-45 | ISDN Basic Rate Interface (BRI) which can be configured either as a TE (terminal endpoint) or as NT-1 (network termination). The option also includes an additional asynchronous serial port via a second RJ-45 port.
ISDN-U/PSTN (I3) | 1 x RJ-11, 1 x RJ-45 | ISDN-U interface suitable for the USA plus PSTN interface. Can be configured for Bell-103 modulation in leased line mode as well as a normal PSTN interface.
Telemetry 1 (T1) | 1 x 14 pin terminal block | 4 x Opto-isolated digital output ports and 1 x Opto-isolated digital input port. It also provides a relay I/O port, voltage monitoring port, and internal temperature monitoring. Fully programmable via Python for embedded Digi TransPort applications.
Telemetry 2 (T2) | 1 x 14 pin terminal block | 4 x Analog and 4 x Digital I/O ports fully programmable via Python for embedded Digi TransPort applications.
GPS (G1) | 1 x SMA | Fully-integrated GPS tracking. See main specifications area for details.
Fleet (F1) | 1 x 4-pin, 1 x 15-pin, 1 x SMA | Flexible transportation/fleet focused applications requiring CAN bus, J1708, GPS, Non-isolated digital I/O, Ignition Sense, 3-Axis accelerometer, and power control of Digi TransPort interfaces. Fully programmable via Python for embedded Digi TransPort applications.