Line 1,045: |
Line 1,045: |
| </table> | | </table> |
| | | |
− | ==DMVPN==
| + | {{#ifeq:{{{series}}}|RUT2xx||{{Template:Networking_rutxxx_manual_vpn_dmvpn |
− | | + | | file_dmvpn_config = {{{file_dmvpn_config}}} |
− | <b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
| + | | file_dmvpn_gre_config = {{{file_dmvpn_gre_config}}} |
− | | + | | file_dmvpn_ipsec_config = {{{file_dmvpn_ipsec_config}}} |
− | ===DMVPN configuration===
| + | | file_dmvpn_nhrp_config = {{{file_dmvpn_nhrp_config}}} |
− | ----
| + | }}}} |
− | To create a new DMVPN instance, go to the <i>Services → VPN → DMVPN</i> section, enter a custom name and click the 'Add' button. A DMVPN instance with the given name will appear in the "DMVPN Configuration" list.
| |
− | | |
− | To begin configuration, click the 'Edit' button located next to the instance. Refer to the figures and tables below for information on the DMVPN instance configuration:
| |
− | | |
− | [[File:{{{file_dmvpn_config}}}]]
| |
− | | |
− | <table class="nd-mantable">
| |
− | <tr>
| |
− | <th>Field</th>
| |
− | <th>Value</th>
| |
− | <th>Description</th>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Enabled</td>
| |
− | <td>yes | no; default: <b>no</b></td>
| |
− | <td>Turns the DMVPN instance on or off.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Working mode</td>
| |
− | <td>Spoke | Hub; default: <b>Spoke</b></td>
| |
− | <td>Selects the role of this instance
| |
− | <ul>
| |
− | <li><b>Hub</b> - the central instance of DMVPN that connects other peers (spokes) into single network. There is no need to reconfigure the hub when connecting new spokes to it.</li>
| |
− | <li><b>Spoke</b> - an instance that connects to the hub.</li>
| |
− | </ul>
| |
− | </td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Hub address</td>
| |
− | <td>ip | host; default: <b>off</b></td>
| |
− | <td>IP address or hostname of a DMVPN hub.</td>
| |
− | </tr>
| |
− | </table>
| |
− | <br>
| |
− | ----
| |
− | [[File:{{{file_dmvpn_gre_config}}}]]
| |
− | | |
− | <table class="nd-mantable">
| |
− | <tr>
| |
− | <th>Field</th>
| |
− | <th>Value</th>
| |
− | <th>Description</th>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Tunnel source</td>
| |
− | <td>network interface; default: <b>none</b></td>
| |
− | <td>Network interface used to establish the GRE Tunnel.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Local GRE interface IP address</td>
| |
− | <td>ip; default: <b>none</b></td>
| |
− | <td>IP address of the local GRE Tunnel network interface.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td><span style="color: red;">Spoke:</span> Remote GRE interface IP address</td>
| |
− | <td>ip; default: <b>none</b></td>
| |
− | <td>IP address of the remote GRE Tunnel instance.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td><span style="color: purple;">Hub:</span> Local GRE interface netmask</td>
| |
− | <td>netmask; default: <b>none</b></td>
| |
− | <td>Subnet mask of the local GRE Tunnel network interface.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>GRE MTU</td>
| |
− | <td>integer; default: <b>1476</b></td>
| |
− | <td>Sets the maximum transmission unit (MTU) size. It is the largest size of a protocol data unit (PDU) that can be transmitted in a single network layer transaction.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>GRE keys</td>
| |
− | <td>integer [0..65535]; default: <b>none</b></td>
| |
− | <td>A key used to identify incoming and outgoing GRE packets.</td>
| |
− | </tr>
| |
− | </table>
| |
− | <br>
| |
− | ----
| |
− | [[File:{{{file_dmvpn_ipsec_config}}}]]
| |
− | | |
− | <table class="nd-mantable">
| |
− | <tr>
| |
− | <th>Field</th>
| |
− | <th>Value</th>
| |
− | <th>Description</th>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Negotiation mode</td>
| |
− | <td>Main | Aggressive; default: <b>Main</b></td>
| |
− | <td>Internet Security and Key Management Protocol (ISAKMP) phase 1 exchange mode.
| |
− | <ul>
| |
− | <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li>
| |
− | <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode.</li>
| |
− | </ul>
| |
− | </td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>My identifier type</td>
| |
− | <td>FQDN | User FQDN | Address; default: <b>FQDN</b></td>
| |
− | <td>Defines the type of identity used in user (IPsec instance) authentication.
| |
− | <ul>
| |
− | <li><b>FQDN</b> - identity defined by fully qualified domain name. It is the complete domain name for a host (for example, <i>something.somedomain.com</i>). Only supported with IKEv2.</li>
| |
− | <li><b>User FQDN</b> - identity defined by fully qualified username string (for example, <i>[email protected]</i>). Only supported with IKEv2.</li> | |
− | <li><b>Address</b> - identity by IP address.</li>
| |
− | </ul>
| |
− | </td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>My identifier</td>
| |
− | <td>ip | string; default: <b>none</b></td>
| |
− | <td>Defines how the user (IPsec instance) will be identified during authentication.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Encryption algorithm</td>
| |
− | <td>DES | 3DES | AES128 | AES192 | AES256; default: <b>3DES</b></td>
| |
− | <td>Algorithm used for data encryption.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Authentication/Hash algorithm</td>
| |
− | <td>MD5 | SHA1 | SHA256 | SHA384 | SHA512; default: <b>SHA1</b></td>
| |
− | <td>Algorithm used for exchanging authentication and hash information.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>DH group/PFS group</td>
| |
− | <td>MODP768 | MODP1024 | MODP1536 | MODP2048 | MODP3072 | MODP4096; default: <b>MODP1536</b></td>
| |
− | <td></td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Lifetime</td>
| |
− | <td>integer; default: <b>8 hours</b></td>
| |
− | <td>Defines a time period after which the phase will re-initiate its exchange of information.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Pre shared key</td>
| |
− | <td>string; default: <b>none</b></td>
| |
− | <td>A shared password used for authentication between IPsec peers.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Secret's ID selector</td>
| |
− | <td>string; default: <b>none</b></td>
| |
− | <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any.<br><b>NOTE</b>: IKEv1 only supports IP address ID selector.</td>
| |
− | </tr>
| |
− | </table>
| |
− | <br>
| |
− | ----
| |
− | [[File:{{{file_dmvpn_nhrp_config}}}]]
| |
− | | |
− | <table class="nd-mantable">
| |
− | <tr>
| |
− | <th>Field</th>
| |
− | <th>Value</th>
| |
− | <th>Description</th>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>NHRP network ID</td>
| |
− | <td>integer; default: <b>1</b></td>
| |
− | <td>An identifier used to define the NHRP domain. This is a local parameter and its value does not need to match the values specified on other domains. However, the NHRP ID is added to packets which arrive on the GRE interface; therefore, it may be helpful to use the same ID for troubleshooting purposes.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>NHRP hold time</td>
| |
− | <td>integer; default: <b>7200</b></td>
| |
− | <td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The hold time is specified in seconds and defaults to two hours.</td>
| |
− | </tr>
| |
− | </table>
| |
| | | |
| [[Category:{{{name}}} WebUI]] | | [[Category:{{{name}}} WebUI]] |
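Review bot: the `{{#ifeq:{{{series}}}|RUT2xx||...}}` wrapper on the first + line silently drops the entire DMVPN section for the RUT2xx series, but nothing in the hunk records why that series is excluded; add a short wiki comment beside the condition stating the reason, so a later editor does not treat it as an accidental leftover and remove it. Two issues in the removed text are carried into Template:Networking_rutxxx_manual_vpn_dmvpn unchanged and should be fixed there when the moved table is checked: the "DH group/PFS group" row has an empty description cell, and the documented IPsec defaults (encryption `3DES`, hash `SHA1`, DH group `MODP1536`) together with the still-offered `DES`, `MD5` and `MODP768` options are weak by current standards, so the moved table should at minimum note which of those values to avoid and point operators to AES and SHA256 or stronger with MODP2048 or larger. The four `file_dmvpn_*_config` parameters passed through match the four `[[File:...]]` references in the removed section, so the image wiring itself looks complete.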