Line 724: |
Line 724: |
| The <b>general settings</b> section is used to configure the main IPsec parameters. Refer to the figure and table below for information on the configuration fields located in the general settings section. | | The <b>general settings</b> section is used to configure the main IPsec parameters. Refer to the figure and table below for information on the configuration fields located in the general settings section. |
| | | |
− | [[File:Networking_rutos_vpn_ipsec_ipsec_instance_general_settings.png|border|class=tlt-border]] | + | [[File:Networking_rutos_vpn_ipsec_ipsec_instance_general_settings_v1.png|border|class=tlt-border]] |
| | | |
| <table class="nd-mantable"> | | <table class="nd-mantable"> |
Line 744: |
Line 744: |
| <tr> | | <tr> |
| <td>Authentication method</td> | | <td>Authentication method</td> |
− | <td>Pre-shared key {{!}} X.509; default: <b>Pre-shared key</b></td> | + | <td>Pre-shared key {{!}} <span style="color:darkred">X.509 {{!}} EAP</span> {{!}} <span style="color:blue">PKCS#12</span>; default: <b>Pre-shared key</b></td> |
| <td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td> | | <td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td> |
| + | </tr> |
| + | <tr> |
| + | <td><span style="color:blue">PKCS#12:</span> PKCS12 container</td> |
| + | <td>string; default: <b>none</b></td> |
| + | <td></td> |
| + | </tr> |
| + | <tr> |
| + | <td><span style="color:blue">PKCS#12:</span> PKCS12 decryption passphrase</td> |
| + | <td>string; default: <b>none</b></td> |
| + | <td></td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
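Review bot: the Authentication method description on the unchanged line still reads "Choose between Pre-shared key and X.509 certificates" while the value cell now lists EAP and PKCS#12 as well; update it to name all four options. The two new PKCS#12 rows ("PKCS12 container", "PKCS12 decryption passphrase") ship with empty description cells; give each a one-line description, mirroring the existing "Key decryption passphrase" row (passphrase needed only if the container is encrypted) and saying what the container must hold. Minor: the field labels spell it "PKCS12" while the option value and the legend say "PKCS#12"; pick one spelling.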
Line 758: |
Line 768: |
| </tr> --> | | </tr> --> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">X.509:</span> Key</td> | + | <td><span style="color:darkred">X.509: {{!}} EAP:</span> Key</td> |
| <td>A private key file; default: <b>none</b></td> | | <td>A private key file; default: <b>none</b></td> |
| <td>A private key file.</td> | | <td>A private key file.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">X.509:</span> Key decryption passphrase</td> | + | <td><span style="color:darkred">X.509: {{!}} EAP:</span> Key decryption passphrase</td> |
| <td>A password for private key files; default: <b>none</b></td> | | <td>A password for private key files; default: <b>none</b></td> |
| <td>If the private key file is encrypted, the passphrase must be defined.</td> | | <td>If the private key file is encrypted, the passphrase must be defined.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">X.509:</span> Local Certificate</td> | + | <td><span style="color:darkred">X.509: {{!}} EAP:</span> Local Certificate</td> |
| <td>.der file; default: <b>none</b></td> | | <td>.der file; default: <b>none</b></td> |
| <td>A local certificate file.</td> | | <td>A local certificate file.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">X.509:</span> CA Certificate</td> | + | <td><span style="color:darkred">X.509: {{!}} EAP:</span> CA Certificate</td> |
| <td>.der file; default: <b>none</b></td> | | <td>.der file; default: <b>none</b></td> |
| <td>A certificate authority file.</td> | | <td>A certificate authority file.</td> |
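Review bot: the new span labels are written "X.509: {{!}} EAP:" with a colon after each name, whereas the secrets table in this same change writes "RSA {{!}} PKCS#12:" with a single trailing colon and the legend writes "X.509/EAP"; use one form throughout. Also, now that EAP shares the Key, Key decryption passphrase, Local Certificate and CA Certificate rows, the descriptions ("A private key file.", "A local certificate file.") no longer tell the reader whether all of these files are mandatory under EAP or only under X.509; a short note per row, or an extra sentence in the Authentication method description, would close that gap.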
Line 809: |
Line 819: |
| <ul> | | <ul> |
| <li>Chocolate for <span style="color: chocolate;">Authentication method: Pre-shared key</span></li> | | <li>Chocolate for <span style="color: chocolate;">Authentication method: Pre-shared key</span></li> |
− | <li>Dark red for <span style="color: darkred;">Authentication method: X.509</span></li> | + | <li>Dark red for <span style="color: darkred;">Authentication method: X.509/EAP</span></li> |
| + | <li>Blue for <span style="color: blue;">Authentication method: PKCS#12</span></li> |
| </ul> | | </ul> |
| </li> | | </li> |
Line 829: |
Line 840: |
| <td>ID Selector</td> | | <td>ID Selector</td> |
| <td>%any, IP or FQDN; default: <b>none</b></td> | | <td>%any, IP or FQDN; default: <b>none</b></td> |
− | <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. When using IKEv1 use IP address.</br><b>NOTE:</b> IKEv1 only supports IP address ID selector.</td> | + | <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. When using IKEv1 use IP address. <b>NOTE:</b> IKEv1 only supports IP address ID selector.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
| <td>Type</td> | | <td>Type</td> |
− | <td>psk {{!}} xauth; default: <b>psk</b></td> | + | <td>PSK {{!}} XAUTH {{!}} EAP {{!}} <span style="color:darkred">RSA</span> {{!}} <span style="color:darkred">PKCS#12</span>; default: <b>PSK</b></td> |
− | <td>IPSec secret type.</br><b>NOTE:</b> XAUTH secrets are IKEv1 only.</td> | + | <td>IPSec secret type. <b>NOTE:</b> XAUTH secrets are IKEv1 only.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
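Review bot: the Type cell colours both RSA and PKCS#12 dark red, but the legend added in this same change reserves dark red for "X.509/EAP" and blue for "PKCS#12"; either colour PKCS#12 blue and add a legend entry for RSA, or extend the legend to match. The new EAP type gets no description: the cell still only says "IPSec secret type. NOTE: XAUTH secrets are IKEv1 only.", so add what an EAP secret consists of and whether the ID Selector applies to it. Replacing the invalid `</br>` with a plain space is correct, but the NOTE now runs into the preceding sentence inside one cell; `<br>` would keep it on its own line as before.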
Line 842: |
Line 853: |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">RSA</span> Secret</td> | + | <td><span style="color:darkred">RSA {{!}} PKCS#12:</span> Secret</td> |
| <td>Private key file; default: <b>none</b></td> | | <td>Private key file; default: <b>none</b></td> |
| <td>A private key file.</td> | | <td>A private key file.</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color:darkred">RSA</span> Key decryption passphrase</td> | + | <td><span style="color:darkred">RSA {{!}} PKCS#12:</span> Key decryption passphrase</td> |
| <td>A password for private key files; default: <b>none</b></td> | | <td>A password for private key files; default: <b>none</b></td> |
| <td>If the private key file is encrypted, the passphrase must be defined.</td> | | <td>If the private key file is encrypted, the passphrase must be defined.</td> |
− | </tr>
| |
− | </table>
| |
− |
| |
− | ====Advanced Settings====
| |
− | ----
| |
− |
| |
− | The <b>Advanced settings</b> section is only visible when <b>X.509</b> is selected as Authentication method.
| |
− |
| |
− | [[File:Networking_rutos_vpn_ipsec_ipsec_instance_advanced_settings.png|border|class=tlt-border]]
| |
− |
| |
− | <table class="nd-mantable">
| |
− | <tr>
| |
− | <th>Field</th>
| |
− | <th>Value</th>
| |
− | <th>Description</th>
| |
− | </tr>
| |
− | <!-- removed on 7.0, to return on 7.1 <tr>
| |
− | <td>Certificate files from device</td>
| |
− | <td>off | on; default: <b>off</b></td>
| |
− | <td>Uses certificate file generated on this device instead of uploading. (You can generate certificates within this device via the System → Administration → [[{{{name}}}_Administration#Certificates|Certificates]] page.)</td>
| |
− | </tr> -->
| |
− | <tr>
| |
− | <td>Remote Certificate</td>
| |
− | <td>.crt file; default: <b>none</b></td>
| |
− | <td>Selects a certificate file from a computer.</td>
| |
| </tr> | | </tr> |
| </table> | | </table> |
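Review bot: the secret-file labels now read "RSA {{!}} PKCS#12: Secret", but the value cell still says "Private key file" and the description "A private key file.", which is wrong for PKCS#12 (a container holding key and certificates, not a bare key); say "Private key or PKCS#12 file" or split the row into two. Second, the entire "Advanced Settings" subsection, including the "Remote Certificate" (.crt) field and the commented-out "Certificate files from device" row with its "return on 7.1" marker, is deleted without a replacement anywhere in this change; if the Remote Certificate upload still exists in the UI it needs a new home in the general settings table, and if it was removed the deletion should be called out in the edit summary so readers on older firmware know where it went. Tag balance is fine: the removed `</tr>`/`</table>` pair belonged to the secrets table and the retained pair now closes it.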
Line 886: |
Line 872: |
| ---- | | ---- |
| | | |
− | [[File:Networking rutos vpn ipsec connection settings general settings v2.png|border|class=tlt-border]] | + | [[File:Networking rutos vpn ipsec connection settings general settings v3.png|border|class=tlt-border]] |
| | | |
| <table class="nd-mantable"> | | <table class="nd-mantable"> |
Line 958: |
Line 944: |
| ====Advanced settings==== | | ====Advanced settings==== |
| ---- | | ---- |
− | [[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings_v2.png|border|class=tlt-border]] | + | [[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings_v3.png|border|class=tlt-border]] |
| | | |
| <table class="nd-mantable"> | | <table class="nd-mantable"> |