
Template:Networking rut manual vpn: Difference between revisions

Line 707: Line 707:
===Pre-shared keys===
===Pre-shared keys===
----
----
A <b>pre-shared key</b> is a secret password used for authentication between IPsec peers before a secure tunnel is established. To create a new key, click the 'Add' button.
The figure below is an example of the Pre-shared keys section and the table below provides information on configuration fields contained in that section:


[[File:{{{file_ipsec_psk}}}]]
[[File:{{{file_ipsec_psk}}}]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
    <td>Pre shared key</td>
        <td>string; default: <b>none</b></td>
        <td>A shared password used for authentication between IPsec peers.</td>
    </tr>
    <tr>
    <td>Secret's ID selector</td>
        <td>string; default: <b>none</b></td>
        <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any.<br><b>NOTE</b>: IKEv1 only supports IP address ID selector.</td>
    </tr>
</table>


==GRE Tunnel==
==GRE Tunnel==
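Review bot: the "Secret's ID selector" row's note that IKEv1 only supports an IP address selector should say which IKEv1 mode that restriction applies to; the DMVPN IPsec table added in this same revision offers Main and Aggressive negotiation modes and marks FQDN and User FQDN identities as IKEv2-only, so a reader cannot tell from the two tables whether an FQDN selector is usable with aggressive mode. The "Pre shared key" row would also benefit from one sentence on key strength (a long random string rather than a memorable password), since the same revision notes that aggressive mode exchanges identities before a secure channel exists. Minor: the field is spelled "Pre shared key" in the table but "Pre-shared keys" in the heading, and a blank line is missing between the introductory paragraph and the [[File:...]] image.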
Line 756: Line 777:
     <td>Outbound key</td>
     <td>Outbound key</td>
         <td>integer [0..65535]; default: <b>none</b></td>
         <td>integer [0..65535]; default: <b>none</b></td>
         <td>Key for outgoing packets. This value should match the "Inbound key" value set on the opposite GRE instance or both key values should be omitted on both sides.</td>
         <td>A key used to identify outgoing packets. A This value should match the "Inbound key" value set on the opposite GRE instance or both key values should be omitted on both sides.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Inbound key</td>
     <td>Inbound key</td>
         <td>integer [0..65535]; default: <b>none</b></td>
         <td>integer [0..65535]; default: <b>none</b></td>
         <td>Key for incoming packets. This value should match the "Outbound key" value set on the opposite GRE instance or both key values should be omitted on both sides.</td>
         <td>A key used to identify incoming packets. This value should match the "Outbound key" value set on the opposite GRE instance or both key values should be omitted on both sides.</td>
     </tr>
     </tr>
     <tr>
     <tr>
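Review bot: the reworded "Outbound key" description carries a leftover word, "A This value should match…"; it should read "This value should match…" so it parallels the rewritten "Inbound key" row directly below. Consider also saying in both rows that a GRE key is a plaintext tunnel identifier carried in the GRE header and not an authentication secret, so it is not confused with the IPsec pre-shared key documented in the section above.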
Line 1,021: Line 1,042:
       <td>ip; default: <b>none</b></td>
       <td>ip; default: <b>none</b></td>
       <td>Assigns an IP address to the client that uses the adjacent authentication info. This field is optional and if left empty the client will simply receive an IP address from the IP pool defined above.</td>
       <td>Assigns an IP address to the client that uses the adjacent authentication info. This field is optional and if left empty the client will simply receive an IP address from the IP pool defined above.</td>
    </tr>
</table>
==DMVPN==
<b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
===DMVPN configuration===
----
To create a new DMVPN instance, go to the <i>Services → VPN → DMVPN</i> section, enter a custom name and click the 'Add' button. A DMVPN instance with the given name will appear in the "DMVPN Configuration" list.
To begin configuration, click the 'Edit' button located next to the instance. Refer to the figures and tables below for information on the DMVPN instance configuration:
[[File:{{{file_dmvpn_config}}}]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>Enabled</td>
      <td>yes | no; default: <b>no</b></td>
      <td>Turns the DMVPN instance on or off.</td>
    </tr>
    <tr>
      <td>Working mode</td>
      <td>Spoke | Hub; default: <b>Spoke</b></td>
      <td>Selects the role of this instance
            <ul>
                <li><b>Hub</b> - the central instance of DMVPN that connects other peers (spokes) into single network. There is no need to reconfigure the hub when connecting new spokes to it.</li>
                <li><b>Spoke</b> - an instance that connects to the hub.</li>
            </ul>
        </td>
    </tr>
    <tr>
      <td>Hub address</td>
      <td>ip | host; default: <b>off</b></td>
      <td>IP address or hostname of a DMVPN hub.</td>
    </tr>
</table>
<br>
----
[[File:{{{file_dmvpn_gre_config}}}]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>Tunnel source</td>
      <td>network interface; default: <b>none</b></td>
      <td>Network interface used to establish the GRE Tunnel.</td>
    </tr>
    <tr>
    <td>Local GRE interface IP address</td>
        <td>ip; default: <b>none</b></td>
        <td>IP address of the local GRE Tunnel network interface.</td>
    </tr>
    <tr>
      <td><span style="color: red;">Spoke:</span> Remote GRE interface IP address</td>
      <td>ip; default: <b>none</b></td>
      <td>IP address of the remote GRE Tunnel instance.</td>
    </tr>
    <tr>
    <td><span style="color: purple;">Hub:</span> Local GRE interface netmask</td>
        <td>netmask; default: <b>none</b></td>
        <td>Subnet mask of the local GRE Tunnel network interface.</td>
    </tr>
    <tr>
      <td>GRE MTU</td>
      <td>integer; default: <b>1476</b></td>
      <td>Sets the maximum transmission unit (MTU) size. It is the largest size of a protocol data unit (PDU) that can be transmitted in a single network layer transaction.</td>
    </tr>
    <tr>
      <td>GRE keys</td>
      <td>integer [0..65535]; default: <b>none</b></td>
      <td>A key used to identify incoming and outgoing GRE packets.</td>
    </tr>
</table>
<br>
----
[[File:{{{file_dmvpn_ipsec_config}}}]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>Negotiation mode</td>
      <td>Main | Aggressive; default: <b>Main</b></td>
      <td>Internet Security and Key Management Protocol (ISAKMP) phase 1 exchange mode.
            <ul>
                <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li>
                <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode.</li>
            </ul>
        </td>
    </tr>
    <tr>
    <td>My identifier type</td>
        <td>FQDN | User FQDN | Address; default: <b>FQDN</b></td>
        <td>Defines the type of identity used in user (IPsec instance) authentication.
            <ul>
                <li><b>FQDN</b> - identity defined by fully qualified domain name. It is the complete domain name for a host (for example, <i>something.somedomain.com</i>). Only supported with IKEv2.</li>
                <li><b>User FQDN</b> - identity defined by fully qualified username string (for example, <i>[email protected]</i>). Only supported with IKEv2.</li>
                <li><b>Address</b> - identity by IP address.</li>
            </ul>
        </td>
    </tr>
    <tr>
    <td>My identifier</td>
        <td>ip | string; default: <b>none</b></td>
        <td>Defines how the user (IPsec instance) will be identified during authentication.</td>
    </tr>
    <tr>
    <td>Encryption algorithm</td>
        <td>DES | 3DES | AES128 | AES192 | AES256; default: <b>3DES</b></td>
        <td>Algorithm used for data encryption.</td>
    </tr>
    <tr>
    <td>Authentication/Hash algorithm</td>
        <td>MD5 | SHA1 | SHA256 | SHA384 | SHA512; default: <b>SHA1</b></td>
        <td>Algorithm used for exchanging authentication and hash information.</td>
    </tr>
    <tr>
    <td>DH group/PFS group</td>
        <td>MODP768 | MODP1024 | MODP1536 | MODP2048 | MODP3072 | MODP4096; default: <b>MODP1536</b></td>
        <td></td>
    </tr>
    <tr>
    <td>Lifetime</td>
        <td>integer; default: <b>8 hours</b></td>
        <td>Defines a time period after which the phase will re-initiate its exchange of information.</td>
    </tr>
    <tr>
    <td>Pre shared key</td>
        <td>string; default: <b>none</b></td>
        <td>A shared password used for authentication between IPsec peers.</td>
    </tr>
    <tr>
    <td>Secret's ID selector</td>
        <td>string; default: <b>none</b></td>
        <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any.<br><b>NOTE</b>: IKEv1 only supports IP address ID selector.</td>
    </tr>
</table>
<br>
----
[[File:{{{file_dmvpn_nhrp_config}}}]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
      <td>NHRP network ID</td>
      <td>integer; default: <b>1</b></td>
      <td>An identifier used to define the NHRP domain. This is a local parameter and its value does not need to match the values specified on other domains. However, the NHRP ID is added to packets which arrive on the GRE interface; therefore, it may be helpful to use the same ID for troubleshooting purposes.</td>
    </tr>
    <tr>
      <td>NHRP hold time</td>
      <td>integer; default: <b>7200</b></td>
      <td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The holdtime is specified in seconds and defaults to two hours.</td>
     </tr>
     </tr>
</table>
</table>


[[Category:{{{name}}} WebUI]]
[[Category:{{{name}}} WebUI]]
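Review bot: the "Negotiation mode" row in the DMVPN IPsec table has the IKEv1 message counts wrong: Main mode's three two-way exchanges total 6 messages, not 9, and Aggressive mode is 3 messages, not 6; in the same cell, ISAKMP should be expanded as Internet Security Association and Key Management Protocol. The "DH group/PFS group" row has an empty description. The "My identifier type" row says FQDN and User FQDN are "Only supported with IKEv2", yet the table offers only the IKEv1 Main/Aggressive negotiation modes and no IKE version selector, so either that note does not apply here or the selector is missing from the table. Because the GRE and NHRP traffic of the hub and spokes is protected only by these IPsec settings, the algorithm rows should flag DES, 3DES, MD5, SHA1, MODP768 and MODP1024 as legacy choices and point the reader at AES, SHA256 or stronger, and MODP2048 or larger; the documented defaults (3DES, SHA1, MODP1536) are themselves on the weak side and deserve a warning. Minor: "Hub address" lists "default: off" where every other ip field in the template uses "none", and the "GRE MTU" description repeats the generic MTU definition instead of noting that the default 1476 is 1500 minus the GRE and outer IPv4 headers.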