Line 20: |
Line 20: |
| <td>Enable</td> | | <td>Enable</td> |
| <td>yes | no; default: <b>no</b></td> | | <td>yes | no; default: <b>no</b></td> |
− | <td>Turns the IPsec instance on or off.</td> | + | <td>Turns the IPsec instance on or off</td> |
| </tr> | | </tr> |
| + | <tr> |
| + | <td>Enable IPv6</td> |
| + | <td>yes | no; default: <b>no</b></td> |
| + | <td>Turns the IPv6 address of the left interface on or off</td> |
| + | </tr> |
| + | <tr> |
| + | <td>Authentication type</td> |
| + | <td>Pre-shared key | X.509; default: <b>Pre-shared key</b></td> |
| + | <td>Authentication type accordingly to your IPsec configuration. IPsec </td> |
| + | </tr> |
| + | <!-- |
| + | <tr> |
| + | <td><span style="color: #6E9710;">X.509:</span> Key file</td> |
| + | <td>.key file; default: <b>none</b></td> |
| + | <td>Authenticates to the server and establishes precisely who they are.</td> |
| + | </tr> |
| + | <tr> |
| + | <td><span style="color: #6E9710;">X.509:</span> Certificate file</td> |
| + | <td>.crt file; default: <b>none</b></td> |
| + | <td></td> |
| + | </tr> |
| + | <tr> |
| + | <td><span style="color: #6E9710;">X.509:</span> Remote endpoint certificate</td> |
| + | <td>.crt file; default: <b>none</b></td> |
| + | <td></td> |
| + | </tr> |
| + | <tr> |
| + | <td><span style="color: #6E9710;">X.509:</span> CA certificate</td> |
| + | <td>.ca file; default: <b>none</b></td> |
| + | <td>CA certificate issued by Certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td> |
| + | </tr> |
| + | --> |
| <tr> | | <tr> |
| <td>IKE version</td> | | <td>IKE version</td> |
| <td>IKEv1 | IKEv2; default: <b>IKEv1</b></td> | | <td>IKEv1 | IKEv2; default: <b>IKEv1</b></td> |
− | <td>Internet Key Exchange (IKE) version used for key exchange. | + | <td>Internet Key Exchange (IKE) version used for key exchange |
| <ul> | | <ul> |
| <li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li> | | <li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li> |
− | <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection).</li> | + | <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection)</li> |
| </ul> | | </ul> |
| </td> | | </td> |
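Review bot: the new Authentication type description cell is cut off mid-sentence ("...your IPsec configuration. IPsec ") and "accordingly to" should read "according to"; finish the sentence or drop the dangling "IPsec". The commented-out X.509 block also leaves the Certificate file and Remote endpoint certificate description cells empty, and the CA certificate text ("CA certificate issued by Certificate authority (CA) is an entity that issues...") does not parse as a sentence, so fill and reword those before the block is re-enabled. Trailing periods were stripped from "Turns the IPsec instance on or off" and from the IKEv2 bullet, but the IKEv1 bullet keeps its period; pick one convention.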
Line 38: |
Line 70: |
| <ul> | | <ul> |
| <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li> | | <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li> |
− | <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode.</li> | + | <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode</li> |
| </ul> | | </ul> |
| </td> | | </td> |
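Review bot: the period was removed from the Aggressive bullet while the Main bullet on the line above keeps its trailing period, so the list is now inconsistent; strip both or neither.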
Line 51: |
Line 83: |
| </ul> | | </ul> |
| </td> | | </td> |
− | </tr>
| |
− | <tr>
| |
− | <td>My identifier type</td>
| |
− | <td>FQDN | User FQDN | Address; default: <b>FQDN</b></td>
| |
− | <td>Defines the type of identity used in user (IPsec instance) authentication.
| |
− | <ul>
| |
− | <li><b>FQDN</b> - identity defined by fully qualified domain name. It is the complete domain name for a host (for example, <i>something.somedomain.com</i>). Only supported with IKEv2.</li>
| |
− | <li><b>User FQDN</b> - identity defined by fully qualified username string (for example, <i>[email protected]</i>). Only supported with IKEv2.</li> | |
− | <li><b>Address</b> - identity by IP address.</li>
| |
− | </ul>
| |
− | </td>
| |
− | </tr>
| |
| <tr> | | <tr> |
| <td>On startup</td> | | <td>On startup</td> |
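Review bot: removing the whole "My identifier type" row also drops the only place that says FQDN and User FQDN identities are supported with IKEv2 only; if the field still exists in the UI, the identifier options and that IKEv2 caveat should be kept somewhere (for example next to the IKE version row), otherwise a user on IKEv1 has no way to learn that those identity types will not work.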
Line 68: |
Line 88: |
| <td>Defines how the instance should act on router startup. | | <td>Defines how the instance should act on router startup. |
| <ul> | | <ul> |
− | <li><b>Ignore</b> - does not start the tunnel.</li>
| |
| <li><b>Add</b> - loads a connection without starting it.</li> | | <li><b>Add</b> - loads a connection without starting it.</li> |
| <li><b>Route</b> - starts the tunnel only if there is traffic.</li> | | <li><b>Route</b> - starts the tunnel only if there is traffic.</li> |
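Review bot: with the Ignore bullet removed from the On startup list, check that this field's value-range and default cell (outside the hunk) no longer lists Ignore as a value or as the default; the remaining Add and Route bullets read fine.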
Line 113: |
Line 132: |
| <td>Remote VPN endpoint</td> | | <td>Remote VPN endpoint</td> |
| <td>host | ip; default: <b>none</b></td> | | <td>host | ip; default: <b>none</b></td> |
− | <td>IP address or hostname of the remote IPsec instance.</td> | + | <td>IP address or hostname of the remote IPsec instance</td> |
| + | </tr> |
| + | <tr> |
| + | <td>Remote identifier</td> |
| + | <td>string | ip; default: <b>none</b></td> |
| + | <td>FQDN or IP address of remote peer. Leave empty for any</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
− | <td><span style="color: red;">Tunnel:</span> Remote IP address/subnet mask</td> | + | <td><span style="color: red;">Tunnel:</span> Remote IP address/Subnet mask</td> |
| <td>ip/netmask; default: <b>none</b></td> | | <td>ip/netmask; default: <b>none</b></td> |
− | <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP.</td> | + | <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
| <td>Right firewall</td> | | <td>Right firewall</td> |
| <td>yes | no; default: <b>yes</b></td> | | <td>yes | no; default: <b>yes</b></td> |
− | <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router.</td> | + | <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router</td> |
− | </tr>
| |
− | <tr>
| |
− | <td><span style="color: purple;">Transport:</span> Use with DMVPN</td>
| |
− | <td>yes | no; default: <b>no</b></td>
| |
− | <td>Adds several necessary options to make DMVPN work.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Enable keepalive</td>
| |
− | <td>yes | no; default: <b>no</b></td>
| |
− | <td>When enabled, the instance sends ICMP packets to the specified host at the specified frequency. If no response is received, the router will attempt to restart the connection.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Host</td>
| |
− | <td>host | ip; default: <b>none</b></td>
| |
− | <td>Hostname or IP address to which keepalive ICMP packets will be sent to.</td>
| |
− | </tr>
| |
− | <tr>
| |
− | <td>Ping period (sec)</td>
| |
− | <td>integer [0..9999999]; default: <b>none</b></td>
| |
− | <td>The frequency at which keepalive ICMP packets will be sent to the specified host or IP address.</td>
| |
| </tr> | | </tr> |
| <tr> | | <tr> |
| <td>Allow WebUI access</td> | | <td>Allow WebUI access</td> |
| <td>yes | no; default: <b>no</b></td> | | <td>yes | no; default: <b>no</b></td> |
− | <td>Allows WebUI access for hosts in the VPN network.</td> | + | <td>Allows WebUI access for hosts in the VPN network</td> |
| </tr> | | </tr> |
| <tr> | | <tr> |
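Review bot: the new Remote identifier row says "Leave empty for any" without stating the consequence: an empty identifier means the router accepts whatever identity the peer presents, so the cell should recommend setting it whenever the remote peer's identity is known, particularly with the default Pre-shared key authentication. Two typos survive in the Right firewall description ("neccessary", "traffic of from") even though the line was edited to drop its period; fix them in the same edit. Removing the Transport: Use with DMVPN, Enable keepalive, Host and Ping period rows outright leaves keepalive undocumented if it is still offered in the UI, and if no Transport-prefixed field remains, the purple Type: Transport legend entry later in the page becomes stale. Minor: "Remote IP address/Subnet mask" capitalises Subnet mid-phrase.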
Line 161: |
Line 165: |
| <li>Some configuration fields become available only when certain other parameters are selected. The names of the parameters are followed by a prefix that specifies the authentication type under which they become visible. Different color codes are used for different prefixes: | | <li>Some configuration fields become available only when certain other parameters are selected. The names of the parameters are followed by a prefix that specifies the authentication type under which they become visible. Different color codes are used for different prefixes: |
| <ul> | | <ul> |
| + | <!--<li>Green for <span style="color: #6E9710;">Authentication type: X.509</span></li>--> |
| <li>Red for <span style="color: red;">Type: Tunnel</span></li> | | <li>Red for <span style="color: red;">Type: Tunnel</span></li> |
| <li>Purple for <span style="color: purple;">Type: Transport</span></li> | | <li>Purple for <span style="color: purple;">Type: Transport</span></li> |
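Review bot: commenting out the green X.509 legend entry is consistent with the commented-out X.509 rows above, but the Authentication type row added in this change still lists X.509 as a selectable value, so a reader who picks it finds no description of the key, certificate and CA fields; either keep those rows visible or state where the X.509 fields are documented. In the unchanged sentence, the prefix precedes the parameter name rather than following it, so "followed by a prefix" should be "preceded by a prefix".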