
Template:Networking rutos manual vpn: Difference between revisions

no edit summary
No edit summary
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<!-- Template uses {{{name}}}, {{{series}}}    -->
<!-- Template uses {{{name}}}, {{{series}}}    -->
{{Template: Networking_rutos_manual_fw_disclosure
{{Template: Networking_device_manual_fw_disclosure
| fw_version ={{Template: Networking_rutos_manual_latest_fw
| series = {{{series}}}
| name  = {{{name}}}
| fw_version ={{Template: Networking_device_manual_latest_fw
  | series = {{{series}}}
  | series = {{{series}}}
  | name  = {{{name}}}
  | name  = {{{name}}}
  }}
  }}
}}
}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_device_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
==Summary==
==Summary==


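Review bot: the four transclusions switched from `Networking_rutos_manual_fw_disclosure` / `Networking_rutos_manual_latest_fw` to `Networking_device_manual_fw_disclosure` / `Networking_device_manual_latest_fw` (the header block and the two RUT9/RUT2 legacy-WebUI notes) need both target templates to exist and to accept the `series` and `name` parameters exactly as passed here; otherwise the header renders as a red link and the "FW version ... and earlier" text in the RUT9/RUT2 notes comes out empty. The comment on the first line still says the template uses `{{{name}}}` and `{{{series}}}`, which remains accurate after the rename.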
Line 716: Line 718:
To create a new IPsec instance, go to the <i>Services → VPN → IPsec</i> section, enter a custom name and click the 'Add' button. An IPsec instance with the given name will appear in the "IPsec Configuration" list.
To create a new IPsec instance, go to the <i>Services → VPN → IPsec</i> section, enter a custom name and click the 'Add' button. An IPsec instance with the given name will appear in the "IPsec Configuration" list.


[[File:File:Networking rutos vpn ipsec add button.png|border|class=tlt-border]]
[[File:Networking rutos vpn ipsec add button.png|border|class=tlt-border]]


===IPsec Instance===
===IPsec Instance===
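Review bot: the doubled `File:File:` prefix on the add-button image would not resolve to the image, so this one-character-class fix is correct; nothing else to flag in this hunk.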
Line 722: Line 724:
The <b>general settings</b> section is used to configure the main IPsec parameters. Refer to the figure and table below for information on the configuration fields located in the general settings section.
The <b>general settings</b> section is used to configure the main IPsec parameters. Refer to the figure and table below for information on the configuration fields located in the general settings section.


[[File:Networking_rutos_vpn_ipsec_ipsec_instance_general_settings.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_ipsec_ipsec_instance_general_settings_v1.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 742: Line 744:
     <tr>
     <tr>
       <td>Authentication method</td>
       <td>Authentication method</td>
       <td>Pre-shared key {{!}} X.509; default: <b>Pre-shared key</b></td>
       <td>Pre-shared key {{!}} <span style="color:darkred">X.509 {{!}} EAP</span> {{!}} <span style="color:blue">PKCS#12</span>; default: <b>Pre-shared key</b></td>
       <td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td>
       <td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td>
    </tr>
    <tr>
    <td><span style="color:blue">PKCS#12:</span> PKCS12 container</td>
        <td>string; default: <b>none</b></td>
        <td></td>
    </tr>
    <tr>
    <td><span style="color:blue">PKCS#12:</span> PKCS12 decryption passphrase</td>
        <td>string; default: <b>none</b></td>
        <td></td>
     </tr>
     </tr>
     <tr>
     <tr>
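Review bot: the Description cell for "Authentication method" still reads "Choose between Pre-shared key and X.509 certificates." although the Value cell now also offers EAP and PKCS#12, and the two new PKCS#12 rows ("PKCS12 container" and "PKCS12 decryption passphrase") have empty Description cells. Suggest listing all four methods in the description and filling the new rows, for example that the container is the PKCS#12 file bundling the identity certificate, its private key and the CA chain, and that the passphrase is only needed when the container is encrypted, mirroring the wording already used for the X.509 "Key decryption passphrase" row.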
Line 756: Line 768:
   </tr> -->
   </tr> -->
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> Key</td>
     <td><span style="color:darkred">X.509: {{!}} EAP:</span> Key</td>
         <td>A private key file; default: <b>none</b></td>
         <td>A private key file; default: <b>none</b></td>
         <td>A private key file.</td>
         <td>A private key file.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> Key decryption passphrase</td>
     <td><span style="color:darkred">X.509: {{!}} EAP:</span> Key decryption passphrase</td>
         <td>A password for private key files; default: <b>none</b></td>
         <td>A password for private key files; default: <b>none</b></td>
         <td>If the private key file is encrypted, the passphrase must be defined.</td>
         <td>If the private key file is encrypted, the passphrase must be defined.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> Local Certificate</td>
     <td><span style="color:darkred">X.509: {{!}} EAP:</span> Local Certificate</td>
         <td>.der file; default: <b>none</b></td>
         <td>.der file; default: <b>none</b></td>
         <td>A local certificate file.</td>
         <td>A local certificate file.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> CA Certificate</td>
     <td><span style="color:darkred">X.509: {{!}} EAP:</span> CA Certificate</td>
         <td>.der file; default: <b>none</b></td>
         <td>.der file; default: <b>none</b></td>
         <td>A certificate authority file.</td>
         <td>A certificate authority file.</td>
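Review bot: the relabelled rows use `X.509: {{!}} EAP:` with a colon inside the pipe-separated list, while the secrets table in this same revision uses `RSA {{!}} PKCS#12:`; pick one style (`X.509 {{!}} EAP:` reads cleanest). Since the Key, Local Certificate and CA Certificate rows now also apply to EAP, the one-line descriptions ("A private key file.", "A certificate authority file.") could say which side of the EAP exchange each file is used for, as the current text only restates the field name.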
Line 807: Line 819:
         <ul>
         <ul>
             <li>Chocolate for <span style="color: chocolate;">Authentication method: Pre-shared key</span></li>
             <li>Chocolate for <span style="color: chocolate;">Authentication method: Pre-shared key</span></li>
             <li>Dark red for <span style="color: darkred;">Authentication method: X.509</span></li>
             <li>Dark red for <span style="color: darkred;">Authentication method: X.509/EAP</span></li>
            <li>Blue for <span style="color: blue;">Authentication method: PKCS#12</span></li>
         </ul>
         </ul>
     </li>
     </li>
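Review bot: the new "Blue for ... PKCS#12" list item is indented one space less than its siblings; align it. The legend writes "X.509/EAP" while the table labels write `X.509: {{!}} EAP:`, so a reader matching colours to rows sees two spellings of the same thing; one form throughout would help.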
Line 827: Line 840:
     <td>ID Selector</td>
     <td>ID Selector</td>
         <td>%any, IP or FQDN; default: <b>none</b></td>
         <td>%any, IP or FQDN; default: <b>none</b></td>
         <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. When using IKEv1 use IP address.</br><b>NOTE:</b> IKEv1 only supports IP address ID selector.</td>
         <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. When using IKEv1 use IP address. <b>NOTE:</b> IKEv1 only supports IP address ID selector.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Type</td>
       <td>Type</td>
       <td>psk {{!}} xauth; default: <b>psk</b></td>
       <td>PSK {{!}} XAUTH {{!}} EAP {{!}} <span style="color:darkred">RSA</span> {{!}} <span style="color:darkred">PKCS#12</span>; default: <b>PSK</b></td>
       <td>IPSec secret type.</br><b>NOTE:</b> XAUTH secrets are IKEv1 only.</td>
       <td>IPSec secret type. <b>NOTE:</b> XAUTH secrets are IKEv1 only.</td>
     </tr>
     </tr>
     <tr>
     <tr>
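Review bot: in the "Type" row, RSA and PKCS#12 are both coloured dark red, but the legend added in this same revision assigns dark red to X.509/EAP and blue to PKCS#12, so PKCS#12 here should be blue if the colour is meant to indicate the authentication method that exposes the option. The description "IPSec secret type." also needs a sentence on the new EAP, RSA and PKCS#12 types alongside the existing XAUTH note. Separately, replacing `</br>` with a plain space in the ID Selector and Type cells drops the line break before "NOTE:"; `<br>` keeps the break without the invalid closing-tag form.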
Line 840: Line 853:
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">RSA</span> Secret</td>
     <td><span style="color:darkred">RSA {{!}} PKCS#12:</span> Secret</td>
         <td>Private key file; default: <b>none</b></td>
         <td>Private key file; default: <b>none</b></td>
         <td>A private key file.</td>
         <td>A private key file.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">RSA</span> Key decryption passphrase</td>
     <td><span style="color:darkred">RSA {{!}} PKCS#12:</span> Key decryption passphrase</td>
         <td>A password for private key files; default: <b>none</b></td>
         <td>A password for private key files; default: <b>none</b></td>
         <td>If the private key file is encrypted, the passphrase must be defined.</td>
         <td>If the private key file is encrypted, the passphrase must be defined.</td>
    </tr>
</table>
====Advanced Settings====
----
The <b>Advanced settings</b> section is only visible when <b>X.509</b> is selected as Authentication method.
[[File:Networking_rutos_vpn_ipsec_ipsec_instance_advanced_settings.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <!-- removed on 7.0, to return on 7.1 <tr>
    <td>Certificate files from device</td>
        <td>off | on; default: <b>off</b></td>
        <td>Uses certificate file generated on this device instead of uploading. (You can generate certificates within this device via the System → Administration → [[{{{name}}}_Administration#Certificates|Certificates]] page.)</td>
    </tr> -->
    <tr>
    <td>Remote Certificate</td>
        <td>.crt file; default: <b>none</b></td>
        <td>Selects a certificate file from a computer.</td>
     </tr>
     </tr>
</table>
</table>
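Review bot: this hunk deletes the whole "Advanced Settings" subsection (the "only visible when X.509 is selected" sentence, its figure, and the "Remote Certificate" field) with no edit summary; if the field was removed from the firmware, say so in the summary, and if it merely moved, the text should point to the new location, otherwise readers of the previous page lose the field without explanation. The "RSA {{!}} PKCS#12: Secret" row still says "Private key file", which is inaccurate for a PKCS#12 container that bundles the certificate with the key, and the row is dark red although the legend uses blue for PKCS#12.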
Line 884: Line 872:
----
----


[[File:Networking rutos vpn ipsec connection settings general settings v2.png|border|class=tlt-border]]
[[File:Networking rutos vpn ipsec connection settings general settings v3.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 956: Line 944:
====Advanced settings====
====Advanced settings====
----
----
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings_v3.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 1,356: Line 1,344:
<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
{{#switch: {{{series}}} | RUTX | RUTM= | #default=  
{{#switch: {{{series}}} | RUTX | RUTM= | #default=  
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
}}
}}
===SSTP configuration===
===SSTP configuration===
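Review bot: the menu path correction from Services to System → Package Manager is fine, but the `</br>` kept in both versions of the note is the same invalid closing-tag form that the ID Selector hunk of this revision removed; use `<br>` here, and in the Stunnel and DMVPN notes below, which carry identical markup.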
Line 1,424: Line 1,412:
Refer to the figure and table below for information on the fields contained in the Stunnel Globals section.
Refer to the figure and table below for information on the fields contained in the Stunnel Globals section.
{{#switch: {{{series}}} | RUTX | RUTM= | #default=   
{{#switch: {{{series}}} | RUTX | RUTM= | #default=   
</br><u><b>Note:</b> Stunnel is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
</br><u><b>Note:</b> Stunnel is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
}}
}}
[[File:Networking_rutos_manual_vpn_stunnel_globals.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_vpn_stunnel_globals.png|border|class=tlt-border]]
Line 1,566: Line 1,554:
<b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
<b>Dynamic Multipoint VPN</b> (<b>DMVPN</b>) is a method of building scalable IPsec VPNs. DMVPN is configured as a hub-and-spoke network, where tunnels between spokes are built dynamically; therefore, no change in configuration is required on the hub in order to connect new spokes.
{{#switch: {{{series}}} | RUTX | RUTM= | #default=  
{{#switch: {{{series}}} | RUTX | RUTM= | #default=  
</br><u><b>Note:</b> DMPVN is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
</br><u><b>Note:</b> DMPVN is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
}}
}}
===DMVPN configuration===
===DMVPN configuration===
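Review bot: "DMPVN" in the note is a typo for "DMVPN" (as spelled in the paragraph directly above) in both the old and the new version; worth fixing while the line is being edited.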
Line 2,017: Line 2,005:
<b>ZeroTier One</b> is an open source software which can establish Peer to Peer VPN (P2PVPN) connection between various devices running various operating systems. It also provides network management possibilities such as routing and creating firewall rules.
<b>ZeroTier One</b> is an open source software which can establish Peer to Peer VPN (P2PVPN) connection between various devices running various operating systems. It also provides network management possibilities such as routing and creating firewall rules.


<u><b>Note:</b> ZeroTier is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
<u><b>Note:</b> ZeroTier is additional software that can be installed from the <b>System → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
----
----
In order to create a new ZeroTier Instance, look to the Add New ZeroTier Configuration section; enter a custom name and click the 'Add' button:
In order to create a new ZeroTier Instance, look to the Add New ZeroTier Configuration section; enter a custom name and click the 'Add' button:
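Review bot: unlike the SSTP, Stunnel and DMVPN notes, which are wrapped in `{{#switch: {{{series}}} | RUTX | RUTM= | #default= ...}}` so the "additional software" notice is hidden on series where the package is built in, this ZeroTier note is shown unconditionally; confirm that is intended for RUTX and RUTM, or wrap it the same way.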