Changes

Line 20: Line 20:  
     <td>Enable</td>
 
     <td>Enable</td>
 
         <td>yes | no; default: <b>no</b></td>
 
         <td>yes | no; default: <b>no</b></td>
         <td>Turns the IPsec instance on or off.</td>
+
         <td>Turns the IPsec instance on or off</td>
 
     </tr>
 
     </tr>
 +
    <tr>
 +
    <td>Enable IPv6</td>
 +
        <td>yes | no; default: <b>no</b></td>
 +
        <td>Turns the IPv6 address of the left interface on or off</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Authentication type</td>
 +
        <td>Pre-shared key | X.509; default: <b>Pre-shared key</b></td>
 +
        <td>Authentication type accordingly to your IPsec configuration. IPsec </td>
 +
    </tr>
 +
<!--
 +
    <tr>
 +
    <td><span style="color: #6E9710;">X.509:</span> Key file</td>
 +
        <td>.key file; default: <b>none</b></td>
 +
        <td>Authenticates to the server and establishes precisely who they are.</td>
 +
    </tr>
 +
    <tr>
 +
    <td><span style="color: #6E9710;">X.509:</span> Certificate file</td>
 +
        <td>.crt file; default: <b>none</b></td>
 +
        <td></td>
 +
    </tr>
 +
    <tr>
 +
    <td><span style="color: #6E9710;">X.509:</span> Remote endpoint certificate</td>
 +
        <td>.crt file; default: <b>none</b></td>
 +
        <td></td>
 +
    </tr>
 +
    <tr>
 +
    <td><span style="color: #6E9710;">X.509:</span> CA certificate</td>
 +
        <td>.ca file; default: <b>none</b></td>
 +
        <td>CA certificate issued by Certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td>
 +
    </tr>
 +
-->
 
     <tr>
 
     <tr>
 
     <td>IKE version</td>
 
     <td>IKE version</td>
 
         <td>IKEv1 | IKEv2; default: <b>IKEv1</b></td>
 
         <td>IKEv1 | IKEv2; default: <b>IKEv1</b></td>
         <td>Internet Key Exchange (IKE) version used for key exchange.
+
         <td>Internet Key Exchange (IKE) version used for key exchange
 
             <ul>
 
             <ul>
 
                 <li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li>
 
                 <li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li>
                 <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection).</li>
+
                 <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection)</li>
 
             </ul>
 
             </ul>
 
         </td>
 
         </td>
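Review bot: the new "Authentication type" description ends with a dangling "IPsec " after the first sentence, so the text is cut off; either finish the sentence (presumably pointing to the key or certificate fields that the choice enables) or drop the stray word, and change "accordingly to" to "according to". The new "Enable IPv6" row says "left interface", a term this table does not define (the rest of it speaks of "remote" and "Right"), so name the interface in the table's own vocabulary. The trailing-period cleanup is applied inconsistently within one list: the IKEv1 item keeps its period while the IKEv2 item loses it; pick one convention for the whole table. The commented-out "CA certificate" description also runs two sentences together ("CA certificate issued by Certificate authority (CA) is an entity that issues digital certificates"), which should be fixed before that block is uncommented.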
Line 38: Line 70:  
             <ul>
 
             <ul>
 
                 <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li>
 
                 <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li>
                 <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode.</li>
+
                 <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode</li>
 
             </ul>
 
             </ul>
 
         </td>
 
         </td>
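Review bot: "less secure" in the Aggressive item should say what is actually exposed: in aggressive mode the peers' identity payloads are sent before any encryption is negotiated, which is the reason it is generally discouraged, so the description should recommend Main mode, or IKEv2 (which the table already notes uses neither mode), wherever the remote side supports it. Minor: the edit removes the trailing period from the Aggressive item but leaves it on the Main item directly above.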
Line 51: Line 83:  
             </ul>
 
             </ul>
 
         </td>
 
         </td>
    </tr>
  −
    <tr>
  −
    <td>My identifier type</td>
  −
        <td>FQDN | User FQDN | Address; default: <b>FQDN</b></td>
  −
        <td>Defines the type of identity used in user (IPsec instance) authentication.
  −
            <ul>
  −
                <li><b>FQDN</b> - identity defined by fully qualified domain name. It is the complete domain name for a host (for example, <i>something.somedomain.com</i>). Only supported with IKEv2.</li>
  −
                <li><b>User FQDN</b> - identity defined by fully qualified username string (for example, <i>[email protected]</i>). Only supported with IKEv2.</li>
  −
                <li><b>Address</b> - identity by IP address.</li>
  −
            </ul>
  −
        </td>
  −
    </tr>
   
     <tr>
 
     <tr>
 
     <td>On startup</td>
 
     <td>On startup</td>
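Review bot: deleting the "My identifier type" row removes the only description of the local identity (FQDN, User FQDN, Address) together with the "Only supported with IKEv2" caveat for the FQDN variants, while a "Remote identifier" row is added further down; if the local identifier field still exists in the UI, keep this row or state where it moved, and if the field was really removed, say so in the edit summary so the two identifier rows do not silently go out of sync.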
Line 68: Line 88:  
         <td>Defines how the instance should act on router startup.
 
         <td>Defines how the instance should act on router startup.
 
             <ul>
 
             <ul>
                <li><b>Ignore</b> - does not start the tunnel.</li>
   
                 <li><b>Add</b> - loads a connection without starting it.</li>
 
                 <li><b>Add</b> - loads a connection without starting it.</li>
 
                 <li><b>Route</b> - starts the tunnel only if there is traffic.</li>
 
                 <li><b>Route</b> - starts the tunnel only if there is traffic.</li>
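Review bot: the new "Ignore" item is hard to tell apart from "Add": "does not start the tunnel" also describes Add, which "loads a connection without starting it". If Ignore means the connection is not loaded at all (as opposed to loaded but idle), say that explicitly, e.g. "the connection is ignored and not loaded; it cannot be started until the setting is changed".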
Line 113: Line 132:  
       <td>Remote VPN endpoint</td>
 
       <td>Remote VPN endpoint</td>
 
       <td>host | ip; default: <b>none</b></td>
 
       <td>host | ip; default: <b>none</b></td>
       <td>IP address or hostname of the remote IPsec instance.</td>
+
       <td>IP address or hostname of the remote IPsec instance</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Remote identifier</td>
 +
      <td>string | ip; default: <b>none</b></td>
 +
      <td>FQDN or IP address of remote peer. Leave empty for any</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
     <td><span style="color: red;">Tunnel:</span> Remote IP address/subnet mask</td>
+
     <td><span style="color: red;">Tunnel:</span> Remote IP address/Subnet mask</td>
 
         <td>ip/netmask; default: <b>none</b></td>
 
         <td>ip/netmask; default: <b>none</b></td>
         <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP.</td>
+
         <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Right firewall</td>
 
     <td>Right firewall</td>
 
         <td>yes | no; default: <b>yes</b></td>
 
         <td>yes | no; default: <b>yes</b></td>
         <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router.</td>
+
         <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router</td>
    </tr>
  −
    <tr>
  −
    <td><span style="color: purple;">Transport:</span> Use with DMVPN</td>
  −
        <td>yes | no; default: <b>no</b></td>
  −
        <td>Adds several necessary options to make DMVPN work.</td>
  −
    </tr>
  −
    <tr>
  −
      <td>Enable keepalive</td>
  −
      <td>yes | no; default: <b>no</b></td>
  −
      <td>When enabled, the instance sends ICMP packets to the specified host at the specified frequency. If no response is received, the router will attempt to restart the connection.</td>
  −
    </tr>
  −
    <tr>
  −
      <td>Host</td>
  −
      <td>host | ip; default: <b>none</b></td>
  −
      <td>Hostname or IP address to which keepalive ICMP packets will be sent to.</td>
  −
    </tr>
  −
    <tr>
  −
    <td>Ping period (sec)</td>
  −
        <td>integer [0..9999999]; default: <b>none</b></td>
  −
        <td>The frequency at which keepalive ICMP packets will be sent to the specified host or IP address.</td>
   
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
 
     <td>Allow WebUI access</td>
 
     <td>Allow WebUI access</td>
 
         <td>yes | no; default: <b>no</b></td>
 
         <td>yes | no; default: <b>no</b></td>
         <td>Allows WebUI access for hosts in the VPN network.</td>
+
         <td>Allows WebUI access for hosts in the VPN network</td>
 
     </tr>
 
     </tr>
 
     <tr>
 
     <tr>
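Review bot: the new "Remote identifier" row presents "Leave empty for any" as a neutral choice, but an empty value means any identity the peer presents is accepted, so the description should recommend setting it to the expected FQDN or IP of the peer and treat the empty value as the exception. Its type column also uses "string | ip" while the adjacent "Remote VPN endpoint" row uses "host | ip"; align the two. The rewritten "Right firewall" line carries "neccessary" and "traffic of from" forward unchanged; while touching the line, make it "Adds necessary firewall rules to allow traffic from the opposite IPsec instance on this router". The removal of the DMVPN, keepalive, Host and Ping period rows is fine only if those fields are gone from the UI; otherwise they need to be restored or pointed to their new location.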
Line 161: Line 165:  
     <li>Some configuration fields become available only when certain other parameters are selected. The names of the parameters are followed by a prefix that specifies the authentication type under which they become visible. Different color codes are used for different prefixes:
 
     <li>Some configuration fields become available only when certain other parameters are selected. The names of the parameters are followed by a prefix that specifies the authentication type under which they become visible. Different color codes are used for different prefixes:
 
         <ul>
 
         <ul>
 +
            <!--<li>Green for <span style="color: #6E9710;">Authentication type: X.509</span></li>-->
 
             <li>Red for <span style="color: red;">Type: Tunnel</span></li>
 
             <li>Red for <span style="color: red;">Type: Tunnel</span></li>
 
             <li>Purple for <span style="color: purple;">Type: Transport</span></li>
 
             <li>Purple for <span style="color: purple;">Type: Transport</span></li>
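Review bot: commenting out the green X.509 legend entry (and the X.509 key and certificate rows earlier in this diff) while the "Authentication type" row still lists "Pre-shared key | X.509" leaves readers with an option that has no documented fields; either document the X.509 fields and keep the legend entry, or note in the Authentication type row that X.509 is not yet documented or not yet available, so the legend and the table agree.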