Difference between revisions of "Template:Networking rut2xx manual vpn ipsec"
From Teltonika Networks Wiki
(Created page with "==IPsec== To create a new IPsec instance, go to the <i>Services → VPN → IPsec</i> section, enter a custom name and click "Add". An IPsec instance with the given name will...") |
Gytispieze (talk | contribs) |
||
| (8 intermediate revisions by 4 users not shown) | |||
| Line 9: | Line 9: | ||
The <b>IPsec configuration</b> section is used to configure the main parameters of an IPsec connection. Refer to the figure and table below for information on the configuration fields located in the general settings section. | The <b>IPsec configuration</b> section is used to configure the main parameters of an IPsec connection. Refer to the figure and table below for information on the configuration fields located in the general settings section. | ||
| − | [[File:{{{file_ipsec_config}}}]] | + | [[File:{{{file_ipsec_config}}}|border|class=tlt-border]] |
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
| Line 20: | Line 20: | ||
<td>Enable</td> | <td>Enable</td> | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
| − | <td>Turns the IPsec instance on or off | + | <td>Turns the IPsec instance on or off</td> |
</tr> | </tr> | ||
| + | <tr> | ||
| + | <td>Enable IPv6</td> | ||
| + | <td>yes | no; default: <b>no</b></td> | ||
| + | <td>Turns the IPv6 address of the left interface on or off</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td>Left IPv6</td> | ||
| + | <td>IPv6 address; default: <b>none</b></td> | ||
| + | <td>IPv6 address used as the source. If left empty, uses one of the available global addresses.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td>Authentication type</td> | ||
| + | <td>Pre-shared key | X.509; default: <b>Pre-shared key</b></td> | ||
| + | <td>Authentication type accordingly to your IPsec configuration. IPsec </td> | ||
| + | </tr> | ||
| + | <!-- | ||
| + | <tr> | ||
| + | <td><span style="color: #6E9710;">X.509:</span> Key file</td> | ||
| + | <td>.key file; default: <b>none</b></td> | ||
| + | <td>Authenticates to the server and establishes precisely who they are.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td><span style="color: #6E9710;">X.509:</span> Certificate file</td> | ||
| + | <td>.crt file; default: <b>none</b></td> | ||
| + | <td></td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td><span style="color: #6E9710;">X.509:</span> Remote endpoint certificate</td> | ||
| + | <td>.crt file; default: <b>none</b></td> | ||
| + | <td></td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td><span style="color: #6E9710;">X.509:</span> CA certificate</td> | ||
| + | <td>.ca file; default: <b>none</b></td> | ||
| + | <td>CA certificate issued by Certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td> | ||
| + | </tr> | ||
| + | --> | ||
<tr> | <tr> | ||
<td>IKE version</td> | <td>IKE version</td> | ||
<td>IKEv1 | IKEv2; default: <b>IKEv1</b></td> | <td>IKEv1 | IKEv2; default: <b>IKEv1</b></td> | ||
| − | <td>Internet Key Exchange (IKE) version used for key exchange | + | <td>Internet Key Exchange (IKE) version used for key exchange |
<ul> | <ul> | ||
<li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li> | <li><b>IKEv1</b> - more commonly used but contains known issues, for example, dealing with NAT.</li> | ||
| − | <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection) | + | <li><b>IKEv2</b> - updated version with increased and improved capabilities, such as integrated NAT support, supported multihosting, deprecated exchange modes (does not use main or aggressive mode; only 4 messages required to establish a connection)</li> |
</ul> | </ul> | ||
</td> | </td> | ||
| Line 38: | Line 75: | ||
<ul> | <ul> | ||
<li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li> | <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages).</li> | ||
| − | <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode | + | <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode</li> |
</ul> | </ul> | ||
</td> | </td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td>Ignore security</td> | ||
| + | <td>yes | no; default: <b>no</b></td> | ||
| + | <td>If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared keys. Discouraged to use due to security concerns.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td>Use additional xauth authentification</td> | ||
| + | <td><span style="color:tomato; font-weight:bold;">yes</span> | no; default: <b>no</b></td> | ||
| + | <td>Turns additional xauth authentification for this instance on or off.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td><span style="color:tomato; font-weight:bold;">Xauth password</span></td> | ||
| + | <td>string; default: <b>none</b></td> | ||
| + | <td>Password for xauth.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
| Line 51: | Line 103: | ||
</ul> | </ul> | ||
</td> | </td> | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
<tr> | <tr> | ||
<td>On startup</td> | <td>On startup</td> | ||
| Line 68: | Line 108: | ||
<td>Defines how the instance should act on router startup. | <td>Defines how the instance should act on router startup. | ||
<ul> | <ul> | ||
| − | |||
<li><b>Add</b> - loads a connection without starting it.</li> | <li><b>Add</b> - loads a connection without starting it.</li> | ||
<li><b>Route</b> - starts the tunnel only if there is traffic.</li> | <li><b>Route</b> - starts the tunnel only if there is traffic.</li> | ||
| Line 113: | Line 152: | ||
<td>Remote VPN endpoint</td> | <td>Remote VPN endpoint</td> | ||
<td>host | ip; default: <b>none</b></td> | <td>host | ip; default: <b>none</b></td> | ||
| − | <td>IP address or hostname of the remote IPsec instance | + | <td>IP address or hostname of the remote IPsec instance</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td><span style="color: red;">Tunnel:</span> Remote IP address/ | + | <td>Remote identifier</td> |
| + | <td>string | ip; default: <b>none</b></td> | ||
| + | <td>FQDN or IP address of remote peer. Leave empty for any</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td><span style="color: red;">Tunnel:</span> Remote IP address/Subnet mask</td> | ||
<td>ip/netmask; default: <b>none</b></td> | <td>ip/netmask; default: <b>none</b></td> | ||
| − | <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP | + | <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP</td> |
| + | </tr> | ||
| + | <tr> | ||
| + | <td>Passthrough networks</td><td>None | LAN | Wired | WiFi | Mobile | custom; default: '''none'''</td> | ||
| + | <td>Select networks which should be passthrough and excluded from routing through tunnel</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Right firewall</td> | <td>Right firewall</td> | ||
<td>yes | no; default: <b>yes</b></td> | <td>yes | no; default: <b>yes</b></td> | ||
| − | <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router | + | <td>Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td> | + | <td>Allow WebUI access</td> |
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
| − | <td> | + | <td>Allows WebUI access for hosts in the VPN network</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | + | <td>Compatibility mode</td> | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | <td> | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
| − | <td> | + | <td>Enable this if multiple subnets do not work with a 3rd party IPsec peer.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| Line 159: | Line 192: | ||
<b>Additional notes</b>: | <b>Additional notes</b>: | ||
<ul> | <ul> | ||
| − | <li>Some configuration fields become available only when certain other parameters are selected | + | <li>Some configuration fields become available only when certain other parameters are selected. Different color codes are used for different parameters: |
<ul> | <ul> | ||
| + | <!--<li>Green for <span style="color: #6E9710;">Authentication type: X.509</span></li>--> | ||
<li>Red for <span style="color: red;">Type: Tunnel</span></li> | <li>Red for <span style="color: red;">Type: Tunnel</span></li> | ||
<li>Purple for <span style="color: purple;">Type: Transport</span></li> | <li>Purple for <span style="color: purple;">Type: Transport</span></li> | ||
| Line 260: | Line 294: | ||
===Pre-shared keys=== | ===Pre-shared keys=== | ||
---- | ---- | ||
| − | A <b>pre-shared key</b> is a secret password used for authentication between IPsec peers before a secure tunnel is established. To create a new key, click the 'Add' button. | + | A <b>pre-shared key</b> is a secret password used for authentication between IPsec peers |
| + | before a secure tunnel is established. During authentication device will try to check if | ||
| + | connection matches any <b>Secret's ID selector</b> and then the <b>pre-shared key</b> from | ||
| + | the first match will be used. | ||
| + | |||
| + | To create a new key, click the 'Add' button. | ||
| − | The figure below is an example of the Pre-shared keys section and the table below provides information on configuration fields contained in that section: | + | The figure below is an example of the Pre-shared keys section and the table |
| + | below provides information on configuration fields contained in that section: | ||
[[File:{{{file_ipsec_psk}}}]] | [[File:{{{file_ipsec_psk}}}]] | ||
Latest revision as of 08:48, 19 August 2021
IPsec
To create a new IPsec instance, go to the Services → VPN → IPsec section, enter a custom name and click "Add". An IPsec instance with the given name will appear in the "IPsec Configuration" list.
To begin configuration, click the 'Edit' button located next to the instance.
IPsec configuration
The IPsec configuration section is used to configure the main parameters of an IPsec connection. Refer to the figure and table below for information on the configuration fields located in the general settings section.
[[File:{{{file_ipsec_config}}}|border|class=tlt-border]]
| Field | Value | Description |
|---|---|---|
| Enable | yes | no; default: no | Turns the IPsec instance on or off |
| Enable IPv6 | yes | no; default: no | Turns the IPv6 address of the left interface on or off |
| Left IPv6 | IPv6 address; default: none | IPv6 address used as the source. If left empty, uses one of the available global addresses. |
| Authentication type | Pre-shared key | X.509; default: Pre-shared key | Authentication type accordingly to your IPsec configuration. IPsec |
| IKE version | IKEv1 | IKEv2; default: IKEv1 | Internet Key Exchange (IKE) version used for key exchange
|
| Mode | Main | Aggressive; default: Main | Internet Security and Key Management Protocol (ISAKMP) phase 1 exchange mode.
|
| Ignore security | yes | no; default: no | If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared keys. Discouraged to use due to security concerns. |
| Use additional xauth authentification | yes | no; default: no | Turns additional xauth authentification for this instance on or off. |
| Xauth password | string; default: none | Password for xauth. |
| Type | Tunnel | Transport; default: Tunnel | Type of connection.
|
| On startup | Ignore | Add | Route | Start; default: Start | Defines how the instance should act on router startup.
|
| My identifier | ip | string; default: none | Defines how the user (IPsec instance) will be identified during authentication. |
| Tunnel: Local IP address/Subnet mask | ip/netmask | default: none | Local IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. If left empty, IP address will be selected automatically. |
| Left firewall | off | on; default: on | Adds neccessary firewall rules to allow traffic of this IPsec instance on this router. |
| Force encapsulation | yes | no; default: no | Forces UDP encapsulation for ESP packets even if a "no NAT" situation is detected. |
| Dead Peer Detection | yes | no; default: no | A function used during Internet Key Exchange (IKE) to detect a "dead" peer. It used to reduce traffic by minimizing the number of messages when the opposite peer in unavailable and as failover mechanism. |
| Dead Peer Detection: Delay (sec) | integer; default: none | The frequency of checking whether a peer is still availaible or not. |
| Dead Peer Detection: Timeout (sec) | integer; default: none | Time limit after which the IPsec instance will stop checking the availability of a peer and determine it to be "dead" if no response is received. |
| Remote VPN endpoint | host | ip; default: none | IP address or hostname of the remote IPsec instance |
| Remote identifier | string | ip; default: none | FQDN or IP address of remote peer. Leave empty for any |
| Tunnel: Remote IP address/Subnet mask | ip/netmask; default: none | Remote network IP address and subnet mask used to determine which part of the network can be accessed in the VPN network. Netmask range [0..32]. This value must differ from the device’s LAN IP |
| Passthrough networks | None | LAN | Wired | WiFi | Mobile | custom; default: none | Select networks which should be passthrough and excluded from routing through tunnel |
| Right firewall | yes | no; default: yes | Adds neccessary firewall rules to allow traffic of from the opposite IPsec instance on this router |
| Allow WebUI access | yes | no; default: no | Allows WebUI access for hosts in the VPN network |
| Compatibility mode | yes | no; default: no | Enable this if multiple subnets do not work with a 3rd party IPsec peer. |
| Custom options | ipsec options; default: none | Provides the possibility to further customize the connection by adding extra IPsec options. |
Additional notes:
- Some configuration fields become available only when certain other parameters are selected. Different color codes are used for different parameters:
- Red for Type: Tunnel
- Purple for Type: Transport
- Blue for Dead Peer Detection: Enabled
- After changing any of the parameters, don't forget to click the Save button located at the bottom-right side of the page.
Phase settings
IKE (Internet Key Exchange) is a protocol used to set up security associations (SAs) for the IPsec connection. This process is required before the IPsec tunnel can be established. It is done in two phases:
| Phase | Mode | |
|---|---|---|
Phase 1
|
Main mode (figure 1)
|
Aggressive mode (figure 2)
|
Phase 2
|
Quick mode
|
|
| Figure 1 | Figure 2 |
| [[File:{{{file_ipsec_main_mode}}}]] | [[File:{{{file_ipsec_aggressive_mode}}}]] |
[[File:{{{file_ipsec_phase}}}]]
| Field | Value | Description |
|---|---|---|
| Encryption algorithm | DES | 3DES | AES128 | AES192 | AES256; default: 3DES | Algorithm used for data encryption. |
| Authentication/Hash algorithm | MD5 | SHA1 | SHA256 | SHA384 | SHA512; default: SHA1 | Algorithm used for exchanging authentication and hash information. |
| DH group/PFS group | MODP768 | MODP1024 | MODP1536 | MODP2048 | MODP3072 | MODP4096; default: MODP1536 | Diffie-Hellman (DH) group used in the key exchange process. Higher group numbers provide more security, but take longer and use more resources to compute the key. |
| Lifetime | integer; default: 8 hours | Defines a time period after which the phase will re-initiate its exchange of information. |
A pre-shared key is a secret password used for authentication between IPsec peers before a secure tunnel is established. During authentication device will try to check if connection matches any Secret's ID selector and then the pre-shared key from the first match will be used.
To create a new key, click the 'Add' button.
The figure below is an example of the Pre-shared keys section and the table below provides information on configuration fields contained in that section:
[[File:{{{file_ipsec_psk}}}]]
| Field | Value | Description |
|---|---|---|
| Pre-shared key | string; default: none | A shared password used for authentication between IPsec peers before a secure channel is established. |
| Secret's ID selector | string; default: none | Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. NOTE: IKEv1 only supports IP address ID selector. |
