Changes

no edit summary
Line 444: Line 444:  
[[File:{{{file_ipsec_config}}}]]
 
[[File:{{{file_ipsec_config}}}]]
    +
<table class="nd-mantable">
 +
    <tr>
 +
        <th>Field name</th>
 +
      <th>Value</th>
 +
      <th>Description</th>
 +
    </tr>
 +
    <tr>
 +
    <td>Enable</td>
 +
        <td>yes | no; Default: <b>no</b></td>
 +
        <td>Turns the IPsec instance ON or OFF</td>
 +
    </tr>
 +
    <tr>
 +
    <td>IKE version</td>
 +
        <td>IKEv1 | IKEv2; Default: <b>IKEv1</b></td>
 +
        <td>Internet Key Exchange (IKE) version used for key exchange.</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Mode</td>
 +
      <td>Main | Aggressive; Default: <b>Main</b></td>
 +
      <td>Internet Security and Key Management Protocol (ISAKMP) phase 1 exchange mode.
 +
            <ul>
 +
                <li><b>Main</b> - performs three two-way exchanges between the initiator and the receiver (a total of 9 messages). </li>
 +
                <li><b>Aggressive</b> - performs fewer exchanges than main mode (a total of 6 messages) by storing most data into the first exchange. In aggressive mode, the information is exchanged before there is a secure channel, making it less secure but faster than main mode.</li>
 +
            <ul>
 +
        </td>
 +
    </tr>
 +
    <tr>
 +
      <td>Type</td>
 +
      <td>Tunnel | Transport; Default: <b>Tunnel</b></td>
 +
      <td>Type of connection.
 +
            <ul>
 +
                <li><b>Tunnel</b> - protects internal routing information by encapsulating the entire IP packet (IP header and payload); is commonly used in site-to-site VPN connections; supports NAT traversal.</li>
 +
                <li><b>Transport</b> - only encapsulates IP payload data; is use client-to-site VPN connections; does not support NAT traversal; usually implemented with other tunneling protocols (for instance, L2TP).</li>
 +
            </ul>
 +
        </td>
 +
    </tr>
 +
    <tr>
 +
    <td>My identifier type</td>
 +
        <td>Address | FQDN | User FQDN; Default: <b>FQDN</b></td>
 +
        <td></td>
 +
    </tr>
 +
    <tr>
 +
    <td>On startup</td>
 +
        <td>Ignore | Add | Route | Start; Default: <b>Start</b></td>
 +
        <td></td>
 +
    </tr>
 +
    <tr>
 +
    <td>My identifier</td>
 +
        <td>string; Default: <b>none</b></td>
 +
        <td>In case RUT has a Private IP, its identifier should be its own LAN network address. In this way, the Road Warrior approach is possible</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Local IP address/Subnet mask</td>
 +
      <td>ip/netmask | Default: <b>none</b></td>
 +
      <td>Local IP address and subnet mask used to determine which part of the network can be accessed. Netmask range [0..32]. If left empty, IP address will be selected automatically</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Left firewall</td>
 +
      <td>yes | no; Default: <b>yes</b></td>
 +
      <td>Excludes IPsec tunnel from firewall rules</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Force encapsulation</td>
 +
        <td>yes | no; Default: <b>no</b></td>
 +
        <td>Forces UDP encapsulation for ESP packets even if no NAT situation is detected</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Dead Peer Detection</td>
 +
        <td>yes | no; Default: <b>no</b></td>
 +
        <td>The values 'clear', 'hold' and 'restart' all activate DPD</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Remote VPN endpoint</td>
 +
      <td>host | ip; Default: <b>none</b></td>
 +
      <td>IP address or hostname of the remote IPsec instance</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Remote IP address/subnet mask</td>
 +
        <td>ip/netmask; Default: <b>none</b></td>
 +
        <td>Remote network IP address and subnet mask used to determine which part of the network can be accessed. Netmask range [0..32]. This values must differ from the device’s LAN IP</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Right firewall</td>
 +
        <td>yes | no; Default: <b>yes</b></td>
 +
        <td>Excludes remote side IPsec tunnel from firewall rules</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Enable keepalive</td>
 +
      <td>yes | no; Default: <b>no</b></td>
 +
      <td>Toggles the tunnel's keep alive function ON or OFF. When enabled, the instance sends ICMP packets to the specified host at the specified frequency. If no response is received, the instance attempts to restart the connection</td>
 +
    </tr>
 +
    <tr>
 +
      <td>Host</td>
 +
      <td>host | ip; Default: <b>none</b></td>
 +
      <td>Hostname or IP address to which ICMP packets will be sent to. Best to use a hostname/IP address belonging to the opposite instance's LAN</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Ping period (sec)</td>
 +
        <td>integer [0..9999999]; Default: <b>none</b></td>
 +
        <td>The period (in seconds) at which ICMP packets will be sent to the specified keep alive host</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Allow WebUI access</td>
 +
        <td>yes | no; Default: <b>no</b></td>
 +
        <td>Allows WebUI access for hosts from the opposite instance</td>
 +
    </tr>
 +
    <tr>
 +
    <td>Custom options</td>
 +
        <td>ipsec options; Default: <b>none</b></td>
 +
        <td>Provides the possibility to further customize the connection by adding extra IPsec options</td>
 +
    </tr>
 +
</table>
    
===Phase settings===
 
===Phase settings===
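Review bot: the Mode row's description list is never closed: the second `<ul>` after the Aggressive item should be `</ul>`, otherwise the list stays open inside the `<td>` and the remainder of the table renders incorrectly (the Type row closes its list properly and can serve as the model). In the same row, "three two-way exchanges" is six messages, so the "total of 9 messages" for Main mode (and 6 for Aggressive) only adds up if the three quick-mode messages of phase 2 are being counted; either state that explicitly or give the phase 1 counts alone, since the cell describes the phase 1 exchange mode. The Dead Peer Detection row gives the value as "yes | no; Default: no" but its description speaks of the values 'clear', 'hold' and 'restart'; the value column and the description need to agree, and the description should say what the setting does (detecting an unresponsive peer and what happens to the tunnel when one is found) rather than only which values activate it. The "My identifier type" and "On startup" rows have empty description cells. Smaller fixes: "is use client-to-site VPN connections" should read "is used in client-to-site VPN connections"; "This values must differ" should be "This value must differ"; the Local IP address/Subnet mask row uses "ip/netmask | Default:" where every other row uses a semicolon before "Default:"; and the Left firewall / Right firewall descriptions ("Excludes IPsec tunnel from firewall rules") are ambiguous about whether the option exempts tunnel traffic from the device's firewall rules or adds rules that admit it, which is the detail a reader configuring the tunnel needs.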
