Line 32: |
Line 32: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # '''''Enable''''' instance | + | # '''''Enable''''' instance; |
− | # Authentication method - '''''Pre-shared key''''' | + | # Authentication method - '''''Pre-shared key;''''' |
− | # Pre-shared key - '''''your desired password''''' | + | # Pre-shared key - '''''your desired password;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
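Review bot: the `Authentication method` and `Pre-shared key` lines move the trailing semicolon inside the emphasis (`'''''Pre-shared key;'''''`), while the first line of the same list keeps it outside (`'''''Enable''''' instance;`); settle on one placement, preferably outside the `'''''…'''''` so the punctuation is not rendered bold italic. Since `Pre-shared key` is the only authentication method this tunnel uses, the `your desired password` item would also benefit from a clause saying the value must be entered identically on the spoke (the Line 115 hunk repeats it) and should be long and random.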
Line 49: |
Line 49: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Mode - '''Start'''; | + | # Mode - '''''Start;''''' |
− | # Type - '''Tunnel'''; | + | # Type - '''''Tunnel;''''' |
− | # Local subnet - '''0.0.0.0/.0'''; | + | # Local subnet - '''''0.0.0.0/.0;''''' |
− | # Key exchange - '''IKEv2'''; | + | # Key exchange - '''''IKEv2;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
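Review bot: `Local subnet - 0.0.0.0/.0` is not a valid prefix (stray dot before the prefix length) and this hunk only re-emphasises it instead of correcting it; the `ipsec statusall` output added further down shows the child selector as `0.0.0.0/0`, so the line should read `# Local subnet - '''''0.0.0.0/0''''';`. The same semicolon-inside-emphasis point as the Line 32 hunk applies to all four lines here.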
Line 65: |
Line 65: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # '''Enable''' Local firewall; | + | # '''''Enable''''' '''''Local firewall;''''' |
− | # Remote source IP - '''10.20.30.0/24'''; | + | # Remote source IP - '''''10.20.30.0/24;''''' |
− | # Remote DNS '''9.9.9.9'''; | + | # Remote DNS '''''9.9.9.9;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
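Review bot: `Remote DNS '''''9.9.9.9;'''''` is missing the ` - ` separator every other field in these lists uses (`Remote source IP - …`), and `'''''Enable''''' '''''Local firewall;'''''` splits one phrase into two adjacent emphasis spans; suggest `# Remote DNS - '''''9.9.9.9''''';` and `# '''''Enable Local firewall''''';`. A short clause noting that `10.20.30.0/24` is the virtual IP pool the spoke draws its address from (the status output lists it under `Virtual IP pools` and the child SA ends at `10.20.30.1/32`) would stop readers from mistaking it for a physical LAN.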
Line 82: |
Line 82: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Encryption - '''AES256'''; | + | # Encryption - '''''AES256;''''' |
− | # Authentication - '''SHA512'''; | + | # Authentication - '''''SHA512;''''' |
− | # DH group - '''ECP521'''; | + | # DH group - '''''ECP521;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
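Review bot: these values agree with the `IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521` line in the status output added below, so the only effective change here is the semicolon moving inside the emphasis; keep it outside for consistency with `'''''Enable''''' instance;` in the Line 32 hunk.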
Line 97: |
Line 97: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Encryption - '''AES128'''; | + | # Encryption - '''''AES128;''''' |
− | # Authentication - '''SHA256'''; | + | # Authentication - '''''SHA256;''''' |
− | # DH group - '''ECP521'''; | + | # DH group - '''''ECP521;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
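Review bot: nothing in this hunk labels which phase the table configures, yet the suite here (AES128/SHA256/ECP521) is lighter than the one in the Line 82 hunk (AES256/SHA512/ECP521) and corresponds to the `AES_CBC_128/HMAC_SHA2_256_128/ECP_521` child SA line in the status output, not to the IKE proposal; a one-line note (Phase 1 = IKE SA, Phase 2 = ESP child SA) would let readers match each table against the correct line of `ipsec statusall`. Semicolon placement as in the earlier hunks.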
Line 115: |
Line 115: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # '''Enable''' instance; | + | # '''''Enable''''' instance; |
− | # Remote endpoint - '''RUT1 public IP'''; | + | # Remote endpoint - '''''RUT1 public IP;''''' |
− | # Authentication method - '''Pre-shared key'''; | + | # Authentication method - '''''Pre-shared key;''''' |
− | # Pre-shared key - the '''same password''' you have '''set on''' '''RUT1''' when configuring '''HUB instance'''; | + | # Pre-shared key - the '''''same password''''' you have '''''set on''''' '''''RUT1''''' when configuring '''''HUB instance;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
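Review bot: the `Pre-shared key` line wraps individual words in separate `'''''…'''''` spans (`'''''same password''''' you have '''''set on''''' '''''RUT1'''''`), which is hard to maintain and renders unevenly; one emphasised phrase, e.g. `the '''''same password you set on RUT1 (HUB instance)''''';`, reads better. The `Remote endpoint - RUT1 public IP` item could add that this is the hub's WAN address, the one shown first under `Listening IP addresses` in the hub's status output, so the reader knows exactly which value to copy.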
Line 133: |
Line 133: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Mode - '''Start'''; | + | # Mode - '''''Start;''''' |
− | # Type - '''Tunnel'''; | + | # Type - '''''Tunnel;''''' |
− | # '''Enabled''' '''default route'''; | + | # '''''Enable''''' '''''default route;''''' |
− | # Key exchange - '''IKEv2'''; | + | # Key exchange - '''''IKEv2;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
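Review bot: the `Enabled` to `Enable` fix brings this line in line with `'''''Enable''''' instance;` in the Line 115 hunk, good; the remaining edits again move `;` inside the emphasis. Because `Enable default route` makes the spoke route all of its traffic into the tunnel (the hub's child selector in the status output is `0.0.0.0/0`), one sentence stating that consequence would help a reader decide whether a full-tunnel spoke is what they want.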
Line 150: |
Line 150: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Encryption - '''AES256'''; | + | # Encryption - '''''AES256;''''' |
− | # Authentication - '''SHA512'''; | + | # Authentication - '''''SHA512;''''' |
− | # DH group - '''ECP521'''; | + | # DH group - '''''ECP521;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
Line 165: |
Line 165: |
| <tr> | | <tr> |
| <td style="border-bottom: 4px solid white> | | <td style="border-bottom: 4px solid white> |
− | # Encryption - '''AES128'''; | + | # Encryption - '''''AES128;''''' |
− | # Authentication - '''SHA256'''; | + | # Authentication - '''''SHA256;''''' |
− | # DH group - '''ECP521'''; | + | # DH group - '''''ECP521;''''' |
| </td> | | </td> |
| </tr> | | </tr> |
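Review bot: the spoke's Phase 1 (Line 150 hunk) and Phase 2 (this hunk) tables are identical to the hub's in the Line 82 and Line 97 hunks, which is correct, but the text never says that the spoke must offer a proposal the hub accepts or the IKEv2 negotiation fails; a sentence to that effect, plus a pointer to the `IKE proposal` and child SA lines in the status output as the place to confirm which suite was actually negotiated, would make the duplication look deliberate rather than copy-paste. Semicolon placement as in the other hunks.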
| </table> | | </table> |
| + | |
| + | ==Testing configuration== |
| + | After we establish the tunnel, we may observe the following information: |
| + | ===RUT1 (HUB) side=== |
| + | ---- |
| + | Using the <pre>ipsec statusall</pre> command we can see that the tunnel has been established. |
| + | |
| + | <pre> |
| + | root@Teltonika-RUTX12:~# ipsec statusall |
| + | Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.4.231, armv7l): |
| + | uptime: 74 minutes, since Mar 21 08:52:39 2023 |
| + | worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2 |
| + | loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic |
| + | Virtual IP pools (size/online/offline): |
| + | 10.20.30.0/24: 254/1/0 |
| + | Listening IP addresses: |
| + | 84.xxx.xxx.xxx |
| + | 192.168.11.1 |
| + | fd93:51e6:6fe8::1 |
| + | Connections: |
| + | HUB-HUB_c: %any...%any IKEv2 |
| + | HUB-HUB_c: local: uses pre-shared key authentication |
| + | HUB-HUB_c: remote: uses pre-shared key authentication |
| + | HUB-HUB_c: child: 0.0.0.0/0 === dynamic TUNNEL |
| + | Security Associations (1 up, 0 connecting): |
| + | HUB-HUB_c[2]: ESTABLISHED 74 minutes ago, 84.xxx.xxx.xxx[84.xxx.xxx.xxx]...88.xxx.xxx.xxx[192.168.86.197] |
| + | HUB-HUB_c[2]: IKEv2 SPIs: ded11f31c20352dc_i 58ebc8d96264c21e_r*, pre-shared key reauthentication in 89 minutes |
| + | HUB-HUB_c[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521 |
| + | HUB-HUB_c{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c27cb140_i c7382615_o |
| + | HUB-HUB_c{3}: AES_CBC_128/HMAC_SHA2_256_128/ECP_521, 215536 bytes_i (1981 pkts, 1s ago), 126021 bytes_o (499 pkts, 1s ago), rekeying in 14 minutes |
| + | HUB-HUB_c{3}: 0.0.0.0/0 === 10.20.30.1/32 |
| + | </pre> |
| | | |
| == See also == | | == See also == |
| | | |
| == External links == | | == External links == |
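Review bot: `Using the <pre>ipsec statusall</pre> command we can see …` puts a block-level `<pre>` inside a sentence, which MediaWiki renders as a separate box that splits the sentence; use `<code>ipsec statusall</code>` there and keep `<pre>` for the output block only. The `===RUT1 (HUB) side===` heading implies a matching spoke-side section, but none is added; the reader should at least be told what to check on the spoke. It would also help to say which lines of the output confirm success: `Security Associations (1 up, 0 connecting)`, `ESTABLISHED` on the IKE SA, `INSTALLED, TUNNEL` on the child SA, the `ESP in UDP` marker showing the spoke (`88.xxx.xxx.xxx[192.168.86.197]`) is behind NAT and using UDP encapsulation, and `0.0.0.0/0 === 10.20.30.1/32` showing the spoke received the first address from the `10.20.30.0/24` pool configured in the Line 65 hunk. Minor: the sentence opens with "we may observe" and the next one with "we can see"; pick one.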