| Line 342: |
Line 342: |
| | [[File:Services vpn ipsec v 2.png]] | | [[File:Services vpn ipsec v 2.png]] |
| | | | |
| − | {| class="wikitable"
| + | <table class="nd-mantable"> |
| − | |+
| + | <tr> |
| − | ! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | FIELD NAME
| + | <th>field name</th> |
| − | ! style="width: 250px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | VALUE
| + | <th>value</th> |
| − | ! style="width: 579px; border: 1px solid white; border-bottom: 2px solid #0054A6; background: white; color: #0054A6; text-align: left;" | DESCRIPTION
| + | <th>description</th> |
| − | |-
| + | </tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable | + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
| + | <td>Enable</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the IPsec instance ON or OFF
| + | <td>yes {{!}} no; Default: '''no'''</td> |
| − | |-
| + | <td>Toggles the IPsec instance ON or OFF</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | IKE version | + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | IKEv1 {{!}} IKEv2; Default: '''IKEv1'''
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Method of key exchange
| + | <td>IKE version</td> |
| − | |- | + | <td>IKEv1 {{!}} IKEv2; Default: '''IKEv1'''</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Mode
| + | <td>Method of key exchange</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Main {{!}} Aggressive; Default: '''Main'''
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ISAKMP phase 1 exchange mode
| + | <tr> |
| − | |-
| + | <td>Mode</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Type | + | <td>Main {{!}} Aggressive; Default: '''Main'''</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Tunnel {{!}} Transport; Default: '''Tunnel'''
| + | <td>ISAKMP phase 1 exchange mode</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Type of connection. <br> '''Tunnel''': protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers. NAT traversal is supported with the tunnel mode. <br> '''Transport''': encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]] (click '''[[L2TP over IPsec|here]]''' for a configuration example on '''L2TP over IPsec''')) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.
| + | </tr> |
| − | |-
| + | <tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | My identifier type
| + | <td>Type</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Address {{!}} FQDN {{!}} User FQDN; Default: '''FQDN'''
| + | <td>Tunnel {{!}} Transport; Default: '''Tunnel'''</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Type of connection
| + | <td>Type of connection. <br> '''Tunnel''': protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by a another set of IP headers. NAT traversal is supported with the tunnel mode. <br> '''Transport''': encrypts only the payload and Encapsulating Security Payload (ESP) trailer; so the IP header of the original packet is not encrypted. Transport mode is usually used when another tunneling protocol (such as [[VPN#GRE_Tunnel|GRE]], [[VPN#L2TP|L2TP]] (click '''[[L2TP over IPsec|here]]''' for a configuration example on '''L2TP over IPsec''')) is used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel packets. NAT traversal is not supported with the transport mode.</td> |
| − | |-
| + | </tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | My identifier
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | string; Default: " "
| + | <td>My identifier type</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | In case RUT has a Private IP, its identifier should be its own LAN network address. In this way, the Road Warrior approach is possible
| + | <td>Address {{!}} FQDN {{!}} User FQDN; Default: '''FQDN'''</td> |
| − | |-
| + | <td>Type of connection</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Local IP address/Subnet mask
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ip/netmask {{!}} Default: " "
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Local network secure group IP address and mask used to determine at what subnet an IP address can be accessed. Netmask range [0 - 32]. If left empty IP address will be selected automatically
| + | <td>My identifier</td> |
| − | |-
| + | <td>string; Default: " "</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Left firewall | + | <td>In case RUT has a Private IP, its identifier should be its own LAN network address. In this way, the Road Warrior approach is possible</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''yes'''
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Excludes IPsec tunnel from firewall rules
| + | <tr> |
| − | |-
| + | <td>Local IP address/Subnet mask</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Force encapsulation
| + | <td>ip/netmask {{!}} Default: " "</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
| + | <td>Local network secure group IP address and mask used to determine at what subnet an IP address can be accessed. Netmask range [0 - 32]. If left empty IP address will be selected automatically</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Forces UDP encapsulation for ESP packets even if no NAT situation is detected
| + | </tr> |
| − | |-
| + | <tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Dead Peer Detection
| + | <td>Left firewall</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
| + | <td>yes {{!}} no; Default: '''yes'''</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The values 'clear', 'hold' and 'restart' all activate DPD
| + | <td>Excludes IPsec tunnel from firewall rules</td> |
| − | |-
| + | </tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Pre-shared key
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | string; Default: " "
| + | <td>Force encapsulation</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | A shared password used for authentication between the peers
| + | <td>yes {{!}} no; Default: '''no'''</td> |
| − | |-
| + | <td>Forces UDP encapsulation for ESP packets even if no NAT situation is detected</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Remote VPN endpoint
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | host {{!}} ip; Default: " "
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | IP address or hostname of the remote IPsec instance
| + | <td>Dead Peer Detection</td> |
| − | |-
| + | <td>yes {{!}} no; Default: '''no'''</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Remote IP address/subnet mask
| + | <td>The values 'clear', 'hold' and 'restart' all activate DPD</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | ip/integer [0..32]; Default: " "
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Remote network secure group IP address and mask used to determine to what subnet an IP address belongs to. Should differ from device’s LAN IP
| + | <tr> |
| − | |-
| + | <td>Pre-shared key</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Right firewall
| + | <td>string; Default: " "</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''yes'''
| + | <td>A shared password used for authentication between the peers</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Excludes remote side IPsec tunnel from firewall rules
| + | </tr> |
| − | |-
| + | <tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Enable keep alive
| + | <td>Remote VPN endpoint</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
| + | <td>host {{!}} ip; Default: " "</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Toggles the tunnel's keep alive function ON or OFF. When enabled, the instance sends ICMP packets to the specified host at the specified frequency. If no response is received, the instance attempts to restart the connection
| + | <td>IP address or hostname of the remote IPsec instance</td> |
| − | |-
| + | </tr> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Host
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | host {{!}} ip; Default: " "
| + | <td>Remote IP address/subnet mask</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Hostname or IP address to which ICMP packets will be sent to. Best to use a hostname/IP address belonging to the opposite instance's LAN
| + | <td>ip/integer [0..32]; Default: " "</td> |
| − | |-
| + | <td>Remote network secure group IP address and mask used to determine to what subnet an IP address belongs to. Should differ from device’s LAN IP</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Ping period (sec)
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | integer [0..9999999]; Default: " "
| + | <tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | The period (in seconds) at which ICMP packets will be sent to the specified keep alive host
| + | <td>Right firewall</td> |
| − | |-
| + | <td>yes {{!}} no; Default: '''yes'''</td> |
| − | ! style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Allow WebUI access
| + | <td>Excludes remote side IPsec tunnel from firewall rules</td> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | yes {{!}} no; Default: '''no'''
| + | </tr> |
| − | | style="border: 1px solid white; border-bottom: 2px solid #E8E8E8; text-align: left; vertical-align: top; background: white;" | Allows WebUI access for hosts from the opposite instance
| + | <tr> |
| − | |-
| + | <td>Enable keep alive</td> |
| − | |}
| + | <td>yes {{!}} no; Default: '''no'''</td> |
| | + | <td>Toggles the tunnel's keep alive function ON or OFF. When enabled, the instance sends ICMP packets to the specified host at the specified frequency. If no response is received, the instance attempts to restart the connection</td> |
| | + | </tr> |
| | + | <tr> |
| | + | <td>Host</td> |
| | + | <td>host {{!}} ip; Default: " "</td> |
| | + | <td>Hostname or IP address to which ICMP packets will be sent to. Best to use a hostname/IP address belonging to the opposite instance's LAN</td> |
| | + | </tr> |
| | + | <tr> |
| | + | <td>Ping period (sec)</td> |
| | + | <td>integer [0..9999999]; Default: " "</td> |
| | + | <td>The period (in seconds) at which ICMP packets will be sent to the specified keep alive host</td> |
| | + | </tr> |
| | + | <tr> |
| | + | <td>Allow WebUI access</td> |
| | + | <td>yes {{!}} no; Default: '''no'''</td> |
| | + | <td>Allows WebUI access for hosts from the opposite instance</td> |
| | + | </tr> |
| | + | </table> |
| | | | |
| | ===Phase 1/Phase 2=== | | ===Phase 1/Phase 2=== |