Template: Web ipsec: Differences between revisions
From Elproma Wiki Knowledge Base
Linia 28: | Linia 28: | ||
|} | |} | ||
[[File:web_vpnipsect.png| | [[File:web_vpnipsect.png|400px|border|class=tlt-border]] | ||
===Advanced tunnel configuration=== | ===Advanced tunnel configuration=== | ||
Linia 122: | Linia 122: | ||
|} | |} | ||
[[File:web_vpnipsecconfc.png| | [[File:web_vpnipsecconfc.png|400px|border|class=tlt-border]] | ||
===Additional settings=== | ===Additional settings=== | ||
Linia 181: | Linia 181: | ||
|} | |} | ||
[[File:web_vpnipsecconfa.png| | [[File:web_vpnipsecconfa.png|400px|border|class=tlt-border]] | ||
[[Category:{{{model}}} User Manual]] | [[Category:{{{model}}} User Manual]] |
Revision as of 12:58, 4 Nov 2022
The IPsec page of the {{{model}}} router is used to configure IPsec tunnels.
Tunnels Configuration
In the Tunnels Configuration part you can add, edit or delete an IPsec tunnel. To add a new tunnel, use the Add button.
Tunnel details
Name | Value | Description |
---|---|---|
Local LAN | ||
Remote LAN | ||
Version of IKE to negotiation | IKEv2, IKEv1 or IKEv1 + IKEv2. Default: IKEv2 |
Advanced tunnel configuration
Name | Value | Description |
---|---|---|
crypto_proposal | list | List of ESP (phase two) proposals |
Local NAT | IPv4 in CIDR format | NAT range for tunnels with overlapping IP addresses |
startaction | route, start or none | Action on initial configuration load (none, start, route) |
updown | file | Path to script to run on CHILD_SA up/down events |
lifetime | | Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime) |
rekeytime | | Duration of the CHILD_SA before rekeying |
dpdaction | none, clear, hold, restart, trap or start | Action done when DPD timeout occurs |
closeaction | add, route, start, none or trap | Action done when CHILD_SA is closed |
if_id | | XFRM interface ID set on input and output interfaces (should be coordinated with “ifid” values in route entries on “xfrm” interfaces) |
priority | integer equal to or higher than 0 | Priority of the CHILD_SA |
ipcomp | On/Off, default: Off | Enable ipcomp compression |
hw_offload | On/Off, default: Off | Enable H/W offload |
IPsec Configuration
Connection details
Name | Value | Description |
---|---|---|
Remote VPN endpoint | ||
tunnel | ||
Enabled | ||
Authentication method | Pre-shared key or X.509. Default: Pre-shared key | |
Preshared Key |
Additional settings
Name | Value | Description |
---|---|---|
local gateway | | IP address or FQDN of the tunnel local endpoint |
local source ip | | Virtual IP(s) to request in IKEv2 configuration payload requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode) |
local ip | | Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may be subnets or CIDRs) |
local id | | Local identifier for IKE (phase 1) |
remote id | | Remote identifier for IKE (phase 1) |
keyingretries | | Number of retransmissions to attempt during initial negotiation (default 3) |
dpd delay | | Liveness interval for IKE (default 30s) |
inactivity | | Interval before closing an inactive CHILD_SA |
fragmentation | yes, accept, force or no. Default: yes | Use IKE fragmentation |
mobike | | Enable MOBIKE on IKEv2 (default = yes) |
rekeytime | | IKEv2 interval to refresh keying material; also used to compute lifetime |
overtime | | Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime) |
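
A check of one tunnel's settings against the value lists and timer defaults given in the tables above, as an added example that is not Elproma's code. The dict keys (including `ike_version` and `ike_rekeytime`), the duration suffixes other than `s`, and the sample values are assumptions made for illustration.

```python
import re

# Allowed values copied from the tables on this page; the dict keys are
# hypothetical names chosen for this example, not the router's storage format.
ALLOWED = {
    "ike_version": {"IKEv2", "IKEv1", "IKEv1 + IKEv2"},
    "startaction": {"route", "start", "none"},
    "dpdaction": {"none", "clear", "hold", "restart", "trap", "start"},
    "closeaction": {"add", "route", "start", "none", "trap"},
    "fragmentation": {"yes", "accept", "force", "no"},
}
# Assumed duration suffixes; the page itself only shows "30s".
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def seconds(value):
    """Convert '30s', '10m', '1h', '1d' or a bare number to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", str(value).strip())
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_tunnel(cfg):
    """Return (problems, effective_timers) for one tunnel's settings."""
    problems = [
        f"{key}: {cfg[key]!r} is not one of {sorted(allowed)}"
        for key, allowed in ALLOWED.items()
        if key in cfg and cfg[key] not in allowed
    ]
    if int(cfg.get("priority", 0)) < 0:
        problems.append("priority: must be an integer equal to or higher than 0")
    timers = {}
    if "rekeytime" in cfg:  # CHILD_SA timers (Advanced tunnel configuration)
        rekey = seconds(cfg["rekeytime"])
        life = seconds(cfg["lifetime"]) if "lifetime" in cfg else rekey * 110 // 100
        timers.update(child_rekeytime=rekey, child_lifetime=life)
        if life <= rekey:
            problems.append("lifetime: CHILD_SA would close before it is rekeyed")
    if "ike_rekeytime" in cfg:  # IKE timers (Additional settings)
        rekey = seconds(cfg["ike_rekeytime"])
        over = seconds(cfg["overtime"]) if "overtime" in cfg else rekey * 10 // 100
        timers.update(ike_rekeytime=rekey, ike_overtime=over)
    return problems, timers


# Constructed sample: one bad enum value and a lifetime shorter than rekeytime.
SAMPLE = {"ike_version": "IKEv2", "dpdaction": "reboot", "rekeytime": "1h",
          "lifetime": "30m", "ike_rekeytime": "4h"}
```

Calling `check_tunnel(SAMPLE)` reports the unknown `dpdaction` value and the lifetime that is shorter than the rekey interval, and returns the timers in seconds with the documented defaults filled in.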
[[Category:{{{model}}} User Manual]]