RBMTX-Lite IPsec
Z Elproma Wiki Knowledge Base
The IPSec page of RBMTX-Lite {{{type}}} is used to configure IPSec tunnel.
Tunnels Configuration
In Tunnels Configuration part you can add, edit or delete IPSec tunnel. To add new tunnel use Add button.
Tunnel details
| Name | Value | Description |
|---|---|---|
| Local LAN | ||
| Remote LAN | ||
| Version of IKE to negotiation | IKEv2, IKEv1 or IKEv1 + IKEv2. Default: IKEv2 |
Advanced tunnel configuration
| Name | Value | Description |
|---|---|---|
| crypto_proposal | list | List of ESP (phase two) proposals |
| Local NAT | IPv4 in CIDR format | NAT range for tunnels with overlapping IP addresses |
| startaction | route, start or none | Action on initial configuration load (none, start, route) |
| updown | file | Path to script to run on CHILD_SA up/down events |
| lifetime | Maximum duration of the CHILD_SA before closing (defaults to 110% of rekeytime) | |
| rekeytime | Duration of the CHILD_SA before rekeying | |
| dpdaction | none, clear, hold, restart, trap or start | Action done when DPD timeout occurs |
| closeaction | add, route, start, none or trap | Action done when CHILD_SA is closed |
| if_id | XFRM interface ID set on input and output interfaces (should be coordinated with “ifid” values in route entries on “xfrm” interfaces | |
| priority | integer equal or higher than 0 | Priority of the CHILD_SA |
| ipcomp | On/Off, default: Off | Enable ipcomp compression |
| hw_offload | On/Off, default: Off | Enable H/W offload |
IPSec Configuration
Connection details
| Name | Value | Description |
|---|---|---|
| Remote VPN endpoint | ||
| tunnel | ||
| Enabled | ||
| Authentication method | Pre-shared key or X.509. Default: Pre-shared key | |
| Preshared Key |
Additional settings
| Name | Value | Description |
|---|---|---|
| local gateway | IP address or FQDN of the tunnel local endpoint | |
| local source ip | Virtual IP(s) to request in IKEv2 configuration payloads requests, or in IKEv1 mode config (enables sending them/initiating it instead of quick mode | |
| local ip | Local address(es) to use in IKE negotiation when initiating; for responding, enumerates addresses we can negotiate from (and may by subnets or CIDRs) | |
| local id | Local identifier for IKE (phase 1) | |
| remote id | Remote identifier for IKE (phase 1) | |
| keyingretries | Number of retransmissions to attempt during initial negotiation (default 3) | |
| dpd delay | Liveness interval for IKE (default 30s) | |
| inactivity | Interval before closing an inactive CHILD_SA | |
| fragmentation | yes, accept, force or no. Default: yes | Use IKE fragmentation |
| mobike | Enable MOBIKE on IKEv2 (default = yes) | |
| rekeytime | IKEv2 interval to refresh keying material; also used to compute lifetime | |
| overtime | Limit on time to complete rekeying/reauthentication (defaults to 10% of rekeytime) |
Crypto Proposals
| Name | Value | Description |
|---|---|---|
| Name | string | Name of proposal |
| encryption_method | aes128, aes192, aes256 or 3des | |
| hash_algorithm | md5, sha1, sha2 or 3des | |
| dh_group | modp768, modp1024 or modp2048 | |
| prf_algorithm | prfmd5, prfsha1 or prfsha256 |
