1. Home
    2. /
  2. Manuals
    3. /
  3. Teltonika
    4. /
  4. RUT500
    5. /
  5. 12
Page 56 / 68 Scroll up to view Page 51 - 55
56
OpenVPN
VPN (Virtual Private Network)
is a method for secure data transfer through unsafe public network. This section explains
how to configure OpenVPN, which is implementation of VPN supported by the RUT500 router.
A picture above demonstrates default OpenVPN configurations list, which is empty, so you have to define a new
configuration to establish any sort of OpenVPN connection. To create it, enter desired configuration name in
“New
configuration name”
field, select device role from
“Role”
drop down list. For example, to create a OpenVPN client with
configuration name Demo, select client role, name it “Demo” and press
“Add New”
button as shown in the following
picture.
A new configuration entry has appeared in the list and it is populated with default OpenVPN client settings.
(You could select a server in previous step to create server default configuration).
Page 57 / 68
57
To see at specific configuration settings press
“edit”
button located in newly created configuration entry. A new page
with detailed configuration appears, as shown in the picture below.
You can set custom settings here according to your VPN needs.
Below is summary of parameters available to set:
Field name
Explanation
1.
Enabled
Switches configuration on and off. This must be selected to make configuration active.
2.
TUN/TAP
Selects virtual VPN interface type. TUN is most often used in typical IP-level VPN connections,
however, TAP is required to some Ethernet bridging configurations.
3.
Protocol
Defines a transport protocol used by connection. You can choose here between TCP and UDP.
4.
Port
defines TCP or UDP port number (make sure, that this port allowed by firewall).
5.
LZO
This setting enables LZO compression. With LZO compression, your VPN connection will
generate less network traffic; however, this means higher router CPU loads. Use it carefully
with high rate traffic or low CPU resources.
6.
Authentication
Sets authentication mode, used to secure data sessions. Two possibilities you have here:
“Static” means, that OpenVPN client and server will use the same secret key, which must be
uploaded to the router using “Static pre
-
shared key” option. “Tls” authentication mode uses
X.509 type certificates. Depending on your selected OpenVPN mode (client or server) you have
to upload these certificates to the router:
For client:
Certificate Authority (CA), Client certificate, Client key.
For server:
Certificate Authority (CA), Server certificate, Server key and Diffie-Hellman (DH)
certificate used to key exchange through unsafe data networks.
All mention certificates can be generated using OpenVPN or OpenSSL utilities on any type host
machine. Certificate generation and theory is out of scope of this user manual.
7.
Remote host IP
address
IP address of OpenVPN server (applicable only for client configuration).
8.
Resolve Retry
Sets time in seconds to try resolve server hostname periodically in case of first resolve failure
before generating service exception.
9.
Keep alive
Defines two time intervals: one is used to periodically send ICMP request to OpenVPN server,
Page 58 / 68
58
and another one defines a time window, which is used to restart OpenVPN service, if no ICPM
request is received during the window time slice.
10.
Local tunnel
endpoint
IP address of virtual local network interface (applicable only for point to point connections).
11.
Remote tunnel
endpoint
IP address of virtual remote network interface.
12.
Remote
network IP
address
IP address of remote virtual network.
13.
Remote
network IP
netmask
Subnet mask of remote virtual network.
After setting any of these parameters press
“Save”
button. Some of selected parameters will be shown in the
configuration list table. You should also be aware of the fact that router will launch separate OpenVPN service for every
configuration entry (if it is defined as active, of course) so the router has ability to act as server and client at the same
time.
IPsec
The IPsec protocol client enables the router to establish a secure connection to an IPsec peer via the Internet. IPsec is
supported in two modes - transport and tunnel. Transport mode creates secure point to point channel between two
hosts. Tunnel mode can be used to build a secure connection between two remote LANs serving as a VPN solution.
IPsec system maintains two databases: Security Policy Database (SPD) which defines whether to apply IPsec to a packet
or not and specify which/how IPsec-SA is applied and Security Association Database (SAD), which contain Key of each
IPsec-SA.
The establishment of the Security Association (IPsec-SA) between two peers is needed for IPsec communication. It can
be done by using manual or automated configuration.
Note: router starts establishing tunnel when data from router to remote site over tunnel is sent. For automatic tunnel
establishment used tunnel keep alive feature.
Page 59 / 68
59
Automatic IPSec Key exchange
Field name
Description
1.
Enable IPSec
Check box to enable IPSec.
2.
IPSec key exchange mode
Automatic Key exchange.
3.
Enable NAT traversal
Enable this function if client-to-client applications will be used.
4.
Enable initial contact
Enable this to send an INITIAL-CONTACT message.
5.
Peers identifier type
Choose “fqdn” or “user fqdn” accordingly to your IPSec server configuration.
6.
Mode
Select “Main” or “Aggressive” mode accordingly to your IPSec server
configuration.
7.
My identifier
Set the device identifier for IPSec tunnel.
8.
Preshare key
specify the authentication secret [string]. Secret’s length depends on selected
algorithm, eg. 128 bit long secret is 16 characters in length, 128 bits / 8 bits
(one character) = 16.
9.
Remote VPN Endport
set remote IPSec server IP address.
Page 60 / 68
60
Phase 1
and
Phase 2
must be configured accordingly to the IPSec server configuration.
Remote Network Secure Group
Set the remote network (Secure Policy Database) information.
Field name
Explanation
1.
Tunnel keep alive
Allows sending ICMP echo request (ping utility) to the remote tunnel network. This
function may be used to automatically start the IPSec tunnel.
2.
Ping IP address
Enter IP address to which ICMP echo requests will be sent.
3.
Ping period (seconds)
Set sent ICMP request period in seconds.
GRE Tunnel
GRE (Generic Routing Encapsulation RFC2784) is a solution for tunneling RFC1812 private address-space traffic over an
intermediate TCP/IP network such as the Internet. GRE tunneling does not use encryption it simply encapsulates data
and sends it over the WAN.

Rate

4 / 5 based on 3 votes.

Popular Teltonika Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top