Page 56 / 68
OpenVPN
VPN (Virtual Private Network) is a method for secure data transfer through an unsafe public network. This section explains how to configure OpenVPN, which is the implementation of VPN supported by the RUT500 router.
The picture above shows the default OpenVPN configuration list, which is empty, so you have to define a new configuration to establish any sort of OpenVPN connection. To create one, enter the desired configuration name in the “New configuration name” field and select the device role from the “Role” drop-down list. For example, to create an OpenVPN client with the configuration name Demo, select the client role, name it “Demo” and press the “Add New” button as shown in the following picture.
A new configuration entry appears in the list, populated with default OpenVPN client settings. (You could select the server role in the previous step to create a default server configuration.)
To see the settings of a specific configuration, press the “edit” button located in the newly created configuration entry. A new page with the detailed configuration appears, as shown in the picture below. You can set custom settings here according to your VPN needs.
Below is a summary of the parameters available to set:
1. Enabled: Switches the configuration on and off. This must be selected to make the configuration active.
2. TUN/TAP: Selects the virtual VPN interface type. TUN is most often used in typical IP-level VPN connections; TAP is required for some Ethernet bridging configurations.
3. Protocol: Defines the transport protocol used by the connection. You can choose between TCP and UDP.
4. Port: Defines the TCP or UDP port number (make sure that this port is allowed by the firewall).
5. LZO: Enables LZO compression. With LZO compression your VPN connection generates less network traffic, but at the cost of higher router CPU load. Use it carefully with high-rate traffic or low CPU resources.
6. Authentication: Sets the authentication mode used to secure data sessions. There are two possibilities: “Static” means that the OpenVPN client and server use the same secret key, which must be uploaded to the router using the “Static pre-shared key” option. “TLS” authentication mode uses X.509 certificates. Depending on the selected OpenVPN mode (client or server) you have to upload these certificates to the router:
   For client: Certificate Authority (CA), Client certificate, Client key.
   For server: Certificate Authority (CA), Server certificate, Server key and Diffie-Hellman (DH) certificate used for key exchange through unsafe data networks.
   All mentioned certificates can be generated using OpenVPN or OpenSSL utilities on any type of host machine. Certificate generation and theory are out of scope of this user manual.
7. Remote host IP address: IP address of the OpenVPN server (applicable only for client configurations).
8. Resolve Retry: Sets the time in seconds during which the router periodically retries resolving the server hostname after a first resolve failure, before raising a service exception.
9. Keep alive: Defines two time intervals: the first is the period at which ICMP requests are sent to the OpenVPN server, and the second is a time window after which the OpenVPN service is restarted if no ICMP request is received during that window.
10. Local tunnel endpoint: IP address of the virtual local network interface (applicable only for point-to-point connections).
11. Remote tunnel endpoint: IP address of the virtual remote network interface.
12. Remote network IP address: IP address of the remote virtual network.
13. Remote network IP netmask: Subnet mask of the remote virtual network.
After setting any of these parameters, press the “Save” button. Some of the selected parameters will be shown in the configuration list table. You should also be aware that the router launches a separate OpenVPN service for every configuration entry (if it is defined as active, of course), so the router is able to act as server and client at the same time.
IPsec
The IPsec protocol client enables the router to establish a secure connection to an IPsec peer via the Internet. IPsec is supported in two modes, transport and tunnel. Transport mode creates a secure point-to-point channel between two hosts. Tunnel mode can be used to build a secure connection between two remote LANs, serving as a VPN solution.
The IPsec system maintains two databases: the Security Policy Database (SPD), which defines whether to apply IPsec to a packet or not and specifies which IPsec-SA is applied and how, and the Security Association Database (SAD), which contains the key of each IPsec-SA.
The establishment of a Security Association (IPsec-SA) between two peers is needed for IPsec communication. It can be done using manual or automated configuration.
Note: the router starts establishing the tunnel when data is sent from the router to the remote site over the tunnel. For automatic tunnel establishment, use the tunnel keep alive feature.
Automatic IPSec Key exchange
1. Enable IPSec: Check the box to enable IPSec.
2. IPSec key exchange mode: Automatic key exchange.
3. Enable NAT traversal: Enable this function if client-to-client applications will be used.
4. Enable initial contact: Enable this to send an INITIAL-CONTACT message.
5. Peers identifier type: Choose “fqdn” or “user fqdn” according to your IPSec server configuration.
6. Mode: Select “Main” or “Aggressive” mode according to your IPSec server configuration.
7. My identifier: Set the device identifier for the IPSec tunnel.
8. Preshare key: Specify the authentication secret [string]. The secret’s length depends on the selected algorithm, e.g. a 128-bit secret is 16 characters long (128 bits / 8 bits per character = 16).
9. Remote VPN Endpoint: Set the remote IPSec server IP address.
Phase 1 and Phase 2 must be configured according to the IPSec server configuration.
Remote Network Secure Group
Set the remote network (Security Policy Database) information.
1. Tunnel keep alive: Allows sending ICMP echo requests (ping utility) to the remote tunnel network. This function may be used to automatically start the IPSec tunnel.
2. Ping IP address: Enter the IP address to which ICMP echo requests will be sent.
3. Ping period (seconds): Set the period in seconds at which ICMP echo requests are sent.
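To make the SPD/SAD description in the IPsec section concrete, here is an added example (not the router's implementation, and with no real cryptography) of how the two databases decide a packet's fate: an ordered SPD of policies with protect, bypass or discard actions, and a SAD keyed by SPI holding the negotiated SA with its mode and key. It also shows the difference between transport and tunnel mode in the outer addresses the protected packet carries, and the situation the note above describes, where traffic matches a protect policy but no SA has been established yet. Addresses, SPIs and key bytes are constructed.

```python
"""Toy model of the IPsec Security Policy Database (SPD) and Security
Association Database (SAD) described above.

Added example with constructed addresses, SPIs and key bytes; it is not
the router's implementation and performs no real cryptography.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityAssociation:
    spi: int            # Security Parameter Index identifying the SA on the wire
    mode: str           # "transport" (host to host) or "tunnel" (LAN to LAN)
    local_gw: str       # outer addresses used when mode is "tunnel"
    remote_gw: str
    key: bytes          # constructed placeholder for the SA's key material


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "protect", "bypass" or "discard"
    spi: Optional[int] = None    # SA to use when action is "protect"


def lookup(spd, sad, src_ip, dst_ip):
    """Decide what happens to a packet from src_ip to dst_ip.

    Returns (action, outer_src, outer_dst, sa).  The first matching policy
    wins, as in an ordered SPD; a packet no policy covers is discarded."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for pol in spd:
        if src not in pol.src or dst not in pol.dst:
            continue
        if pol.action != "protect":
            return pol.action, src_ip, dst_ip, None
        sa = sad.get(pol.spi)
        if sa is None:
            # Policy demands protection but no SA has been negotiated yet:
            # the packet must not leave in the clear, so it is dropped.
            # This is the point at which the router would start key exchange.
            return "discard", src_ip, dst_ip, None
        if sa.mode == "tunnel":
            # tunnel mode wraps the whole packet: the gateways' addresses
            # appear on the outside, the LAN addresses stay inside
            return "protect", sa.local_gw, sa.remote_gw, sa
        # transport mode keeps the original end-host addresses
        return "protect", src_ip, dst_ip, sa
    return "discard", src_ip, dst_ip, None


# Constructed example: branch LAN 192.168.1.0/24 behind gateway 198.51.100.1,
# HQ LAN 10.0.0.0/24 behind gateway 203.0.113.1.
SPD = [
    # LAN-to-LAN traffic to HQ is protected in tunnel mode via SA 0x1001
    Policy(ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("10.0.0.0/24"), "protect", spi=0x1001),
    # one management host talks to another host in transport mode via SA 0x1002
    Policy(ipaddress.ip_network("192.168.1.10/32"),
           ipaddress.ip_network("192.168.1.11/32"), "protect", spi=0x1002),
    # everything else from the branch LAN goes out unprotected
    Policy(ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("0.0.0.0/0"), "bypass"),
]
SAD = {
    0x1001: SecurityAssociation(0x1001, "tunnel", "198.51.100.1", "203.0.113.1", b"\x11" * 16),
    0x1002: SecurityAssociation(0x1002, "transport", "", "", b"\x22" * 16),
}

if __name__ == "__main__":
    for s, d in [("192.168.1.20", "10.0.0.5"), ("192.168.1.10", "192.168.1.11"),
                 ("192.168.1.20", "192.0.2.1"), ("172.16.0.1", "10.0.0.5")]:
        action, osrc, odst, sa = lookup(SPD, SAD, s, d)
        print(f"{s} -> {d}: {action}, outer {osrc} -> {odst}, spi {sa.spi if sa else None}")
```

Policy order matters: the bypass rule covering all destinations sits last, so LAN-to-HQ traffic is protected rather than leaking in the clear, and removing an SA from the SAD turns the protect policy into a drop, which is the behaviour that makes the tunnel keep alive ping useful for bringing the SA up before real traffic needs it.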
GRE Tunnel
GRE (Generic Routing Encapsulation, RFC 2784) is a solution for tunneling RFC 1812 private address-space traffic over an intermediate TCP/IP network such as the Internet. GRE tunneling does not use encryption; it simply encapsulates data and sends it over the WAN.
