The IPsec system maintains two databases: the Security Policy Database (SPD), which defines whether to apply IPsec to a
packet and specifies which IPsec-SA is applied and how, and the Security Association Database (SAD), which contains the
key of each IPsec-SA.
The establishment of the Security Association (IPsec-SA) between two peers is needed for IPsec communication. It
can be done by using manual or automated configuration.
Note: the router starts establishing the tunnel when data is sent from the router to the remote site over the tunnel.
For automatic tunnel establishment, use the tunnel Keep Alive feature.
| No. | Field name | Value | Explanation |
|---|---|---|---|
| 1. | Enable | Enabled/Disabled | Check box to enable IPSec. |
| 2. | IKE version | IKEv1 or IKEv2 | Method of key exchange |
| 3. | Mode | “Main” or “Aggressive” | ISAKMP (Internet Security Association and Key Management Protocol) phase 1 exchange mode |
| 4. | My identifier type | Address, FQDN, User FQDN | Choose one according to your IPSec configuration |
| 5. | My identifier | | Set the device identifier for the IPSec tunnel. In case RUT has a private IP, its identifier should be its own LAN network address. In this way, the Road Warrior approach is possible. |
| 6. | Dead Peer Detection | Enabled/Disabled | The values clear, hold and restart all active DPD |
| 7. | Pre shared key | | A shared password to authenticate between the peers |
| 8. | Remote VPN endpoint | | Domain name or IP address. Leave empty or any |
| 9. | IP address/Subnet mask | | Remote network secure group IP address and mask used to determine to what subnet an IP address belongs. Range [0-32]. IP should differ from device LAN IP |
| 10. | Enable keep alive | Enabled/Disabled | Enable tunnel keep alive function |
| 11. | Host | | A host address to which ICMP (Internet Control Message Protocol) echo requests will be sent |
| 12. | Ping period (sec) | | Send ICMP echo request every x seconds. Range [0-999999] |
Phase 1 and Phase 2 must be configured according to the IPSec server configuration; the algorithms,
authentication and lifetimes of each phase must be identical on both sides.
| No. | Field name | Value | Explanation |
|---|---|---|---|
| 1. | Encryption algorithm | DES, 3DES, AES 128, AES 192, AES256 | The encryption algorithm must match with another incoming connection to establish IPSec |
| 2. | Authentication | MD5, SHA1, SHA256, SHA384, SHA512 | The authentication algorithm must match with another incoming connection to establish IPSec |
| 3. | Hash algorithm | MD5, SHA1, SHA256, SHA384, SHA512 | The hash algorithm must match with another incoming connection to establish IPSec |
| 4. | DH group | MODP768, MODP1024, MODP1536, MODP2048, MODP3072, MODP4096 | The DH (Diffie-Hellman) group must match with another incoming connection to establish IPSec |
| 5. | PFS group | MODP768, MODP1024, MODP1536, MODP2048, MODP3072, MODP4096, No PFS | The PFS (Perfect Forward Secrecy) group must match with another incoming connection to establish IPSec |
| 6. | Lifetime | Hours, Minutes, Seconds | The time duration for phase |
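
The matching requirement above can be checked before a tunnel is brought up. The following is an added example, not code from the manual or the vendor: it compares the settings of two peers and lists any legacy options in use. The value strings are the options from the tables above; the dict layout, the function names, the split of fields between the phases, the sample peers and the contents of LEGACY are assumptions of this example.

```python
# Added example (not vendor code). Value strings are the options listed in the
# tables above; dict layout, function names and sample peers are constructed.

# Assumption of this example: options treated as legacy/weak by current practice.
LEGACY = {
    "mode": {"Aggressive"},            # IKEv1 aggressive mode with a pre-shared key
    "encryption": {"DES", "3DES"},
    "authentication": {"MD5"},
    "hash": {"MD5"},
    "dh_group": {"MODP768", "MODP1024"},
    "pfs_group": {"MODP768", "MODP1024", "No PFS"},
}
SECTIONS = ("ike", "phase1", "phase2")

def mismatches(local, remote):
    """Every setting that differs between the two peers."""
    out = []
    for sec in SECTIONS:
        for field in sorted(set(local[sec]) | set(remote[sec])):
            a, b = local[sec].get(field), remote[sec].get(field)
            if a != b:
                out.append((sec, field, a, b))
    return out

def legacy_choices(cfg):
    """Settings in one peer's configuration that appear in LEGACY."""
    return [(sec, field, value)
            for sec in SECTIONS
            for field, value in sorted(cfg[sec].items())
            if value in LEGACY.get(field, ())]

# Constructed sample peers; the per-phase split of fields is assumed.
ROUTER = {
    "ike": {"version": "IKEv1", "mode": "Aggressive"},
    "phase1": {"encryption": "3DES", "authentication": "SHA1",
               "dh_group": "MODP1024", "lifetime_s": 28800},
    "phase2": {"encryption": "AES 128", "hash": "SHA256",
               "pfs_group": "No PFS", "lifetime_s": 3600},
}
SERVER = {
    "ike": {"version": "IKEv1", "mode": "Main"},
    "phase1": {"encryption": "AES256", "authentication": "SHA256",
               "dh_group": "MODP2048", "lifetime_s": 28800},
    "phase2": {"encryption": "AES 128", "hash": "SHA256",
               "pfs_group": "MODP2048", "lifetime_s": 3600},
}

if __name__ == "__main__":
    for item in mismatches(ROUTER, SERVER):
        print("MISMATCH", *item)
    for item in legacy_choices(ROUTER):
        print("LEGACY", *item)
```
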
8.5.3 GRE Tunnel
GRE (Generic Routing Encapsulation, RFC2784) is a solution for tunneling RFC1812 private address-space traffic
over an intermediate TCP/IP network such as the Internet. GRE tunneling does not use encryption; it simply encapsulates
data and sends it over the WAN.
In the example network diagram two distant networks LAN1 and LAN2 are connected.
To create a GRE tunnel the user must know the following parameters:
1. Source and destination IP addresses.
2. Tunnel local IP address.
3. Distant network IP address and Subnet mask.
| No. | Field name | Explanation |
|---|---|---|
| 1. | Enabled | Check the box to enable the GRE Tunnel function. |
| 2. | Remote endpoint IP address | Specify remote WAN IP address. |
| 3. | Remote network | IP address of LAN network on the remote device. |
| 4. | Remote network netmask | Netmask of the LAN network on the remote device. Range [0-32]. |
| 5. | Local tunnel IP | Local virtual IP address. Cannot be in the same subnet as LAN network. |
| 6. | Local tunnel netmask | Netmask of the local virtual IP address. Range [0-32] |
| 7. | MTU | Specify the maximum transmission unit (MTU) of a communications protocol of a layer in bytes. |
| 8. | TTL | Specify the fixed time-to-live (TTL) value on tunneled packets [0-255]. The 0 is a special value meaning that packets inherit the TTL value. |
| 9. | PMTUD | Check the box to enable the Path Maximum Transmission Unit Discovery (PMTUD) status on this tunnel. |
| 10. | Enable Keep alive | It gives the ability for one side to originate and receive keep alive packets to and from a remote router even if the remote router does not support GRE keep alive. |
| 11. | Keep Alive host | Keep Alive host IP address. Preferably IP address which belongs to the LAN network on the remote device. |
| 12. | Keep Alive interval | Time interval for Keep Alive. Range [0 - 255]. |
8.5.4 PPTP
Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to
extend their own corporate network through private "tunnels" over the public Internet. Effectively, a corporation uses a
wide-area network as a single large local area network. A company no longer needs to lease its own lines for wide-area
communication but can securely use the public networks. This kind of interconnection is known as a virtual private
network (VPN).
| No. | Field name | Explanation |
|---|---|---|
| 1. | Enable | Check the box to enable the PPTP function. |
| 2. | Local IP | IP Address of this device (RUT) |
| 3. | Remote IP range begin | IP address leases beginning |
| 4. | Remote IP range end | IP address leases end |
| 5. | Username | Username to connect to PPTP (this) server |
| 6. | Password | Password to connect to PPTP server |
| 7. | User IP | User's IP address |
