AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

Example

To add a policy that encrypts all traffic between two hosts (10.0.0.147 and 10.0.0.148), do the following:

[admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@WiFi] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
  0   src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
      action=encrypt level=require ipsec-protocols=esp tunnel=no
      sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 proposal=default
      manual-sa=none priority=0
[admin@WiFi] ip ipsec policy>

To view the policy statistics, do the following:

[admin@WiFi] ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - invalid
  0   src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
      ph2-state=no-phase2 in-accepted=0 in-dropped=0 out-accepted=0
      out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0 not-decrypted=0
[admin@WiFi] ip ipsec policy>

Here ph2-state=no-phase2 and the all-zero counters show that no security association has been negotiated yet: the policy only selects traffic, and a matching peer entry (see the Peers submenu below) is still needed before IKE can set up the SA. Because the policy has level=require, traffic between the two hosts is dropped rather than sent in cleartext until that SA exists.

8.8.3 Peers

Submenu level: /ip ipsec peer

Description

Peer configuration settings are used to establish connections between IKE daemons (phase 1 configuration). This connection is then used to negotiate keys and algorithms for SAs.

Property Description

address (IP address/netmask:port; default: 0.0.0.0/32:500) - address prefix. If the remote peer's address matches this prefix, this peer configuration is used when authenticating and establishing phase 1. If a peer's address matches several configuration entries, the most specific one (i.e. the one with the largest netmask) is used

auth-method (multiple choice: pre-shared-key rsa-signature; default: pre-shared-key) - authentication method

pre-shared-key - authenticate by a password (secret) string shared between the peers

rsa-signature - authenticate using a pair of RSA certificates

certificate (name) - name of a certificate on the local side (used to sign packets; the certificate must have a private key). Only needed if the rsa-signature authentication method is used

dh-group (multiple choice: ec2n155 ec2n185 modp768 modp1024 modp1536; default: modp1024) - Diffie-Hellman group used for the phase 1 key exchange (it determines the strength of the key exchange, not of the cipher). Both peers must offer a common group. modp768 is too weak for current use; prefer modp1536, the strongest group offered here, and fall back to modp1024 only when the remote peer supports nothing stronger

enc-algorithm (multiple choice: des 3des aes-128 aes-192 aes-256; default: 3des) - phase 1 encryption algorithm. Algorithms are listed in order of increasing strength. des is no longer considered secure; use aes-128 or stronger wherever the remote peer supports it

exchange-mode (multiple choice: main aggressive base; default: main) - ISAKMP phase 1 exchange mode according to RFC 2408. Do not use modes other than main unless you know what you are doing: aggressive mode sends the peer identities unprotected and, with pre-shared-key authentication, lets an eavesdropper capture material for an offline guessing attack on the secret

generate-policy (yes no; default: no) - allow this peer to establish SAs for policies that do not exist. Such policies are created dynamically for the lifetime of the SA. This makes it possible, for example, to create IPsec-secured L2TP tunnels, or any other setup where the remote peer's IP address is not known at configuration time. Since any peer that authenticates against this entry can then install policies, combine it with a strong secret and the narrowest address prefix the setup allows

hash-algorithm (multiple choice: md5 sha1; default: md5) - hashing algorithm used for phase 1 integrity and authentication. sha1 (Secure Hash Algorithm) is stronger but slower; prefer it over the md5 default

lifebytes (integer; default: 0) - phase 1 lifetime: specifies how many bytes can be transferred before the SA is discarded

0 - the SA does not expire because of the byte count
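The following is an added example, not part of the manual's own text, showing a peer entry that completes the policy example above by describing phase 1 towards 10.0.0.148 with the stronger choices from the property list. It assumes the pre-shared key is held by the peer's secret property (not listed on this page) and uses constructed placeholder secrets; the second /24 entry is hypothetical and only illustrates how the most specific address prefix wins.

```routeros
# Added example, not from the manual: phase 1 peer entry for the remote host
# used in the policy example (10.0.0.148). The secret values are constructed
# placeholders; generate your own long random secret. The "secret" property
# holds the pre-shared key and is not described on this page (assumption).
/ip ipsec peer
add address=10.0.0.148/32:500 auth-method=pre-shared-key \
    secret="replace-with-a-long-random-secret" \
    exchange-mode=main dh-group=modp1536 \
    enc-algorithm=aes-128 hash-algorithm=sha1 generate-policy=no

# Hypothetical second entry: a /24 prefix can act as a catch-all for the LAN,
# but for 10.0.0.148 the /32 entry above is more specific and is the one used.
add address=10.0.0.0/24:500 auth-method=pre-shared-key \
    secret="a-different-constructed-secret" \
    exchange-mode=main dh-group=modp1536 \
    enc-algorithm=aes-128 hash-algorithm=sha1

# The remote side (10.0.0.148) needs the mirror image: address=10.0.0.147/32:500,
# the same secret and the same exchange-mode, dh-group, enc-algorithm and
# hash-algorithm, plus a policy with sa-src-address and sa-dst-address swapped.

# Check the result after traffic between the two hosts has triggered IKE.
/ip ipsec peer print
/ip ipsec policy print stats
```

Once the exchange succeeds, ph2-state in the policy statistics should no longer read no-phase2 and the encrypted/decrypted counters should start increasing; if they stay at zero, compare the phase 1 settings on both sides first, since a mismatch in any of dh-group, enc-algorithm, hash-algorithm or exchange-mode prevents the SA from being negotiated.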
