Allied Telesis AT-WR4500 manual Remote Peer Statistics, Submenu level /ip ipsec remote-peers

Models: AT-WR4500

Page 192

AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers

RouterOS v3 Configuration and User Guide

lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; the SA will be discarded after this time

nat-traversal (yes | no; default: no) - use the Linux NAT-T mechanism to solve IPsec incompatibility with NAT routers in between IPsec peers. This can only be used with the ESP protocol (AH is not supported by design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering the AH signature invalid). The method encapsulates IPsec ESP traffic into UDP streams in order to overcome some minor issues that made ESP incompatible with NAT

proposal-check (multiple choice: claim | exact | obey | strict; default: strict) - phase 2 lifetime check logic:

claim - take the shortest of the proposed and configured lifetimes and notify the initiator about it

exact - require the lifetimes to be the same

obey - accept whatever is sent by the initiator

strict - if the proposed lifetime is longer than the default, reject the proposal; otherwise accept the proposed lifetime

remote-certificate (name) - name of a certificate for authenticating the remote side (validating packets; no private key required). Only needed if the RSA signature authentication method is used

secret (text; default: "") - secret string (in case pre-shared key authentication is used). If it starts with '0x', it is parsed as a hexadecimal value

send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or wait for the remote side


AES (Advanced Encryption Standard) encryption algorithms are much faster than DES, so it is recommended to use this algorithm class whenever possible. But AES's speed is also its drawback, as it potentially can be cracked faster, so use AES-256 when you need security or AES-128 when speed is also important. Both peers MUST have the same encryption and authentication algorithms, DH group and exchange mode. Some legacy hardware may support only DES and MD5.

You should set the generate-policy flag to yes only for trusted peers, because no verification is done for the established policy. To protect yourself against possible unwanted events, add policies with action=none for all networks you don't want to be encrypted at the top of the policy list. Since dynamic policies are added at the bottom of the list, they will not be able to override your configuration. Alternatively, you can use policy priorities to force some policies to always be active.
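The following is an added example, not RouterOS code and not part of this manual: a simplified model of two decisions described above, the phase 2 lifetime outcome under each proposal-check mode, and a first-match policy lookup in which dynamic policies (created through generate-policy=yes) are always consulted after static ones, so a static action=none entry at the top of the list cannot be overridden. The Policy class and the sample policy list are constructed for illustration.

```python
"""Added example (not RouterOS code): a simplified model of the proposal-check
lifetime logic and of first-match policy lookup with dynamic policies at the bottom."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def proposal_check(mode: str, proposed: int, configured: int) -> Optional[Tuple[int, bool]]:
    """Lifetimes are in seconds. Returns (agreed_lifetime, notify_initiator),
    or None when the responder rejects the initiator's proposal."""
    if mode == "obey":                        # accept whatever the initiator sent
        return proposed, False
    if mode == "exact":                       # lifetimes must be identical
        return (proposed, False) if proposed == configured else None
    if mode == "claim":                       # take the shorter; notify if it is the configured one
        return min(proposed, configured), proposed > configured
    if mode == "strict":                      # reject a proposal longer than the configured value
        return None if proposed > configured else (proposed, False)
    raise ValueError(f"unknown proposal-check mode: {mode}")

@dataclass
class Policy:                                 # constructed, minimal stand-in for a policy entry
    src: str
    dst: str
    action: str                               # "encrypt" or "none"
    dynamic: bool = False                     # True if added automatically by generate-policy

def select_policy(policies, src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First matching policy wins. Static entries are consulted before dynamic
    ones, which is why a static action=none exemption near the top of the list
    cannot be overridden by a policy a peer caused to be generated."""
    ordered = [p for p in policies if not p.dynamic] + [p for p in policies if p.dynamic]
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in ordered:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None                               # no policy matched this traffic

# Constructed sample: a static exemption, and a dynamic policy that would otherwise cover it.
SAMPLE_POLICIES = [
    Policy("192.168.0.0/24", "192.168.1.0/24", "none"),
    Policy("0.0.0.0/0", "192.168.1.0/24", "encrypt", dynamic=True),
]
```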

Example

To define new peer configuration for 10.0.0.147 peer with secret=gwejimezyfopmekun:

[admin@WiFi] ip ipsec peer> add address=10.0.0.147/32 \
\... secret=gwejimezyfopmekun

[admin@WiFi] ip ipsec peer> print
Flags: X - disabled
  0   address=10.0.0.147/32:500 secret="gwejimezyfopmekun" generate-policy=no
      exchange-mode=main send-initial-contact=yes proposal-check=obey
      hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
      lifebytes=0

[admin@WiFi] ip ipsec peer>

8.8.4 Remote Peer Statistics

Submenu level: /ip ipsec remote-peers

Description

This submenu provides you with various statistics about remote peers that currently have established phase 1 connections with this router. Note that if a peer doesn't show up here, it doesn't mean that no IPsec traffic is being exchanged with it. For example, manually configured SAs will not show up here.

Property Description

local-address (read-only: IP address) - local ISAKMP SA address
