Perle Systems CSS

Network Commands 113

IPsec Commands

Options authentication-method

Specify the authentication method that will be used between VPN peers to authenticate

the VPN tunnel.

Data Options:

zShared Secret—A text-based secret that is used to authenticate the IPsec tunnel

(case sensitive).

zRSA Signature—RSA signatures are used to authenticate the IPsec tunnel. When

using this authentication method, you must download the IPsec RSA public key to

the IOLAN and upload the IPsec RSA public key from the IOLAN to the VPN

gateway.

zX.509 Certificate—X.509 certificates are used to authenticate the IPsec tunnel.

When using this authentication method, you must include the signing authority’s

certificate information in the SSL/TLS CA list and download it to the IOLAN.

The default is shared secret.

boot-action

Determines the state of the VPN network when the IOLAN is booted.

zStart—Starts the VPN network, initiating communication to the remote VPN.

zAdd—Adds the VPN network, but doesn’t initiate a connection to the remote VPN.

zIgnore—Maintains the VPN network configuration, but the VPN network is not

started and cannot be started through the IPsec command option.

When defining peer VPN gateways, one side should be defined as Start (initiate) and

the other as Add (listen). It is invalid to define both gateways as Add. VPN connection

time can take longer when both gateways are set to Start, as both sides will attempt to

initiate the same VPN connection.

The default is start.

local-device

When the VPN tunnel is established, one side of the tunnel is designated as Right and

the other as Left. You are configuring the IOLAN-side of the VPN tunnel. The default

is left.

local-external-ip-address

When NAT Traversal (NAT_T) is enabled, this is IOLAN’s external IPv4 or IPv6

address or FQDN. When the IOLAN is behind a NAT router, this will be its public IP

address.

local-host-nextwork

The IPv4 or IPv6 address of a specific host, or the network address that the IOLAN will

provide a VPN connection to.

local-ip-address

The IPv4 or IPv6 address or FQDN of the IOLAN. You can specify %defaultroute

when the IP address of the IOLAN is not always known (for example, when it gets its

IP address from DHCP). When %defaultroute is used, a default gateway must be

configured in the route table.

local-next-hop

The IPv4 or IPv6 address of the router/gateway that will forward data packets to the

remote VPN (if required). The router/gateway must reside on the same subnet at the

IOLAN. Leave this parameter blank if you want to use the Default Gateway configured

in the IOLAN.