RuggedCom RX1100, RX1000 specs

Chapter 12 – Configuring An IPsec VPN

The At IPsec startup field determines what happens to the connection after Openswan starts and includes the options “Ignore”, “Add connection”, “Start Connection”, “Route” and “Default”. A value of “Ignore” will cause the connection to be ignored. A value of “Add connection” will cause the connection to be established when explicitly started (via command line or the IPsec VPN Configuration menu “Start Connection” button). If “Start connection” is chosen then the connection will be authorized when Openswan is started, but not activated until an incoming request arrives. A value of “Route” will cause a route (and only the route) for packets to be established, discarding packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g., a default route).

The Authenticate by fields select the authentication method. If “Default” is selected the value in the “Defaults for all connections” record is used. If “rsasig” or “secret rsasig” is selected then the System's public key of each of the Left System's Settings and Right System's Settings sections must include an RSA signature string or an X. 509 certificate must be in use. If “secret” is selected then the Preshared key menu must contain a key indexed by the Public IPs of the Left and Right systems.

The Encryption Protocols fields select the encryption protocol used. If “Default” is selected the value in the “Defaults for all connections” record is used. If “allow only” is selected, the protocols in “aes256”, “aes192”, “aes128” and “3des”, are included in a list. At connection time the two peers will compare their capabilities and select the strongest common protocol (largest aes over smaller aes and aes over 3des).

The Compress data? fields will select whether data should be compressed. If “Default” is selected the value in the “Defaults for all connections” record is used.

The Perfect Forward Secrecy fields will enable PFS, causing keys to be exchanged in a manner which provides attackers that have compromised a key with no advantage in decoding previously intercepted packets or with subsequent packets. Not all clients support PFS.

RuggedCom

131

Image 133

RuggedCom RX1100, RX1000 manual

Contents

RuggedRouter Ruggedrouter User Guide About this User Guide How To Use This User GuideApplicable Firmware Revision Who Should Use This User Guide Quick Start Recommendations Document Conventions Basic Web Based Configuration Additional Configuration About this User Guide Table Of Contents Table Of Contents RuggedRouter User Guide 100 114 144 Page Table Of Contents Page 241 Page Table Of Figures RuggedRouter Setup Main Menu Scheduled Commands Displaying a Command T1/E1 Network Interfaces After Interface Creation Adsl Link Statistics Show Public Key Link Backup Status 162 Raw Socket Menu IRIGB/IEEE1588 General Configuration menu 230 255 IAS Window Edit Profile 282 Access Methods Setting Up And Administering The RouterAccounts And Password Management Default Configuration RuggedRouter Setup Shell Accessing The RuggedRouter Command PromptConfiguring Passwords From the Console Port Setting The Hostname Configuring IP Address InformationConfiguring Radius Authentication Enabling And Disabling The SSH and Web Server Radius Server Configuration menu Enabling And Disabling The Gauntlet Security Appliance Configuring The Date, Time And Timezone RuggedRouter Hardware Information Menu Displaying Hardware Information Selecting a configuration to reload Restoring a Configuration RuggedRouter Web Interface Using a Web Browser to Access the Web InterfaceSSL Certificate Warnings Structure of the Web Interface RuggedRouter Web Interface Main Menu Window LED Status Panel Using The LED Status Panel LED Name Description Obtaining Chassis Information Webmin Configuration Menu Webmin ConfigurationIP Access Control Change Help Server Ports And Addresses Logging Webmin Configuration Menu, Logging Webmin Configuration Menu, Authentication Authentication Webmin Events Log Webmin Events Log This page intentionally blank Bootup And Shutdown Configuring The System Scheduled Commands Change Password Command Scheduled Commands Displaying a Command Webmin Scheduled Cron Jobs Scheduled Cron Jobs System Time System Hostname Network Configuration Configuring Networking Dummy Interface Core Settings Configured Static Routes Default Route TableRouting And Gateways Manually Entered Static Routes Static Multicast Routing Static Multicast Routing DNS Client End To End BackupHost Addresses Page Current Routing & Interface Table Configuring End To End Backup Ethernet Interface Fundamentals Configuring Ethernet InterfacesVlan Interface Fundamentals LED Designations RuggedRouter Functions Supporting VLANs PPPoE On Native Ethernet Interfaces Fundamentals Ethernet Interfaces Ethernet Editing a Network Interface Editing Currently Active Interfaces Virtual Interfaces Edit Boot Time InterfacesVirtual Lan Interfaces List PPPoE Interfaces PPPoE On Native Ethernet Interfaces Editing a PPPoE Interface Edit PPPoE Interface Current Routes & Interface Table PPP Logs T1/E1 Fundamentals Configuring Frame Relay/PPP And T1/E1Frame Relay Location Of Interfaces And Labeling T1/E1Included With T1E1 Strategy For Creating Interfaces T1/E1 Network Interfaces Naming Of Logical Interfaces Editing a T1/E1 Interface E1 Settings T1 Settings Frame Relay Link Parameters Editing a Logical Interface Frame Relay Frame Relay DLCIs Editing a Logical Interface PPP Link Statistics T1/E1 Statistics Frame Relay Statistics Frame Relay Interface Statistics PPP Link Statistics PPP Interface Statistics T1/E1 Loopback Menu T1/E1 Loopback Upgrading Firmware Upgrading Software T3 Fundamentals Configuring Frame Relay/PPP And T3 T3 Network Interfaces T3 Configuration Edit T3 Interface Editing a T3 Interface T3 Statistics Upgrading Software Page DDS Fundamentals Configuring Frame Relay/PPP DDS Network Interfaces DDS Configuration Edit Logical Interface Frame Relay, single Dlci DDS Link Statistics DDS Statistics Frame Relay And PPP Interface Statistics DDS LoopbackPage PPPoE/Bridged Mode Fundamentals Configuring PPPoE/Bridged Mode OnAdsl Fundamentals PPPoE MTU Issues Authentication, Addresses and DNS ServersBridged Mode Adsl Network Interfaces Adsl ConfigurationEditing a Logical Interface PPPoE Edit Logical Interface Bridged Editing a Logical Interface Bridged Adsl Link Statistics Adsl Statistics Current Routes & Interface Table PPP Mode Fundamentals Configuring PPP and ModemWhen the Modem Connects Modem Fundamentals Modem Main Menu Modem Configuration Blind dial Modem PPP Client Modem PPP Client Connections Modem Incoming Call Logs Modem PPP Server PPP Logs Modem PPP Logs PPP Connection Logs Modem PPP Connection LogsPage Firewall Fundamentals Configuring The FirewallStateless vs Stateful Firewalls Linux netfilter, iptables And The Shoreline Firewall Network Address Translation Port Forwarding Shorewall Quick Setup Zones ShoreWall Terminology And ConceptsInterfaces Policy Hosts Interface Subnet Address Protocol Ports Masquerading And Snat Reject Rules Route Based Virtual Private Networking Configuring The Firewall And VPN Virtual Private Networking To a DMZ Policy Based Virtual Private Networking Starting Shorewall Firewall Menu Firewall Main Menu Shorewall Firewall Menu Network Interfaces Network Zones Editing a Firewall Network Interfaces Firewall Zone Hosts Network Zone Hosts Masquerading Default Policies Editing a Masquerading Rule Firewall Rules Static NAT Static NAT Creating a Static NAT Entry Actions When StoppedPage Page VPN Fundamentals Configuring An IPsec VPNIPsec Modes Policy Vs Route Based VPNs Public Key And Pre-shared Keys Supported Encryption Protocols X509 Certificates Other Configuration Supporting IPSecNAT Traversal VPN Main Menu Before Key Generation Openswan Configuration ProcessVPN Main Menu IPsec and Router InterfacesPage IPsec VPN Configuration After Connections Have Been Created Server Configuration Preshared Keys Public Key VPN Connections List CertificatesIPsec VPN Connection Details Page Export Configuration Left/Right Systems Settings IPsec Status Showing IPsec Status Select a Certificate Authority IPSec X.509 Roaming Client Example Router IPSec Configuration VPN Networking Parameters Client ConfigurationGenerate X.509 Certificates Ethernet Port Configuration Firewall IPSec ConfigurationPage Quagga, RIP and Ospf Configuring Dynamic RoutingRIP Fundamentals Key Ospf And RIP Parameters Ospf FundamentalsLink State Advertisements Network Areas Router-ID Active/Passive Interface DefaultHello Interval and Dead Interval Redistributing Routes Ospf Authentication Configuring Ospf Link CostsRIP Authentication Link Detect Administrative Distances Area And Subnets Ospf And Vrrp Example NetworkVrrp Operation Dynamic Routing Enable Protocols Core Global Parameters CoreCore Interface Parameters View Core Configuration Ospf Global Parameters OspfPage Ospf Interfaces Ospf Interfaces Ospf Network Areas View Ospf ConfigurationOspf Status RIP Global Parameters RIP Global Parameters RIP Key Chains RIP Interfaces RIP Networks RIP Networks RIP Status View RIP ConfigurationPage Link Backup Fundamentals Configuring Link BackupPath Failure Discovery Link Backup Configuration Link Backup Main MenuUse Of Routing Protocols And The Default Route Edit Link Backup Configuration Link Backup Status Link Backup LogsTest Link Backup Page Page Problem With Static Routing Configuring VrrpVrrp Solution Vrrp Fundamentals Vrrp Example Page Vrrp Main Menu Vrrp Configuration Vrrp Instance Editing a Vrrp Instance Vrrp Instances Status Viewing Vrrp Instances Status Traffic Prioritization Fundamentals Configuring Traffic PrioritizationPriority Queues Filters Included With Traffic Prioritization TOS Prioritization Prioritization Example Interface Prioritization Menu Traffic Prioritization Main Menu Prioritization Filters Prioritization QueuesPrioritization Transmit Queue Length Prioritization Statistics Prioritization Statistics GRE Fundamentals Configuring Generic Routing Encapsulation GRE Main Menu GRE Configuration MenuPage Network Utilities Main Menu Network Utilities Traceroute Menu Ping Menu Trace Menu Host MenuTcpdump a Network Interface Serial Trace a Serial Server Port Frame Relay Link Layer Trace a WAN Interface Interface Statistics Menu Interface Statistics Menu Current Routing & Interface Table Current Routing & Interface Table Interface Status Page Serial IP Port Features Configuring Serial Protocols Character Encapsulation Serial Protocols ApplicationsRTU Polling Broadcast RTU Polling Host And Remote Roles Serial Protocols Concepts And IssuesUse Of Port Redirectors Message Packetization Serial Protocols Main Menu Use of Turnaround Delays Assign Protocols Menu Port Settings MenuRawSocket Menu Page Serial Protocols Statistics Menu Protocol Specific Packet Error Statistics Serial Protocols Trace Menu Serial Protocols Trace Menu Is provided Serial Protocols Sertrace UtilityPage IEC61850 Goose Fundamentals Configuring Goose TunnelsLayer 2 Tunnel Daemon Details Layer 2 Tunnels Main Menu Layer 2 Tunnels Main Menu Goose Tunnels Menu General Configuration Menu Activity Trace Menu Goose Statistics MenuPage Page Dhcp Fundamentals Configuring The Dhcp serverDhcp Network Organizations Dhcp Client OptionsPage Option 82 Support with Disable NAK Single Network With Option82 Clients On One Switch Example Dhcp Scenarios And ConfigurationsSingle Network With Dynamic IP Assignment Single Network With Static IP AssignmentPage Page Dhcp Server Menu Dhcp Server Main Menu Dhcp Shared Network Configuration Dhcp Shared Network Configuration Dhcp Subnet Configuration Dhcp Subnet Configuration Dhcp Host Configuration Dhcp Group Configuration Dhcp Pool Configuration Dhcp Pool Configuration NTP Fundamentals Configuring NTP NTP And The Precision Time Protocol Card NTP Sanity LimitIncluded With NTP Generic Options NTP Server Main Menu Peers Configuration Servers Configuration Viewing The NTP Log Viewing The NTP Status Viewing The GPS Log Viewing The GPS Status SSH Fundamentals Configuring SSHIncluded With SSH SSH Server SSH Main Menu Networking Access ControlPage IEEE1588 Fundamentals Configuring Irigb And IEEE1588PTP Network Roles PTP Master Election Synchronizing NTP from IEEE1588 Irigb FundamentalsIrigb Output Formats Reference Clocks GPS Cable compensationHow The Router Selects a Reference Clock IRIGB/IEEE1588 Main Menu General Configuration IEEE1588 Configuration Irigb Configuration IEEE1588 Status Irigb Status Irigb Log Page Snort Fundamentals Configuring The Snort IDSWhich Interfaces To Monitor Snort Rules Snort IDS Main Menu Global ConfigurationPerformance And Resources Rulesets Network SettingsRule Lookup by SID Alerts & Logging PreProcessors Edit Config File Alert System Maintaining The RouterAlert Menu Alert Configuration Menu Alert Configuration Alert Definition Configuration Alert Filter Configuration Change Alert Definition Page What And How Gauntlet Protects Gauntlet SecurityGauntlet And The Firewall Upgrading Gauntlet Gauntlet Status Menu System Backup And Restore Backup And Restore General Configuration Setup Archive History Archive Backup Archive Difference Tool Archive Restore Archive Differences List Show Difference for selected file between two targets Snmp Configuration System Configuration Snmp Configuration Main MenuNetwork Addressing Configuration Access Control page, Snmp V1 and V2c 250 RuggedCom Trap Configuration page, Trap Options Trap Configuration RuggedRouter supports the following MIBs MIB Support Radius Authentication Edit Radius Server Parameters Radius Authentication Configuration Outgoing Mail Parameter Description Chassis Parameters System Logs Syslog Factory Defaults Changing a Syslog entry to remote log Remote Logging RuggedRouter Software Fundamentals Upgrade System Automatic Upgrade When a Software Upgrade Requires a Reboot Change Repository Server Upgrade to RX1100 Upgrading All Packages Automatic Upgrading Pre-upgrade/Post-upgrade scripts Installing a New Package Upload/Download menu Uploading And Downloading Files Security Actions Security ConsiderationsPage Initial Repository Setup Appendix a Setting Up a RepositoryRepository Server Requirements Upgrading The Repository Setting Up The RoutersAn Alternate Approach Upgrading Considerations Appendix B Downgrading Router Software Apache Default Web Appendix C Installing Apache Web Server On WindowsPage Installing IIS Appendix D Installing IIS Web Server On Windows Windows Internet Authentication Service Appendix E Radius Server ConfigurationFreeRadius Edit Profile window, Click Add... button 276 RuggedCom RuggedCom 277 Dhcp Index Goose NTP SSH Vrrp