Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
configuration:ipsec [2020/06/30 06:25] dodenhoeft |
configuration:ipsec [2020/06/30 06:50] dodenhoeft [Network setup] |
||
|---|---|---|---|
| Line 54: | Line 54: | ||
| ===== Network setup ===== | ===== Network setup ===== | ||
| - | For this configuration we will use the most common mode, __**the tunnel mode**__. | + | For this configuration we will use the most common mode, __**the tunnel mode**__. For this example we are using PSK as authentification method. |
| {{:configuration:ipsec1.png|}} | {{:configuration:ipsec1.png|}} | ||
| Line 91: | Line 91: | ||
| |Authentication algorithm|SHA256|Authentication algorithm|SHA256| | |Authentication algorithm|SHA256|Authentication algorithm|SHA256| | ||
| |SA life time|28800 sec|SA life time|28800 sec| | |SA life time|28800 sec|SA life time|28800 sec| | ||
| - | |Perfect forward secrecy (PFS)| - |Perfect forward secrecy (PFS)| - | | + | |Perfect forward secrecy (PFS)|disable|Perfect forward secrecy (PFS)|disable| |
| |Force encapsulation|enable|Force encapsulation|enable| | |Force encapsulation|enable|Force encapsulation|enable| | ||
| ^Networks^Parameter^Networks^Parameter^ | ^Networks^Parameter^Networks^Parameter^ | ||
| Line 98: | Line 98: | ||
| |Remote network|192.168.2.0|Remote network|192.168.1.0| | |Remote network|192.168.2.0|Remote network|192.168.1.0| | ||
| |Remote netmask|24|Remote netmask|24| | |Remote netmask|24|Remote netmask|24| | ||
| + | |||
| + | All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service. | ||
| - | ==== SideB ==== | ||
| - | ^Local WAN^Remote WAN^ | ||
| - | |10.10.10.2|10.10.10.1| | ||
| - | ^General^Parameter^ | ||
| - | |Remote peer address|10.10.10.1| | ||
| - | ^Dead Peer Detection(DPD)^Parameter^ | ||
| - | |Detection cycle|30 sec| | ||
| - | |Failure threshold|3| | ||
| - | |Action|hold| | ||
| - | ^Authentication^Parameter^ | ||
| - | |Key exchange|IKEv2| | ||
| - | |Authentication type|pre shared key| | ||
| - | |PSK|"TopSecret01"| | ||
| - | |Local ID type|FQDN| | ||
| - | |Local ID|"sideB"| | ||
| - | |Peer ID type|FQDN| | ||
| - | |Peer ID|"sideA"| | ||
| - | ^IKE Proposal - Phase1^Parameter^ | ||
| - | |Negotiation mode|aggressive| | ||
| - | |Encryption algorithm|AES256| | ||
| - | |Authentication algorithm|SHA256| | ||
| - | |Diffie-Hellman group|Group14(modp2048)| | ||
| - | |Pseudo-random function|undefined| | ||
| - | |SA life time|86400 sec| | ||
| - | ^IPsec Proposal - Phase2^Parameter^ | ||
| - | |Encapsulation mode|Tunnel| | ||
| - | |IPsec protocol|ESP| | ||
| - | |Encryption algorithm|AES256| | ||
| - | |Authentication algorithm|SHA256| | ||
| - | |SA life time|28800 sec| | ||
| - | |Perfect forward secrecy (PFS)| - | | ||
| - | |Force encapsulation|enable| | ||
| - | ^Networks^Parameter^ | ||
| - | |Local network|192.168.2.0| | ||
| - | |Local netmask|24| | ||
| - | |Remote network|192.168.1.0| | ||
| - | |Remote netmask|24| | ||
| - | All necessary firewall rules for the IPsec functionality will be set automatically, with the enable of the IPsec service. | ||
| ===== Server mode ===== | ===== Server mode ===== | ||