260 MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F
The following table describes the VPN connection attempt retries and the time interval between them. After
giving up as listed below, the unit waits for the “failure-retry-interval” and then repeats the connection
attempt sequence.
Table 3-19. VPN Connection Retry
Relative Timeout Between Attempts (secs) | Absolute Timeout From First Attempt (secs)
Wait for “failure-retry-interval”, then repeat the above sequence
During initial configuration, set failure-retry-interval to its lowest value of 1 min so that the Orbit
attempts the connection more quickly. This makes it easier to debug any connection-related issue by
watching the logs on the peer side. Be sure to change this value back to 5 minutes or higher afterwards
to prevent excessive connection attempts and traffic.
Commit the configuration to save the changes.
% commit
The following shows the IKE policy configuration for the public-key encryption based authentication method:
1. Create the IKE policy with auth-method “pub-key” (public-key encryption).
% set services vpn ike policy IKE-POLICY-1 auth-method pub-key
2. Configure the Public Key Infrastructure (PKI) security credentials.
d. Certificate type as “rsa” if RSA public key encryption based certificates are being used.
e. Client certificate ID – This is the ID that was assigned to the client certificate obtained via
SCEP or loaded manually (assumed to be ID-1).
f. Client private key ID – This is the ID that was assigned to the client private key generated
during SCEP procedure or loaded manually (assumed to be ID-1).
g. Certificate Authority (CA) certificate ID – This is the ID that was assigned to the CA certificate
obtained via SCEP or loaded manually (assumed to be CA-1).
% set services vpn ike policy IKE-POLICY-1 pki cert-type rsa
% set services vpn ike policy IKE-POLICY-1 pki cert-id ID-1
% set services vpn ike policy IKE-POLICY-1 pki key-id ID-1
% set services vpn ike policy IKE-POLICY-1 pki ca-cert-id CA-1
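Before assigning the IDs above, it is worth confirming on a workstation that the client certificate, the client private key and the CA certificate are actually a consistent set: a cert-id whose key does not match key-id, or a ca-cert-id that did not issue the client certificate, only shows up later as an IKE authentication failure in the peer's logs. The following script is an added example using openssl and is not part of the Orbit manual or its CLI; the file names, the throwaway test CA it generates, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the MDS Orbit manual: verify offline that the
# certificate, private key and CA certificate you are about to reference as
# cert-id ID-1, key-id ID-1 and ca-cert-id CA-1 belong together.
# File names and the throwaway test CA are assumptions for this demo.
set -eu

# gen_test_material DIR: create a constructed CA, client key and CA-signed
# client certificate in DIR so the check can run without real credentials.
gen_test_material() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=orbit-client" -keyout "$dir/id1.key" -out "$dir/id1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/id1.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/id1.crt" 2>/dev/null
}

# check_pki_triple CERT KEY CA: returns 0 only if all three conditions hold
#   1. CERT carries an RSA public key (what "pki cert-type rsa" expects)
#   2. KEY is the private key matching CERT (same RSA modulus)
#   3. CERT validates against CA (CA really is the issuer you will load as CA-1)
check_pki_triple() {
  cert=$1; key=$2; ca=$3
  if ! openssl x509 -in "$cert" -noout -text | grep -q "Public Key Algorithm: rsaEncryption"; then
    echo "FAIL: $cert does not hold an RSA public key"; return 1
  fi
  cert_mod=$(openssl x509 -in "$cert" -noout -modulus)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  if [ "$cert_mod" != "$key_mod" ]; then
    echo "FAIL: $key is not the private key for $cert"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  echo "OK: $cert / $key / $ca are a consistent PKI triple"
  return 0
}

WORK=$(mktemp -d)
gen_test_material "$WORK"
check_pki_triple "$WORK/id1.crt" "$WORK/id1.key" "$WORK/ca.crt"

# Negative case: an unrelated key must be rejected as the key for id1.crt
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
check_pki_triple "$WORK/id1.crt" "$WORK/other.key" "$WORK/ca.crt" || true
```

With real material, point the three arguments at the PEM files you loaded (or obtained via SCEP) as ID-1 and CA-1; if the script reports a mismatch, fix the credentials before referencing them in the IKE policy rather than debugging the tunnel.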
Firewall Configuration
The VPN wizard automatically configures the firewall to allow incoming and outgoing IKE/IPsec traffic
over the Cell/WAN interface. However, when the VPN is configured manually via the Services->VPN->Basic
Config menu or via the CLI, the firewall must be configured manually as well:
1. Add the following rules to the IN_UNTRUSTED filter that is applied to the Cell interface in the
incoming direction:
% set services firewall filter IN_UNTRUSTED rule 1 match protocol icmp