RUGGEDCOM ROX II
CLI User Guide
Chapter 12
Tunneling and VPNs
IPsec and Router Interfaces 407
Section12.8.1.7
IPsec and Router Interfaces
If IPsec works on an interface which could disappear, such as a PPP connection, or if the IP address could change,
the Monitor Interface option must be set for the IPsec connection. When this option is set, IPsec will restart when
the interface disappears and reappears, or the IP address is changed.
The Monitor Interface option is set on the Connection form available for each connection. For more information
about connections, refer to Section12.8.6, “Managing Connections”.
Section12.8.2
Configuring IPsec Tunnels
To configure IPsec tunnels, do the following:
NOTE
RUGGEDCOM ROX II supports the creation of policy-based VPNs, which can be characterized as follows:
• No IPsec network interfaces have been created.
• The routing table is not involved in directing packets to IPsec.
• Only data traffic matching the tunnel's local and remote subnets is forwarded to the tunnel. Normal
traffic is routed by one set of firewall rules and VPN traffic is routed based on separate rules.
• The firewall is configured with a VPN zone of type ipsec.
• As IPsec packets are received, they are decoded, flagged as IPsec-encoded, and presented as having
arrived directly from the same network interface on which they were originally received.
• Firewall rules are written to allow traffic to and from VPN tunnels. These are based on the normal
form of source/destination IP addresses, and IP protocol and port numbers. These rules, by virtue of
the zones they match, use the policy flags inserted by the netkey to route matching data traffic to the
proper interface.
For more information about configuring a policy-based VPN, refer to Section6.9, “Managing Firewalls”.
1. Make sure the CLI is in Configuration mode.
2. Navigate to tunnel» ipsec and configure the following parameter(s) as required:
Parameter Description
enabled Enables IPsec.
nat-traversal This parameter is not supported and any value is ignored by the system. nat-traversal is
always enabled in the IPSec VPN system.
keep-alive { keep-alive } Synopsis: A 32-bit unsigned integer between 1 and 86400
Default: 20
The delay (in seconds) for sending keepalive packets to prevent a NAT router from
closing its port when there is not enough traffic on the IPsec connection.
3. Configure one or more pre-shared keys. For more information, refer to Section12.8.5.2, “Adding a Pre-Shared
Key”.
4. Configure one or more encrypted connections. For more information, refer to Section12.8.6.2, “Adding a
Connection”.
5. Type commit and press Enter to save the changes, or type revert and press Enter to abort.
To Next Page
Loading...
Need help?
General
