
Siemens RUGGEDCOM ROX II User Manual

798 pages
Chapter 12
Tunneling and VPNs
RUGGEDCOM ROX II
CLI User Guide
412 Adding a Connection
If no connections have been configured, add connections as needed. For more information, refer to Section 12.8.6.2, “Adding a Connection”.

Section 12.8.6.2
Adding a Connection
To add a new connection for a VPN, do the following:
1. Make sure the CLI is in Configuration mode.
2. Add the connection by typing:
tunnel ipsec connection name
Where:
name is the connection name. If the name is default, this makes it the default setting for all connections.
3. Configure the following parameter(s) as required:
Parameter: startup { startup }
    Synopsis: { ignore, add, start, route, default }
    Default: default
    The action to take when IPsec is initialized. The default value is 'ignore' unless overwritten by the default connection setting.

Parameter: authenticate { authenticate }
    Synopsis: { default, rsasig, secret }
    Default: default
    The authentication method. The default value is 'default' unless overwritten by the default connection setting.

Parameter: connection-type { connection-type }
    Synopsis: { tunnel, transport, passthrough, default }
    Default: default
    The connection type/mode. Options include:
    tunnel: Encrypts traffic on host-to-host, host-to-subnet or subnet-to-subnet tunnels. This is the default type/mode unless overwritten by the default connection setting.
    transport: Encrypts traffic on a host-to-host tunnel.
    passthrough: Traffic is not encrypted.

Parameter: address-family { address-family }
    Synopsis: { ipv4, ipv6 }
    Default: ipv4
    The address family to run for the connection. Accepted values include 'ipv4' (default) and 'ipv6'. All addresses used in the connection must have the same address family.

Parameter: pfs { pfs }
    Synopsis: { default, yes, no }
    Default: default
    Enables/disables Perfect Forward Secrecy (PFS). When enabled, IPsec negotiates new keys for each session. If an attacker compromises a key, only the session protected by the key is revealed. Not all clients support PFS. The default value is 'yes' unless overwritten by the default connection setting.

Parameter: keylife { keylife }
    Synopsis: { default } or a 32-bit unsigned integer between 1081 and 28800
    Default: default
    The lifetime in seconds for the Security Association (SA) key. This determines how long a particular instance of a connection should last, from successful negotiation to expiry. Normally, the connection is renegotiated before it expires. The default value is 28800 unless overwritten by the default connection setting. Peers can specify different lifetime
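
The parameter table above, as an added example that is not part of the Siemens manual: a Python check that validates planned connection settings against the listed synopsis values, resolves 'default' through the default connection, and flags connections that end up unencrypted or without PFS. The dictionary input format, the function names and the sample values are assumptions constructed for illustration; the code does not read device output.

```python
# Allowed values and built-in defaults, taken from the parameter table above.
ALLOWED = {
    "startup": {"ignore", "add", "start", "route", "default"},
    "authenticate": {"default", "rsasig", "secret"},
    "connection-type": {"tunnel", "transport", "passthrough", "default"},
    "address-family": {"ipv4", "ipv6"},
    "pfs": {"default", "yes", "no"},
}
BUILTIN = {"startup": "ignore", "authenticate": "default", "connection-type": "tunnel",
           "address-family": "ipv4", "pfs": "yes", "keylife": 28800}
# Parameters the table says can be overwritten by the default connection setting.
INHERITED = {"startup", "authenticate", "connection-type", "pfs", "keylife"}


def effective(conn, default_conn=None):
    """Resolve unset/'default' values: default connection first, then built-in."""
    out = {}
    for key, builtin in BUILTIN.items():
        value = conn.get(key, "default")
        if value == "default" and default_conn and key in INHERITED:
            value = default_conn.get(key, "default")
        out[key] = builtin if value == "default" else value
    return out


def audit(name, conn, default_conn=None):
    """Return findings for one connection; an empty list means nothing flagged."""
    findings = []
    for key, value in conn.items():
        if key == "keylife":
            ok = value == "default" or (isinstance(value, int) and 1081 <= value <= 28800)
            if not ok:
                findings.append(f"{name}: keylife {value!r} outside 1081-28800")
        elif key not in ALLOWED:
            findings.append(f"{name}: unknown parameter {key!r}")
        elif value not in ALLOWED[key]:
            findings.append(f"{name}: {key} {value!r} not in synopsis")
    eff = effective(conn, default_conn)
    if eff["connection-type"] == "passthrough":
        findings.append(f"{name}: passthrough, traffic is not encrypted")
    if eff["pfs"] == "no":
        findings.append(f"{name}: PFS disabled")
    return findings


# Constructed sample settings (hypothetical, not captured from a device).
DEFAULT_CONN = {"pfs": "no", "keylife": 3600}   # the connection named 'default'
SITE_A = {"startup": "start", "authenticate": "rsasig", "connection-type": "default"}
SITE_B = {"connection-type": "passthrough", "pfs": "yes", "keylife": 600}
```

In the sample, SITE_A sets nothing weak itself but inherits pfs 'no' from the default connection, which is the case a per-connection review tends to miss.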
