virtual access GW1000M Series

To Next Page

To Previous Page

26: Configuring IPSec

_______________________________________________________________________________________________________

_____________________________________________________________________________________________________

GW1000 Series User Manual

Issue: 1.9 Page 237 of 350

Web: ESP algorithm

UCI: strongswan.@connection[X].esp

Opt: esp

Specifies the esp algorithm to use.

The format is: encAlgo | authAlgo | DHGroup

encAlgo:

3des

aes128

aes256

serpent

twofish

blowfish

authAlgo:

md5

sha

sha2

DHGroup:

modp1024

modp1536

modp2048

modp3072

modp4096

modp6144

modp8192

For example, a valid encryption algorithm is:

aes128-sha-modp1536.

If no DH group is defined then PFS is disabled.

Web: WAN Interface

UCI: strongswan.@connection[X].waniface

Opt: waniface

This is a space separated list of the WAN interfaces the router

will use to establish a tunnel with the secure gateway.

On the web, a list of the interface names is automatically

generated. If you want to specify more than one interface use

the “custom” value.

Example: If you have a 3G WAN interface called ‘wan and a

WAN ADSL interface called ‘dsl’ and wanted to use one of these

interfaces for this IPSec connection, you would use: ‘wan adsl’.

Web: IKE Life Time

UCI: strongswan.@connection[X].ikelifetime

Opt:ikelifetime

Specifies how long the keyring channel of a connection (ISAKMP

or IKE SA) should last before being renegotiated.

Timespec

1d, 3h, 25m, 10s.

Web: Key Life

UCI: strongswan.@connection[X].keylife

Opt: keylife

Specifies how long a particular instance of a connection (a set of

encryption/authentication keys for user packets) should last,

from successful negotiation to expiry.

Normally, the connection is renegotiated (via the keying

channel) before it expires (see rekeymargin).

Timespec

1d, 1h, 25m, 10s.

Web: Rekey Margin

UCI:

strongswan.@connection[X].rekeymargin

Opt: rekeymargin

Specifies how long before connection expiry or keying-channel

expiry should attempt to negotiate a replacement begin.

Relevant only locally, other end need not agree on it.

Timespec

1d, 2h, 9m, 10s.

Web: Keyring Tries

UCI:

strongswan.@connection[X].keyringtries

Opt: keyringtries

Specifies how many attempts (a positive integer or %forever)

should be made to negotiate a connection, or a replacement for

one, before giving up. The value %forever means 'never give

up'. Relevant only locally, other end need not agree on it.

Main Page

virtual access GW1000M Series - Page 237

Table of Contents

Other manuals for virtual access GW1000M Series