SpeedTouchTM608WL and SpeedTouchTM620 only SpeedTouchTM608(WL)/620
Table Of Contents
- Contents
- About this IPSec Configuration Guide
- 1 IPSec: Concept for secure IP connections
- 2 SpeedTouch™ IPSec terminology
- 3 Configuration via Local Pages
- Prerequisites
- IPSec Web Pages
- VPN Menu
- In this section
- 3.1 LAN to LAN Application
- Reference network
- Selecting the LAN to LAN application
- Outline of a configuration procedure
- 3.1.1 Remote Gateway Address Known Page
- VPN context
- Initial page
- Buttons
- Remote Gateway
- Miscellaneous
- IKE Security Descriptors
- Page layout with additional Descriptors
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Example of a completed page
- Buttons
- 3.1.2 Remote Gateway Address Unknown Page
- VPN context
- Example
- Aggressive Mode initial page
- Aggressive Mode versus Main Mode
- Buttons
- Miscellaneous
- IKE Security Descriptors
- Page layout with additional Descriptors
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Main Mode initial page
- Buttons
- IKE Security Descriptors
- Page layout with additional Descriptors
- Miscellaneous
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Main mode expanded page
- Identification & Interface
- Example of a completed page
- Buttons
- 3.1.3 Connections Page
- 3.2 VPN Client
- VPN context
- Advantages of the SpeedTouch™ VPN Client
- Selecting the VPN Client application
- Outline of a VPN Client configuration procedure
- 3.2.1 VPN Client Page
- Initial page
- Buttons
- Server IP Address or FQDN
- Backup Server IP Address or FQDN
- IKE Security Descriptor
- IPSec Security Descriptor
- Exchange Mode
- Server Vendor
- Primary Untrusted Physical Interface
- Virtual IP mapping
- Optional Remote network
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Starting and stopping a VPN client connection
- Page layout for Automatic Start
- Local LAN IP Range
- Set of Server Vendor specific parameters
- Configuring XAuth
- 3.2.2 Starting the VPN Client Connection
- 3.2.3 Closing a Connection
- 3.3 VPN Server
- VPN context
- Selecting the VPN Server application
- Outline of a VPN server configuration procedure
- 3.3.1 VPN Server Page
- Initial page
- Buttons
- Local Trusted Network
- Page layout with additional Networks
- IKE Security Descriptor
- Page layout with additional Descriptors
- IPSec Security Descriptor
- Page layout with additional Descriptors
- Miscellaneous
- VPN Server settings
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Authorized Users List
- 3.4 Certificates
- 3.5 Advanced VPN Menu
- When to use
- Peer Profiles page
- Connection Profiles page
- 3.5.1 Peer Profiles Page
- 3.5.2 Authentication Page
- 3.5.3 Peer Descriptors Page
- 3.5.4 Peer Options Page
- 3.5.5 VPN-Client Page
- 3.5.6 VPN-Server Page
- 3.5.7 VPN-Server-XAuth Page
- 3.5.8 Connection Profiles Page
- 3.5.9 Networks Page
- 3.5.10 Connection Descriptors Page
- 3.5.11 Connection Options Page
- 3.5.12 Client Page
- 4 Configuration via the Command Line Interface
- In this chapter
- Reference network
- 4.1 Basic IPSec configuration procedure
- 4.2 Peer: Authentication Attribute
- 4.3 Peer Security Descriptor
- 4.4 Peer
- What is ...
- How is it used
- In this section
- 4.4.1 Peer parameters
- Parameters table
- Peer name [name]
- Remote Security Gateway identifier [remoteaddr]
- Backup remote Security Gateway Identifier [backupaddr]
- Exchange mode [exchmode]
- Local Identifier [localid]
- Remote Identifier [remoteid]
- Physical Interface [phyif]
- Peer descriptor [descr]
- Authentication Attribute [auth]
- client/server
- options
- 4.4.2 List all peer entities
- 4.4.3 Create a new peer entity
- 4.4.4 Set or modify the peer parameters
- 4.4.5 Delete a Peer entity
- 4.5 Connection Security Descriptor
- 4.6 Network Descriptor
- 4.7 Connection
- 4.8 Auxiliary Commands
- 4.9 Organisation of the IPSec Command Group
- 5 Troubleshooting SpeedTouch™ IPSec
- 6 Advanced Features
- In this section
- 6.1 IPSec and the Stateful Inspection Firewall
- 6.2 Surfing through the VPN tunnel
- 6.3 Extended Authentication (XAuth)
- 6.4 VPN Client
- 6.5 VPN Server
- 6.6 XAuth Users Pool
- Introduction
- 6.6.1 XAuth Pool parameters
- 6.6.2 Create a new XAuth pool
- 6.6.3 Modify the xauthpool type
- 6.6.4 Attach the xauthpool entity to the vpnserver entity
- 6.6.5 Delete an xauthpool entity
- 6.6.6 XAuth User parameters
- 6.6.7 Create a new XAuth user
- 6.6.8 Set or modify the password of an XAuth user
- 6.6.9 Delete an xauthuser entity
- 6.7 The Default Peer Concept
- 6.8 One Peer - Multiple Connections
- 6.9 Peer Options
- 6.10 Connection Options
- 6.11 Advanced Connection
- Need more help?
Chapter 4
Configuration via the Command Line Interface
E-DOC-CTC-20051017-0169 v0.1
122
Physical Interface [phyif] You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then
used as the primary carrier for your VPN connection. In general, the primary
untrusted interface is your DSL connection to the public Internet. On the DSL line,
various logical connections can be defined, eventually using different protocol
stacks (IpoA, PPPoE, PPPoA,…). The peer entity has to be tied to the correct IP
connection.
In the SpeedTouch™ the routing engine determines which interface is used for the
VPN connection (your DSL connection to the Internet in most cases). So, what is the
relevance to select a physical interface?
First of all, for incoming VPN connections where your SpeedTouch™ is the
responder in the IKE negotiations, the interface is part of the matching process for
accepting the connection. Selecting the default value any has the effect of removing
this matching criterion. If you select a specific interface as Primary Untrusted
Physical Interface, then a new incoming VPN connection on a backup interface is
not accepted.
Secondly, if your SpeedTouch™ is equipped with a backup physical interface, for
example an ISDN backup interface, then this field determines the preferred
interface for your VPN connection. This interface is used whenever it is available.
When this interface fails, the active VPN connections are re-routed via the backup
interface. When the primary interface becomes available again, the VPN
connections are re-routed to the primary interface. On the other hand, when you
select any as the Primary Untrusted Physical Interface and this interface fails, the
active VPN connections are also re-routed to the backup interface. But when the
DSL connection becomes available again, the VPN connections are not re-routed as
long as the backup connection is available.
Peer descriptor [descr] This parameter refers to the symbolic name of the Peer Security Descriptor to be
used for the IKE negotiation. Pre-defined as well as user-defined peer descriptors
can be referred to.
Authentication Attribute
[auth]
This parameter refers to the symbolic name of the applicable Authentication
Attribute. Either pre-shared key or certificates can be used for authentication. For
pre-shared key authentication, the pre-shared key value is part of this parameter. In
this document only pre-shared key authentication is considered.
client/server This optional parameter refers to a dialup VPN client/server descriptor. Client/server
connections are handled in chapter 6 as an advanced configuration.
options This parameter refers to the symbolic name of an option list. This option list
contains a number of options that modify the VPN behaviour. The options are
handled in chapter 6, discussing the advanced features. For a basic IPSec
configuration, no option list is selected.
The IPSec peer can also be tied to the LAN interface (eth0). This could be
useful to set up a secure connection with a local host within the local LAN
for testing purposes, or when a redundant gateway to the public Internet,
other than the SpeedTouch™, is present in the LAN.