SpeedTouchTM608WL and SpeedTouchTM620 only SpeedTouchTM608(WL)/620
Table Of Contents
- Contents
- About this IPSec Configuration Guide
- 1 IPSec: Concept for secure IP connections
- 2 SpeedTouch™ IPSec terminology
- 3 Configuration via Local Pages
- Prerequisites
- IPSec Web Pages
- VPN Menu
- In this section
- 3.1 LAN to LAN Application
- Reference network
- Selecting the LAN to LAN application
- Outline of a configuration procedure
- 3.1.1 Remote Gateway Address Known Page
- VPN context
- Initial page
- Buttons
- Remote Gateway
- Miscellaneous
- IKE Security Descriptors
- Page layout with additional Descriptors
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Example of a completed page
- Buttons
- 3.1.2 Remote Gateway Address Unknown Page
- VPN context
- Example
- Aggressive Mode initial page
- Aggressive Mode versus Main Mode
- Buttons
- Miscellaneous
- IKE Security Descriptors
- Page layout with additional Descriptors
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Main Mode initial page
- Buttons
- IKE Security Descriptors
- Page layout with additional Descriptors
- Miscellaneous
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Main mode expanded page
- Identification & Interface
- Example of a completed page
- Buttons
- 3.1.3 Connections Page
- 3.2 VPN Client
- VPN context
- Advantages of the SpeedTouch™ VPN Client
- Selecting the VPN Client application
- Outline of a VPN Client configuration procedure
- 3.2.1 VPN Client Page
- Initial page
- Buttons
- Server IP Address or FQDN
- Backup Server IP Address or FQDN
- IKE Security Descriptor
- IPSec Security Descriptor
- Exchange Mode
- Server Vendor
- Primary Untrusted Physical Interface
- Virtual IP mapping
- Optional Remote network
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Starting and stopping a VPN client connection
- Page layout for Automatic Start
- Local LAN IP Range
- Set of Server Vendor specific parameters
- Configuring XAuth
- 3.2.2 Starting the VPN Client Connection
- 3.2.3 Closing a Connection
- 3.3 VPN Server
- VPN context
- Selecting the VPN Server application
- Outline of a VPN server configuration procedure
- 3.3.1 VPN Server Page
- Initial page
- Buttons
- Local Trusted Network
- Page layout with additional Networks
- IKE Security Descriptor
- Page layout with additional Descriptors
- IPSec Security Descriptor
- Page layout with additional Descriptors
- Miscellaneous
- VPN Server settings
- Page layout for pre- shared key authentication
- IKE Authentication with Preshared Key
- Page layout for certificate authentication
- IKE Authentication: Certificate parameters
- Authorized Users List
- 3.4 Certificates
- 3.5 Advanced VPN Menu
- When to use
- Peer Profiles page
- Connection Profiles page
- 3.5.1 Peer Profiles Page
- 3.5.2 Authentication Page
- 3.5.3 Peer Descriptors Page
- 3.5.4 Peer Options Page
- 3.5.5 VPN-Client Page
- 3.5.6 VPN-Server Page
- 3.5.7 VPN-Server-XAuth Page
- 3.5.8 Connection Profiles Page
- 3.5.9 Networks Page
- 3.5.10 Connection Descriptors Page
- 3.5.11 Connection Options Page
- 3.5.12 Client Page
- 4 Configuration via the Command Line Interface
- In this chapter
- Reference network
- 4.1 Basic IPSec configuration procedure
- 4.2 Peer: Authentication Attribute
- 4.3 Peer Security Descriptor
- 4.4 Peer
- What is ...
- How is it used
- In this section
- 4.4.1 Peer parameters
- Parameters table
- Peer name [name]
- Remote Security Gateway identifier [remoteaddr]
- Backup remote Security Gateway Identifier [backupaddr]
- Exchange mode [exchmode]
- Local Identifier [localid]
- Remote Identifier [remoteid]
- Physical Interface [phyif]
- Peer descriptor [descr]
- Authentication Attribute [auth]
- client/server
- options
- 4.4.2 List all peer entities
- 4.4.3 Create a new peer entity
- 4.4.4 Set or modify the peer parameters
- 4.4.5 Delete a Peer entity
- 4.5 Connection Security Descriptor
- 4.6 Network Descriptor
- 4.7 Connection
- 4.8 Auxiliary Commands
- 4.9 Organisation of the IPSec Command Group
- 5 Troubleshooting SpeedTouch™ IPSec
- 6 Advanced Features
- In this section
- 6.1 IPSec and the Stateful Inspection Firewall
- 6.2 Surfing through the VPN tunnel
- 6.3 Extended Authentication (XAuth)
- 6.4 VPN Client
- 6.5 VPN Server
- 6.6 XAuth Users Pool
- Introduction
- 6.6.1 XAuth Pool parameters
- 6.6.2 Create a new XAuth pool
- 6.6.3 Modify the xauthpool type
- 6.6.4 Attach the xauthpool entity to the vpnserver entity
- 6.6.5 Delete an xauthpool entity
- 6.6.6 XAuth User parameters
- 6.6.7 Create a new XAuth user
- 6.6.8 Set or modify the password of an XAuth user
- 6.6.9 Delete an xauthuser entity
- 6.7 The Default Peer Concept
- 6.8 One Peer - Multiple Connections
- 6.9 Peer Options
- 6.10 Connection Options
- 6.11 Advanced Connection
- Need more help?
Chapter 3
Configuration via Local Pages
E-DOC-CTC-20051017-0169 v0.1
80
Primary Untrusted
Physical Interface
This field shows a list of your SpeedTouch™ interfaces. You select the preferred
Primary Untrusted Physical Interface. This interface is used as the primary carrier
for your VPN connection. In general, the primary untrusted interface is your DSL
connection to the public Internet. On the DSL line, various logical connections can
be defined, eventually using different protocol stacks (IpoA, PPPoE, PPPoA,…). The
peer entity has to be tied to the correct IP connection.
In the SpeedTouch™ the routing engine determines which interface is used for the
VPN connection (your DSL connection to the Internet in most cases). So, what is the
relevance to select a physical interface?
First of all, for incoming VPN connections where your SpeedTouch™ is the
responder in the IKE negotiations, the interface is part of the matching process for
accepting the connection. Selecting the default value any has the effect of removing
this matching criterion. If you select a specific interface as Primary Untrusted
Physical Interface, then a new incoming VPN connection on a backup interface is
not accepted.
Secondly, if your SpeedTouch™ is equipped with a backup physical interface, for
example an ISDN backup interface, then this field determines the preferred
interface for your VPN connection. This interface is used whenever it is available.
When this interface fails, the active VPN connections are re-routed via the backup
interface. When the primary interface becomes available again, the VPN
connections are re-routed to the primary interface. On the other hand, when you
select any as the Primary Untrusted Physical Interface and this interface fails, the
active VPN connections are also re-routed to the backup interface. But when the
DSL connection becomes available again, the VPN connections are not re-routed as
long as the backup connection is available.
Exchange mode Select the exchange mode used during the Phase 1 negotiation. The SpeedTouch™
supports both main mode and aggressive mode.
Authentication Select from the list the symbolic name of the applicable Authentication Attribute.
Either pre-shared key or certificates can be used for authentication. Authentication
Attributes are defined on the Authentication sub-page. See “3.5.2 Authentication
Page” on page 82.
Peer Descriptor Select from the list the symbolic name of a Peer Security Descriptor to be used for
the IKE negotiation. Up to four Descriptors can be selected in the Profiles page.
These Descriptors are presented as alternative proposals during the IKE
negotiations. Peer Security Descriptors are managed on the Peer Descriptors sub-
page. See “3.5.3 Peer Descriptors Page” on page 83.
Client/Server This optional parameter refers to a dialup VPN Client/Server descriptor. Client/
Server parameters are managed on separate sub-pages. See “3.5.5 VPN-Client
Page” on page 86 for the VPN client configuration. See “3.5.6 VPN-Server Page” on
page 88 for the VPN server configuration.
The IPSec peer can also be tied to the LAN interface (eth0). This could be
useful to set up a secure connection with a local host within the local LAN
for testing purposes, or when a redundant gateway to the public Internet,
other than the SpeedTouch™, is present in the LAN.