User Documentation

Version 1.2 / August 2020 Page 54 / 102
Enable NAT traversal
NAT traversal is required when a router between the local and the remote side performs Network Address Translation (NAT).
Note: IPsec pass-through will break NAT traversal! If your router supports it, you must disable IPsec pass-through!
Limit MTU
NAT traversal encapsulates IP packets, which may increase fragmentation and thus reduce network performance. If this happens, it may help to slightly reduce the size of outgoing packets (MTU).
Enable PFS
With Perfect Forward Secrecy (PFS) a session key (signed by the private key) is used to encrypt the data instead of the private key itself. This session key is renewed after a relatively short time. Thus, even if the private key (certificate) gets compromised, previous communication cannot be decrypted by someone else, since the temporary session keys cannot be recovered. Therefore, PFS further increases security.
Enable aggressive mode
Enables IPsec aggressive mode.
Uplink interface
The uplink interface on which the IPsec tunnel is to be established.
Local next hop
To reach the remote site, IPsec may need to know explicitly the IP address or hostname of the next router. For example, this can be the router that connects your LAN to the internet.
Use default route
Use the default gateway (either set manually or by a DSL connection) as next hop.
Local Subnet
This is the local subnet whose traffic to the remote subnet is encrypted when it leaves via the given interface. The subnet must be given as IP/network mask, e.g. 192.168.0.0/24. If no subnet is given, the IP address of the interface itself is used.
Note: The local and remote subnet must not be equal!
Note: Routed traffic is not encrypted in general! Only traffic between exactly the local and the remote network gets encrypted! For instance, if you use two Weidmüller Security Routers and leave both subnets empty, the IPsec tunnel will be established between the two routers. Then only traffic originating from one router and destined to the other router is encrypted. Traffic from the networks behind them that is routed via both devices is not encrypted at all.
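To make the two subnet notes above concrete, here is an added Python example (not part of the Weidmüller documentation or firmware) that applies the rules as stated: a subnet is parsed as IP/network mask, an empty field falls back to the interface's own address, local and remote must not be equal, and only a packet whose source lies in the local subnet and whose destination lies in the remote subnet counts as protected. The router and LAN host addresses are constructed for the example; the IP-family and overlap checks go beyond the page and are added sanity checks.

```python
from __future__ import annotations

import ipaddress
from typing import Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def resolve_subnet(cidr: str, interface_ip: str) -> Network:
    """Apply the page's rule for a subnet field.

    A subnet is written as IP/network mask, e.g. 192.168.0.0/24.  If the field
    is left empty, the address of the interface itself is used, i.e. a single
    host (/32 for IPv4, /128 for IPv6).
    """
    cidr = cidr.strip()
    if not cidr:
        addr = ipaddress.ip_address(interface_ip)
        return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    # strict=False accepts "192.168.0.5/24" and normalises it to 192.168.0.0/24
    return ipaddress.ip_network(cidr, strict=False)


def validate_subnets(local: Network, remote: Network) -> list[str]:
    """Return a list of configuration problems (empty means OK).

    The equality rule is the one from the page; the IP-family and overlap
    checks are extra sanity checks added in this example.
    """
    problems: list[str] = []
    if local.version != remote.version:
        problems.append("local and remote subnet use different IP versions")
    elif local == remote:
        problems.append("local and remote subnet must not be equal")
    elif local.overlaps(remote):
        problems.append(f"local subnet {local} overlaps remote subnet {remote}")
    return problems


def is_protected(local: Network, remote: Network, src: str, dst: str) -> bool:
    """True only when a packet matches exactly the local -> remote selector.

    This is the behaviour the page warns about: traffic is encrypted only if
    its source lies in the local subnet AND its destination in the remote one.
    """
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def scenario(local_cidr: str, remote_cidr: str) -> dict[str, bool]:
    """Constructed setup: two routers with documentation addresses
    (203.0.113.1 and 198.51.100.1) and one LAN host behind each
    (192.168.1.10 and 192.168.2.10).  Returns which flows the tunnel protects."""
    local = resolve_subnet(local_cidr, "203.0.113.1")
    remote = resolve_subnet(remote_cidr, "198.51.100.1")
    return {
        "router_to_router": is_protected(local, remote, "203.0.113.1", "198.51.100.1"),
        "lan_to_lan": is_protected(local, remote, "192.168.1.10", "192.168.2.10"),
    }


if __name__ == "__main__":
    # Both subnet fields empty: only router-to-router traffic is protected.
    print("both subnets empty:", scenario("", ""))
    # LAN subnets configured: the traffic between the two LANs is protected instead.
    print("LAN subnets set:   ", scenario("192.168.1.0/24", "192.168.2.0/24"))
```

Running the block prints the two cases side by side: with both fields empty the LAN-to-LAN flow is reported as unprotected, which is exactly the situation the second note describes.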
Authentication method
Either use a pre-shared key (PSK) or a certificate for authentication. Using certificates is recommended, since it is much more secure than using PSKs.
PSK
This is the pre-shared key (must be identical on both sides).
Note: Do not use simple words or phrases! A PSK should be a random sequence of 48 characters in base64 format.
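As an added example that is not part of the documentation, the following Python generates a PSK meeting the recommendation above (36 bytes from the operating system's random source, which encode to exactly 48 base64 characters without padding) and checks a candidate PSK against it. The Shannon-entropy threshold used to reject words and phrases is an assumption chosen for this example, not a value from the page.

```python
import base64
import math
import re
import secrets
from collections import Counter

# The page recommends a random sequence of 48 characters in base64 format.
# 48 base64 characters without padding encode exactly 36 random bytes (36 * 8 / 6 = 48).
PSK_LENGTH = 48
PSK_RAW_BYTES = 36
_BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")
# Threshold assumed for this example: a random 48-character base64 string has well
# above 4 bits of Shannon entropy per character; words, phrases and repeated
# patterns fall below it.
MIN_BITS_PER_CHAR = 4.0


def generate_psk() -> str:
    """Create a fresh PSK from the OS CSPRNG (secrets), encoded as 48 base64 characters."""
    return base64.b64encode(secrets.token_bytes(PSK_RAW_BYTES)).decode("ascii")


def bits_per_char(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_psk(psk: str) -> list[str]:
    """Return the ways a candidate PSK falls short of the page's recommendation.

    An empty list means: 48 characters, base64 alphabet only, and a character
    distribution that looks random rather than like a word or phrase.
    """
    problems: list[str] = []
    if len(psk) != PSK_LENGTH:
        problems.append(f"length is {len(psk)}, expected {PSK_LENGTH}")
    if not _BASE64_ALPHABET.fullmatch(psk):
        problems.append("contains characters outside the base64 alphabet")
    if bits_per_char(psk) < MIN_BITS_PER_CHAR:
        problems.append("character distribution looks like a word or phrase, not random data")
    return problems


if __name__ == "__main__":
    psk = generate_psk()
    print("generated PSK (configure the same value on both sides):", psk)
    print("problems with generated PSK:", check_psk(psk))
    print("problems with 'password':", check_psk("password"))
```

The generated key has to be entered identically on both peers; the checker is meant for auditing keys that were typed in by hand, since a key that fails the length or entropy test is the "simple word or phrase" the note warns against.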
Certificate
This certificate is sent to the remote peer to authenticate this site. New certificates can be uploaded under Configuration > General setting > Certificates.
Send certificates
For security reasons, certificates are usually only sent on demand. However, this breaks compatibility with some vendors, such as Cisco and Safenet. Set this option to "always" in this case.