zhangqiao@ruiji Publish time 2024-4-7 16:41:53

How to configure IPsec VPN on Reyee EG?

1. Configuring the IPsec Server
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Security Policy.
1.1 Basic Settings
Click Add. In the dialog box that appears, set Policy Type to Server, enter the policy name and local subnet range, set the pre-shared key, and click OK.
Table 1-1 IPsec server basic settings

Parameter / Description

Policy Name
Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters.

Internet
Format of the IP address. Both IPv4 and IPv6 address formats are supported.

Interface
Select a local WAN port from the drop-down list box. The Peer Gateway parameter set for the communication peer (IPsec client) must use the IP address of the WAN port specified here.
In the multi-line scenario, you are advised to set this parameter to Auto.

Key Exchange Version
Select the IKE version for SA negotiation. There are two options available:
> IKEv1: The negotiation of SA in IKEv1 primarily consists of two phases.
○ Phase 1: The purpose is to establish an IKE SA using one of two negotiation modes: Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode only requires three ISAKMP messages. Aggressive Mode offers faster IKE SA establishment. However, it combines key exchange and identity authentication, which means it does not provide identity protection.
○ Phase 2: The purpose is to establish an IPsec SA for data transmission, utilizing a fast exchange mode that requires only three ISAKMP messages to complete the negotiation.
> IKEv2: In IKEv2, the negotiation process for SA is simplified. The establishment of one IKE SA and one pair of IPsec SAs can be accomplished using two exchanges with four messages. If there is a need to establish more than one pair of IPsec SAs, only one additional exchange is needed for each pair. This enables the negotiation to be completed with just two messages per pair.

Subnets
Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask.

Pre-shared Key
Specify the same pre-shared key as the credential for authentication between communicating parties. For higher security, different peers must be configured with different pre-shared keys. That is, each pair consisting of the interface bound to the IPsec server and the peer gateway of the IPsec client must be configured with its own unique pre-shared key, and both ends of that pair must use the same key.

Status
Specify whether to enable the security policy.

1.2 Advanced Settings (Phase 1)

> If the key exchange version in the basic settings is IKEv1: click 1. Set IKE Policy to expand the configuration items. Keep the default settings unless otherwise specified.
> If the key exchange version in the basic settings is IKEv2: click IKE Policy to expand the configuration items. Keep the default settings unless otherwise specified.
Table 1-2 IPsec server IKE policy configuration

Parameter / Description

IKE Policy
Select the hash algorithm, encryption algorithm, and Diffie-Hellman (DH) group ID used by the IKE protocol. An IKE policy is composed of these three parameters. You can set five sets of IKE policies. To ensure successful IKE negotiation, the two parties engaged in IKE negotiation must have at least one consistent set of IKE policy.
> Hash algorithm:
○ sha1: SHA-1 algorithm
○ md5: MD5 algorithm
> Encryption algorithm:
○ des: DES algorithm using 56-bit keys
○ 3des: 3DES algorithm using 168-bit keys
○ aes-128: AES algorithm using 128-bit keys
○ aes-192: AES algorithm using 192-bit keys
○ aes-256: AES algorithm using 256-bit keys
> DH group ID:
○ dh1: 768-bit DH group
○ dh2: 1024-bit DH group
○ dh5: 1536-bit DH group

Negotiation Mode
Select Main Mode or Aggressive Mode. The negotiation mode on the IPsec server and IPsec client must be the same.
> Main Mode: Generally, this mode is applicable to communication between fixed public network IP addresses and point-to-point communication between devices. In this mode, the peer identity is authenticated to provide high security.
> Aggressive Mode: The public network IP addresses obtained by ADSL dial-up users are not fixed and a NAT device may exist. Therefore, the aggressive mode is used to implement NAT traversal. In this mode, you need to set the local and peer ID type to NAME as the IP address is not fixed. The aggressive mode does not authenticate the peer identity, so it has low security.

Local/Peer ID Type
Specify the ID type of the local or peer device. The local ID type of the peer device must be the same as the peer ID type of the local device.
> IP: The IP address is used as the identity ID. The IDs of the local and peer devices are generated automatically.
> NAME: The host character string is used as the identity ID. The IDs of the local and peer devices are generated automatically. When the IP address is not fixed, you need to set Local ID Type to NAME and modify the peer device settings accordingly. In this case, you also need to configure the host character string that is used as the identity ID.

Local/Peer ID
When the local or peer ID type is set to NAME, you also need to specify the host character string that is used as the identity ID. The local ID of the peer device must be the same as the peer ID of the local device.

Lifetime
Specify the lifetime of the IKE SA. (The negotiated IKE SA lifetime prevails.) You are advised to use the default value.

DPD
Specify whether to enable Dead Peer Detection (DPD) to detect the IPsec neighbor status. After DPD is enabled, if the receiver does not receive IPsec encrypted packets from the peer within the DPD detection interval, a DPD query is triggered and the receiver actively sends a request packet to detect whether the IKE peer still exists.
You are advised to configure DPD when links are unstable.

DPD Interval
Specify the DPD detection interval, that is, the interval for triggering a DPD query. You are advised to keep the default setting.

1.3 Advanced Settings (Phase 2)
Click Connection Policy to expand the configuration items. Keep the default settings unless otherwise specified.
Table 1-3 IPsec server connection policy configuration

Parameter / Description

Transform Set
Specify the set of security protocol and algorithms. During IPsec SA negotiation, the two parties use the same transform set to protect a specific data flow. The transform set on the IPsec server and IPsec client must be the same.
> Security protocol: The Encapsulating Security Payload (ESP) protocol provides data source authentication, data integrity check, and anti-replay functions for IPsec connections and guarantees data confidentiality.
> Verification algorithm:
○ sha1: SHA-1 HMAC
○ md5: MD5 HMAC
> Encryption algorithm:
○ des: DES algorithm using 56-bit keys
○ 3des: 3DES algorithm using 168-bit keys
○ aes-128: AES algorithm using 128-bit keys
○ aes-192: AES algorithm using 192-bit keys
○ aes-256: AES algorithm using 256-bit keys

Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) is a security feature that can guarantee the security of other keys when one key is cracked, because there is no derivative relationship among the keys. After PFS is enabled, a temporary private key exchange is performed when an IKE negotiation is initiated using a security policy. If PFS is configured on the local device, it must also be configured on the peer device that initiates negotiation, and the DH group specified on the local and peer devices must be the same. Otherwise, negotiation will fail.
> none: Disable PFS.
> d1: 768-bit DH group
> d2: 1024-bit DH group
> d5: 1536-bit DH group
By default, PFS is disabled.

Lifetime
Indicates the duration of an IPsec tunnel, which defines the time for data transmission over the IPsec tunnel.
1.4 Configuring the IPsec Client
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Security Policy.
Click Add. In the dialog box that appears, set Policy Type to Client, enter the policy name, peer gateway, local subnet range, and peer subnet range, set the pre-shared key, and click OK.
Table 1-4 IPsec client basic settings

Parameter / Description

Policy Name
Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters.

Internet
Format of the IP address. Both IPv4 and IPv6 address formats are supported.

Peer Gateway
Enter the IP address or domain name of the peer device.

Interface
Select a WAN port used locally from the drop-down list box. In the multi-line scenario, you are advised to set this parameter to Auto.

Key Exchange Version
Select the IKE version for SA negotiation. There are two options available:
> IKEv1: The negotiation of SA in IKEv1 primarily consists of two phases.
○ Phase 1: The purpose is to establish an IKE SA using one of two negotiation modes: Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode only requires three ISAKMP messages. Aggressive Mode offers faster IKE SA establishment. However, it combines key exchange and identity authentication, which means it does not provide identity protection.
○ Phase 2: The purpose is to establish an IPsec SA for data transmission, utilizing a fast exchange mode that requires only three ISAKMP messages to complete the negotiation.
> IKEv2: In IKEv2, the negotiation process for SA is simplified. The establishment of one IKE SA and one pair of IPsec SAs can be accomplished using two exchanges with four messages. If there is a need to establish more than one pair of IPsec SAs, only one additional exchange is needed for each pair. This enables the negotiation to be completed with just two messages per pair.

Local Subnets
Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask.

Peer Subnets
Specify the peer subnet address range for the data flows to be protected, that is, the LAN port network segment of the client. The value is the combination of IP address and subnet mask.

Pre-shared Key
Configure the pre-shared key the same as that on the IPsec server.

Status
Specify whether to enable the security policy.
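As an added example (the editor's own code, not part of the original post or of the Reyee product), the matching rules stated in Tables 1-2, 1-3 and 1-4 can be turned into a pre-flight check that compares a server policy with a client policy before either is enabled, and separately flags the legacy algorithm options from the tables. The dataclass field names, the WEAK set and the two sample policies are assumptions constructed for this example.

```python
# Added example (editor's code, not from the Reyee documentation): checks whether a
# server policy and a client policy satisfy the matching rules stated in the tables
# above and flags legacy options. Field names and sample values are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class IpsecPolicy:
    ike_version: str      # "IKEv1" or "IKEv2" (Key Exchange Version)
    ike_policies: tuple   # up to five (hash, encryption, DH group) sets
    negotiation_mode: str # "main" or "aggressive"; IKEv1 only
    local_id_type: str    # "IP" or "NAME"
    peer_id_type: str
    transform_set: tuple  # (security protocol, verification, encryption)
    pfs: str              # "none", "d1", "d2" or "d5"
    psk: str              # pre-shared key

# Options from the tables that the editor treats as legacy (an editor's list, not the page's).
WEAK = {"des", "3des", "md5", "dh1", "dh2", "d1", "d2"}

def check_pair(server, client):
    """Return the mismatches that would make IKE or IPsec SA negotiation fail."""
    problems = []
    if server.ike_version != client.ike_version:
        problems.append("IKE version mismatch")
    if not set(server.ike_policies) & set(client.ike_policies):
        problems.append("no common IKE policy")  # peers need one identical set
    if server.ike_version == "IKEv1" and server.negotiation_mode != client.negotiation_mode:
        problems.append("negotiation mode mismatch")
    if (server.local_id_type, server.peer_id_type) != (client.peer_id_type, client.local_id_type):
        problems.append("local/peer ID type mismatch")  # types are cross-matched
    if server.transform_set != client.transform_set:
        problems.append("transform set mismatch")
    if server.pfs != client.pfs:
        problems.append("PFS DH group mismatch")
    if server.psk != client.psk:
        problems.append("pre-shared key mismatch")
    return problems

def weak_choices(policy):
    """List legacy algorithms in use, plus aggressive mode (no identity protection)."""
    used = {a for s in policy.ike_policies for a in s} | set(policy.transform_set) | {policy.pfs}
    found = sorted(used & WEAK)
    if policy.ike_version == "IKEv1" and policy.negotiation_mode == "aggressive":
        found.append("aggressive mode")
    return found

# Constructed sample: the client matches one of the server's IKE sets but leaves PFS off.
SERVER = IpsecPolicy("IKEv1", (("sha1", "aes-256", "dh5"), ("md5", "3des", "dh2")),
                     "main", "IP", "IP", ("esp", "sha1", "aes-256"), "d5", "example-psk")
CLIENT = replace(SERVER, ike_policies=(("sha1", "aes-256", "dh5"),), pfs="none")
```

Running check_pair(SERVER, CLIENT) reports only the PFS mismatch, which is exactly the Phase 2 failure Table 1-3 warns about, while weak_choices(SERVER) points at the md5/3des/dh2 policy set the server still offers.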

1.5 Viewing the IPsec Connection Status
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Connection Status.
You can view the IPsec tunnel connection status on the current page.
Table 1-5 IPsec tunnel connection status information

Parameter / Description

Name
Indicates the security policy name on the IPsec server or client.

SPI
Indicates the Security Parameter Index (SPI) of the IPsec connection, used to associate the received IPsec data packets with the corresponding SA. The SPI of each IPsec connection must be unique.

Direction
Indicates the direction of the IPsec connection. The value in indicates inbound, and the value out indicates outbound.

Tunnel Client
Indicates the gateway addresses on the two ends of the IPsec connection. The arrow indicates the direction of the data flows to be protected by the current tunnel.

Flow
Indicates the subnet range on the two ends of the IPsec connection. The arrow indicates the direction of the data flows to be protected by the current tunnel.

Status
Indicates the IPsec tunnel connection status.

Security Protocol
Indicates the security protocol used by the IPsec connection.

Algorithm
Indicates the encryption algorithm and authentication algorithm used by the IPsec connection.
