Forgot password?
 Register now

Welcome to use this form to feedback your problems with Ruijie Community

The category of your feedback

Your Feedback

Your Email address (optional):

How to configure IPsec VPN on Reyee EG? Reply

GTAC-Sophia

Level 5

Ruijie Staff

How to configure IPsec VPN on Reyee EG?
2310 0 2024-4-7 16:41:53
Original
1. Configuring the IPsec Server
Choose One-Device > Gateway > Config > VPN >IPsec> IPsec SecurityPolicy.
1.1 Basic Settings
Click Add.In the dialog box that appears, set PolicyType to Server, enter the policyname and local subnet range, set the pre-shared key, and click OK.


Table 1-1 IPsec server basic settings
   Parameter
   
   Description
   
  Policy  Name
  
  Specify  the name of the IPsec security policy. The name must be a string of 1 to 28  characters.
  
  Internet    Format of the  IP address. Both IPv4 and IPv6 address formats are supported.  
  Interface
  
  Select  a local WAN port from the drop-down list box. The Peer Gateway parameter set for the communication peer (IPsec  client) must use the IP address of the WAN port specified here.
  
In  the multi-line scenario, you are advised to set this parameter to Auto.
  
  Key Exchange Version    Select the IKE version for SA negotiation.  There are two options available:  
> IKEv1: The negotiation of SA in  IKEv1 primarily consists of two phases.  


Phase  1: The purpose is to establish an IKE SA using one of two negotiation modes:  Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet  Security Association and Key Management Protocol) messages to complete the  negotiation, while Aggressive Mode only requires three ISAKMP messages.  Aggressive Mode offers faster IKE SA establishment. However, it combines key  exchange and identity authentication, which means it does not provide  identity protection.  


Phase  2: The purpose is to establish an IPsec SA for data transmission, utilizing a  fast exchange mode that requires only three ISAKMP messages to complete the  negotiation.
>
IKEv2: In IKEv2, the  negotiation process for SA is simplified. The establishment of one IKE SA and  one pair of IPsec SAs can be accomplished using two exchanges with four  messages. If there is a need to establish more than one pair of IPsec SAs,  only one additional exchange is needed for each pair. This enables the  negotiation to be completed with just two messages per pair.  
  Subnets
  
  Specify  the local subnet address range for the data flows to be protected, that is,  the LAN port network segment of the server. The value is the combination of  IP address and subnet mask.
  
  Pre-shared  Key
  
  Specify  the same pre-shared key as the credential for authentication between  communicating parties. For higher security, different peers must be  configured with different pre-shared keys. That is, a pair of interface bound  to the IPsec server and peer gateway of the IPsec client must be configured  with the same unique pre-shared key.
  
  Status
  
  Specify  whether to enable the security policy.
  
1. 2. Advanced Settings (Phase 1)
  • The key exchange version in the basic setting is IKEv1:
    Click 1.Set IKE Policy to expand the configuration items. Keep the default settingsunless otherwise specified.

  • The key exchange version in the basic setting is IKEv2:
   Click IKE Policy to expand the configuration items. Keep the default settings unlessotherwise specified.

Table 1-2 IPsec server IKE policy configuration
   Parameter
   
   Description
   
  IKE  Policy
  
  Select  the hash algorithm, encryption algorithm, and Diffie-Hellman (DH) group ID  used by the IKE protocol. An IKE policy is composed of the three parameters.  You can set five sets of IKE policies. To ensure successful IKE negotiation,  the two parties engaged in IKE negotiation must have at least one set of  consistent IKE policy.
  
>Hash algorithm:
  
sha1: SHA-1 algorithm  

md5:  MD5 algorithm  
>Encryption algorithm:  

des: DES algorithm  using 56-bit keys
  
3des: 3DES algorithm  using 168-bit keys  

aes-128:  AES algorithm using 128-bit keys
  
aes-192:  AES algorithm using 192-bit keys  

aes-256:  AES algorithm using 256-bit keys  
>DH group ID:  

dh1:  768-bit DH group  

dh2:  1024-bit DH group  

dh5:  1536-bit DH group  
  Negotiation  Mode
  
  Select  Main Mode or Aggressive Mode. The negotiation mode on the IPsec server and  IPsec client must be the same.

>Main  Mode: Generally, this mode is applicable to communication between fixed  public network IP addresses and point-to-point communication between devices.  In this mode, the peer identity is authenticated to provide high security.  
>Aggressive  Mode: The public network IP addresses obtained by ADSL dial-up users are  not fixed and an NAT device may exist. Therefore, the aggressive mode is used  to implement NAT traversal. In this mode, you need to set the local and peer  ID type to NAME as the IP address is not fixed. The aggressive mode  does not authenticate the peer identity, so it has low security.  
  Local/Peer  ID Type
  
  Specify  the ID type of the local or peer device. The local ID type of the peer device  must be the same as the peer ID type of the local device.
  
>IP: The IP address is used as the identity  ID. The IDs of the local and peer devices are generated automatically.  
>NAME: The host character string is used as  the identity ID. The IDs of the local and peer devices are generated  automatically. When the IP address is not fixed, you need to set Local ID  Type to NAME and modify the peer device settings accordingly. In  this case, you also need to configure the host character string that is used  as the identity ID.  
  Local/Peer  ID
  
When  the local or peer ID type is set to NAME,  you also need to host character string that is used as the identity ID. The  local ID of the peer device must be the same as peer ID of the local device.
  
  Lifetime
  
Specify  the lifetime of the IKE SA. (The negotiated IKE SA lifetime prevails.) You  are advised to use the default value.
  
  DPD
  
Specify  whether to enable Dead Peer Detection (DPD) to detect the IPsec neighbor  status. After DPD is enabled, if the receiver does not receive IPsec  encrypted packets from the peer within the DPD detection interval, DPD query  will be triggered and the receiver actively sends a request packet to detect  whether the IKE peer exists.
  You  are advised to configure DPD when links are unstable.
  
  DPD  Interval
  
Specify  the DPD detection interval. That is, the interval for triggering DPD query.  You are advised to keep the default setting.
  
1. 3  Advanced Settings (Phase 2)
Click Connection Policy to expand the configuration items. Keep the defaultsettings unless otherwise specified.

Table 1-3 IPsec server connection policy configuration
   Parameter
   
   Description
   
  Transform  Set
  
  Specify  the set of security protocol and algorithms. During IPsec SA negotiation, the  two parties use the same transform set to protect specific data flow. The  transform set on the IPsec server and IPsec client must be the same.
  
>Security protocol: The Encapsulating Security Payload (ESP)  protocol provides data source authentication, data integrity check, and  anti-replay functions for IPsec connections and guarantees data confidentiality.  
>Verification algorithm:
  sha1: SHA-1 HMAC  
md5: MD5 HMAC  
>Encryption algorithm:  
des: DES algorithm using 56-bit keys  
3des: 3DES algorithm using 168-bit keys  
aes-128: AES algorithm using 128-bit keys  
aes-192: AES algorithm using 192-bit keys  
aes-256: AES algorithm using 256-bit keys  
  Perfect  Forward Secrecy
  
Perfect  Forward Secrecy (PFS) is a security feature that can guarantee the security  of other keys when one key is cracked, because there is no derivative  relationship among the keys. After PFS is enabled, temporary private key  exchange is performed when an IKE negotiation is initiated using a security  policy. If PFS is configured on the local device, it must also be configured  on the peer device that initiates negotiation and the DH group specified on  the local and peer devices must be the same. Otherwise, negotiation will  fail.
  none: Disable PFS.
>d1: 768-bit DH group
>d2: 1024-bit DH group
>d5: 1536-bit DH group  
By default,  PFS is disabled.  
  Lifetime
Indicates the  duration of an IPSec tunnel, which defines the time for data transmission  over the IPSec tunnel.  
1.4 Configuring the IPsec Client
Choose One-Device > Gateway > Config > VPN > IPsec> IPsec Security Policy.
Click Add.In the dialog box that appears, set PolicyType to Client, enter the policyname, peer gateway, local subnet range, and peer subnet range, set thepre-shared key, and click OK.


Table 1-4 IPsec client basic settings
   Parameter
   
   Description
   
  Policy  Name
  
  Specify  the name of the IPsec security policy. The name must be a string of 1 to 28 characters.
  
  Internet    Format of the  IP address. Both IPv4 and IPv6 address formats are supported.  
  Peer  Gateway
  
  Enter  the IP address or domain name of the peer device.
  
  Interface
  
  Select  a WAN port used locally from the drop-down list box. In the multi-line scenario,  you are advised to set this parameter to Auto.
  
  Key Exchange Version    Select the IKE version for SA negotiation.  There are two options available:
>IKEv1: The negotiation of SA in  IKEv1 primarily consists of two phases.  
Phase 1: The purpose is to establish an IKE SA using one of two negotiation modes:  Main Mode and Aggressive Mode. Main Mode requires six ISAKMP (Internet  Security Association and Key Management Protocol) messages to complete the  negotiation, while Aggressive Mode only requires three ISAKMP messages.  Aggressive Mode offers faster IKE SA establishment. However, it combines key  exchange and identity authentication, which means it does not provide  identity protection.  
Phase 2: The purpose is to establish an IPsec SA for data transmission, utilizing a  fast exchange mode that requires only three ISAKMP messages to complete the  negotiation.  
>IKEv2: In IKEv2, the negotiation process for SA is simplified. The  establishment of one IKE SA and one pair of IPsec SAs can be accomplished  using two exchanges with four messages. If there is a need to establish more  than one pair of IPsec SAs, only one additional exchange is needed for each  pair. This enables the negotiation to be completed with just two messages per  pair.  
  Local  Subnets
  
  Specify  the local subnet address range for the data flows to be protected, that is,  the LAN port network segment of the server. The value is the combination of  IP address and subnet mask.
  Peer  Subnets
  
  Specify  the peer subnet address range for the data flows to be protected, that is,  the LAN port network segment of the client. The value is the combination of  IP address and subnet mask.
  Pre-shared  Key
Configure  the pre-shared key the same as that on the IPsec server.
  Status
  Specify  whether to enable the security policy.
1.5. Viewing the IPsec Connection Status
Choose One-Device > Gateway > Config > VPN > IPsec >IPsec Connection Status.
You can view the IPsec tunnel connectionstatus on the current page.

Table 1-5 IPsec tunnel connection status information
   Parameter
   
   Description
   
  Name
  
  Indicate  the security policy name on the IPsec server or client.
  
  SPI
  
  Indicate  the Security Parameter Index (SPI) of the IPsec connection, used to associate  the received IPsec data packets with the corresponding SA. The SPI of each  IPsec connection must be unique.
  
  Direction
  
  Indicate  the direction of the IPsec connection. The value in indicates inbound, and the value out indicates outbound.
  
  Tunnel  Client
  
  Indicate  the gateway addresses on two ends of the IPsec connection. The arrow  indicates the direction of data flows to be protected by the current tunnel.
  
  Flow
  
  Indicate  the subnet range on two ends of the IPsec connection. The arrow indicates the  direction of data flows to be protected by the current tunnel.
  
  Status
  
  Indicate  the IPsec tunnel connection status.
  
  Security  Protocol
  
  Indicate  the security protocol used by the IPsec connection.
  
  Algorithm
  
  Indicate  the encryption algorithm and authentication algorithm used by the IPsec  connection.
  
RG-EG105G V2

Technical Introduction Router
There are no replies.
Related Posts
Product Model

Share this topic to

Cancel

This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.

More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.

©2000-2023 Ruijie Networks Co,Ltd