1. Configuring the IPsec Server
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Security Policy.
1.1 Basic Settings
Click Add. In the dialog box that appears, set Policy Type to Server, enter the policy name and local subnet range, set the pre-shared key, and click OK.
Table 1-1 IPsec server basic settings

| Parameter | Description |
| --- | --- |
| Policy Name | Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters. |
| Internet | Format of the IP address. Both IPv4 and IPv6 address formats are supported. |
| Interface | Select a local WAN port from the drop-down list box. The Peer Gateway parameter set on the communication peer (the IPsec client) must use the IP address of the WAN port specified here. In the multi-line scenario, you are advised to set this parameter to Auto. |
| Key Exchange Version | Select the IKE version for SA negotiation. Two options are available. IKEv1: SA negotiation consists of two phases. Phase 1 establishes an IKE SA using one of two negotiation modes, Main Mode or Aggressive Mode; Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode requires only three, so it establishes the IKE SA faster, but because it combines key exchange and identity authentication it does not provide identity protection. Phase 2 establishes an IPsec SA for data transmission using a quick exchange mode that requires only three ISAKMP messages. IKEv2: SA negotiation is simplified; one IKE SA and one pair of IPsec SAs are established with two exchanges (four messages), and each additional pair of IPsec SAs needs only one more exchange of two messages. |
| Subnets | Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask. |
| Pre-shared Key | Specify the same pre-shared key on both communicating parties as the credential for authentication. For higher security, different peers must be configured with different pre-shared keys: each pair consisting of an interface bound to the IPsec server and the peer gateway of an IPsec client must be configured with its own unique pre-shared key. |
| Status | Specify whether to enable the security policy. |

1.2 Advanced Settings (Phase 1)
- If the key exchange version in the basic settings is IKEv1: click Set IKE Policy to expand the configuration items. Keep the default settings unless otherwise specified.
- If the key exchange version in the basic settings is IKEv2: click IKE Policy to expand the configuration items. Keep the default settings unless otherwise specified.
Table 1-2 IPsec server IKE policy configuration

| Parameter | Description |
| --- | --- |
| IKE Policy | Select the hash algorithm, encryption algorithm, and Diffie-Hellman (DH) group ID used by the IKE protocol. An IKE policy is composed of these three parameters, and you can configure up to five sets of IKE policies. To ensure successful IKE negotiation, the two parties must have at least one consistent IKE policy set. Hash algorithm: sha1 (SHA-1) or md5 (MD5). Encryption algorithm: des (DES, 56-bit key), 3des (3DES, 168-bit key), aes-128, aes-192, or aes-256 (AES with 128-, 192-, or 256-bit keys). DH group ID: dh1 (768-bit DH group), dh2 (1024-bit DH group), or dh5 (1536-bit DH group). |
| Negotiation Mode | Select Main Mode or Aggressive Mode. The negotiation mode on the IPsec server and IPsec client must be the same. Main Mode: generally applicable to communication between fixed public network IP addresses and to point-to-point communication between devices; the peer identity is authenticated, providing high security. Aggressive Mode: the public network IP addresses obtained by ADSL dial-up users are not fixed and a NAT device may exist, so Aggressive Mode is used to implement NAT traversal; because the IP address is not fixed, set the local and peer ID type to NAME. Aggressive Mode does not authenticate the peer identity, so it has low security. |
| Local/Peer ID Type | Specify the ID type of the local or peer device. The local ID type of the peer device must be the same as the peer ID type of the local device. IP: the IP address is used as the identity ID; the IDs of the local and peer devices are generated automatically. NAME: a host character string is used as the identity ID; the IDs of the local and peer devices are generated automatically. When the IP address is not fixed, set Local ID Type to NAME, modify the peer device settings accordingly, and configure the host character string that is used as the identity ID. |
| Local/Peer ID | When the local or peer ID type is set to NAME, you also need to configure the host character string that is used as the identity ID. The local ID of the peer device must be the same as the peer ID of the local device. |
| Lifetime | Specify the lifetime of the IKE SA. (The negotiated IKE SA lifetime prevails.) You are advised to use the default value. |
| DPD | Specify whether to enable Dead Peer Detection (DPD) to detect the status of the IPsec neighbor. After DPD is enabled, if the receiver does not receive IPsec encrypted packets from the peer within the DPD detection interval, a DPD query is triggered and the receiver actively sends a request packet to detect whether the IKE peer still exists. You are advised to configure DPD when links are unstable. |
| DPD Interval | Specify the DPD detection interval, that is, the interval at which DPD queries are triggered. You are advised to keep the default setting. |
1.3 Advanced Settings (Phase 2)
Click Connection Policy to expand the configuration items. Keep the default settings unless otherwise specified.
Table 1-3 IPsec server connection policy configuration

| Parameter | Description |
| --- | --- |
| Transform Set | Specify the set consisting of the security protocol and algorithms. During IPsec SA negotiation, the two parties use the same transform set to protect a specific data flow, so the transform set on the IPsec server and IPsec client must be the same. Security protocol: the Encapsulating Security Payload (ESP) protocol provides data source authentication, data integrity checking, and anti-replay protection for IPsec connections and guarantees data confidentiality. Verification algorithm: sha1 (SHA-1 HMAC) or md5 (MD5 HMAC). Encryption algorithm: des (DES, 56-bit key), 3des (3DES, 168-bit key), aes-128, aes-192, or aes-256 (AES with 128-, 192-, or 256-bit keys). |
| Perfect Forward Secrecy | Perfect Forward Secrecy (PFS) is a security feature that ensures that compromising one key does not compromise other keys, because the keys are not derived from one another. After PFS is enabled, an additional Diffie-Hellman key exchange is performed when an IKE negotiation is initiated using the security policy. If PFS is configured on the local device, it must also be configured on the peer device that initiates negotiation, and the DH group specified on the local and peer devices must be the same; otherwise, negotiation fails. Options: none (disable PFS), d1 (768-bit DH group), d2 (1024-bit DH group), or d5 (1536-bit DH group). By default, PFS is disabled. |
| Lifetime | Indicates the duration of the IPsec tunnel, that is, the time during which data is transmitted over the IPsec tunnel. |

1.4 Configuring the IPsec Client
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Security Policy.
Click Add. In the dialog box that appears, set Policy Type to Client, enter the policy name, peer gateway, local subnet range, and peer subnet range, set the pre-shared key, and click OK.
Table 1-4 IPsec client basic settings

| Parameter | Description |
| --- | --- |
| Policy Name | Specify the name of the IPsec security policy. The name must be a string of 1 to 28 characters. |
| Internet | Format of the IP address. Both IPv4 and IPv6 address formats are supported. |
| Peer Gateway | Enter the IP address or domain name of the peer device. |
| Interface | Select the WAN port used locally from the drop-down list box. In the multi-line scenario, you are advised to set this parameter to Auto. |
| Key Exchange Version | Select the IKE version for SA negotiation. Two options are available. IKEv1: SA negotiation consists of two phases. Phase 1 establishes an IKE SA using one of two negotiation modes, Main Mode or Aggressive Mode; Main Mode requires six ISAKMP (Internet Security Association and Key Management Protocol) messages to complete the negotiation, while Aggressive Mode requires only three, so it establishes the IKE SA faster, but because it combines key exchange and identity authentication it does not provide identity protection. Phase 2 establishes an IPsec SA for data transmission using a quick exchange mode that requires only three ISAKMP messages. IKEv2: SA negotiation is simplified; one IKE SA and one pair of IPsec SAs are established with two exchanges (four messages), and each additional pair of IPsec SAs needs only one more exchange of two messages. |
| Local Subnets | Specify the local subnet address range for the data flows to be protected, that is, the LAN port network segment of the server. The value is the combination of IP address and subnet mask. |
| Peer Subnets | Specify the peer subnet address range for the data flows to be protected, that is, the LAN port network segment of the client. The value is the combination of IP address and subnet mask. |
| Pre-shared Key | Configure the same pre-shared key as on the IPsec server. |
| Status | Specify whether to enable the security policy. |
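The tables above repeatedly require that the server and client sides agree (at least one common IKE policy set, the same negotiation mode, cross-matching ID types and IDs, the same transform set and PFS group, the same pre-shared key, and a client Peer Gateway equal to the server's WAN address). The following added example, which is not the gateway vendor's code, turns those rules from Tables 1-1 to 1-4 into a pre-deployment check and also flags the options the tables describe as weaker; the dictionary layout, field names and sample values are constructed for this example, since the gateway exposes no such export.

```python
# Added example, not the gateway vendor's code: checks that an IPsec server policy
# and the client policy meant to peer with it (Tables 1-1 to 1-4) can negotiate and
# warns about the weaker options those tables list. Dict layout and values are constructed.
WEAK = {"des", "3des", "md5", "dh1", "dh2"}  # deprecated cipher, hash and DH options

def check_pair(server, client):
    """Return the mismatches that would make IKE or IPsec SA negotiation fail."""
    sets = lambda p: {(s["hash"], s["enc"], s["dh"]) for s in p["ike_policy"]}
    errs = []
    if server["ike_version"] != client["ike_version"]:
        errs.append("key exchange version differs")
    if server["psk"] != client["psk"]:
        errs.append("pre-shared keys differ")
    if client["peer_gateway"] != server["wan_ip"]:
        errs.append("client Peer Gateway is not the server's WAN address")
    if client["peer_subnets"] != server["subnets"]:
        errs.append("client Peer Subnets differ from server Subnets")
    if not sets(server) & sets(client):  # up to five sets per side; need one in common
        errs.append("no consistent IKE policy set on both sides")
    if server["ike_version"] == "IKEv1" and server["mode"] != client["mode"]:
        errs.append("negotiation mode differs")
    # IDs cross-match: each side's local ID (type) must equal the other's peer ID (type).
    for who, a, b in (("server", server, client), ("client", client, server)):
        if a["local_id_type"] != b["peer_id_type"]:
            errs.append(f"{who} local ID type != other side's peer ID type")
        elif a["local_id_type"] == "NAME" and a["local_id"] != b["peer_id"]:
            errs.append(f"{who} local ID != other side's peer ID")
    if server["transform"] != client["transform"]:
        errs.append("transform sets differ")
    if server["pfs"] != client["pfs"]:  # both "none", or both the same DH group
        errs.append("PFS setting differs")
    return errs

def audit(policy):
    """Return warnings for options the tables themselves describe as weaker."""
    warns = [f"weak IKE option {v}" for s in policy["ike_policy"]
             for v in (s["hash"], s["enc"], s["dh"]) if v in WEAK]
    warns += [f"weak transform option {v}" for v in policy["transform"] if v in WEAK]
    if policy["ike_version"] == "IKEv1" and policy["mode"] == "Aggressive":
        warns.append("Aggressive Mode gives no identity protection or peer authentication")
    if policy["pfs"] in ("none", "d1", "d2"):
        warns.append("PFS disabled or using a small DH group")
    return warns

# Constructed sample pair: consistent, but the server still offers one legacy IKE set.
SERVER = dict(ike_version="IKEv1", psk="ConstructedKey!", wan_ip="203.0.113.10",
    subnets="192.168.10.0/24", mode="Main", local_id_type="IP", peer_id_type="IP",
    local_id="", peer_id="", transform=("esp", "sha1", "aes-256"), pfs="d5",
    ike_policy=[dict(hash="sha1", enc="aes-256", dh="dh5"), dict(hash="md5", enc="3des", dh="dh2")])
CLIENT = dict(SERVER, peer_gateway="203.0.113.10", peer_subnets="192.168.10.0/24",
    ike_policy=[dict(hash="sha1", enc="aes-256", dh="dh5")])
```

Running `check_pair(SERVER, CLIENT)` on the sample pair returns no mismatches, while `audit(SERVER)` reports the md5/3des/dh2 policy set the server still offers; removing that set is the fix the tables point to.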
1.5 Viewing the IPsec Connection Status
Choose One-Device > Gateway > Config > VPN > IPsec > IPsec Connection Status.
You can view the IPsec tunnel connection status on this page.
Table 1-5 IPsec tunnel connection status information

| Parameter | Description |
| --- | --- |
| Name | Indicates the security policy name on the IPsec server or client. |
| SPI | Indicates the Security Parameter Index (SPI) of the IPsec connection, which is used to associate received IPsec data packets with the corresponding SA. The SPI of each IPsec connection must be unique. |
| Direction | Indicates the direction of the IPsec connection. The value "in" indicates inbound, and the value "out" indicates outbound. |
| Tunnel Client | Indicates the gateway addresses on the two ends of the IPsec connection. The arrow indicates the direction of the data flows protected by the current tunnel. |
| Flow | Indicates the subnet ranges on the two ends of the IPsec connection. The arrow indicates the direction of the data flows protected by the current tunnel. |
| Status | Indicates the IPsec tunnel connection status. |
| Security Protocol | Indicates the security protocol used by the IPsec connection. |
| Algorithm | Indicates the encryption algorithm and authentication algorithm used by the IPsec connection. |