Siemens RUGGEDCOM ROX II User Manual page 453

RUGGEDCOM ROX II
CLI User Guide
Section 12.8.1.7
IPsec and Router Interfaces
If IPsec works on an interface which could disappear, such as a PPP connection, or if the IP address could change,
the Monitor Interface option must be set for the IPsec connection. When this option is set, IPsec will restart when
the interface disappears and reappears, or the IP address is changed.
The Monitor Interface option is set on the Connection form available for each connection. For more information
about connections, refer to
Section 12.8.2
Configuring IPsec Tunnels
To configure IPsec tunnels, do the following:
NOTE
RUGGEDCOM ROX II supports the creation of policy-based VPNs, which can be characterized as follows:
• No IPsec network interfaces have been created.
• The routing table is not involved in directing packets to IPsec.
• Only data traffic matching the tunnel's local and remote subnets is forwarded to the tunnel. Normal
traffic is routed by one set of firewall rules and VPN traffic is routed based on separate rules.
• The firewall is configured with a VPN zone of type ipsec.
• As IPsec packets are received, they are decoded, flagged as IPsec-encoded, and presented as having
arrived directly from the same network interface on which they were originally received.
• Firewall rules are written to allow traffic to and from VPN tunnels. These are based on the normal
form of source/destination IP addresses, and IP protocol and port numbers. These rules, by virtue of
the zones they match, use the policy flags inserted by the netkey to route matching data traffic to the
proper interface.
For more information about configuring a policy-based VPN, refer to
1. Make sure the CLI is in Configuration mode.
Navigate to tunnel » ipsec and configure the following parameter(s) as required:
2.
Parameter
enabled
nat-traversal
keep-alive { keep-alive }
3. Configure one or more pre-shared keys. For more information, refer to
Key".
4. Configure one or more encrypted connections. For more information, refer to
Connection".
Type commit and press Enter to save the changes, or type revert and press Enter to abort.
5.
IPsec and Router Interfaces
Section 12.8.6, "Managing
Enables IPsec.
This parameter is not supported and any value is ignored by the system. nat-traversal is
always enabled in the IPSec VPN system.
Synopsis: A 32-bit unsigned integer between 1 and 86400
Default: 20
The delay (in seconds) for sending keepalive packets to prevent a NAT router from
closing its port when there is not enough traffic on the IPsec connection.
Connections".
Description
Section 12.8.5.2, "Adding a Pre-Shared
Tunneling and VPNs
Section 6.9, "Managing
Section 12.8.6.2, "Adding a
Chapter 12
Firewalls".
407