7: Networking
EMG™ Edge Management Gateway User Guide
116
Note: To display the routing table, status or specific report, see the section Routing Commands. Go to Routing Commands to view the CLI commands which correspond to the web page entries described above.
VPN Settings
This page can be used to create a Virtual Private Network (VPN) tunnel to the EMG for secure communication between the EMG unit and a remote host or gateway. The EMG supports IPsec tunnels using the Encapsulating Security Payload (ESP). The EMG unit supports host-to-host, net-to-net, host-to-net, and roaming user tunnels.
Note: To allow VPN tunnel access when the EMG firewall is enabled, traffic from the remote host to UDP port 500 (IKE) and UDP port 4500 (IKE and ESP with NAT traversal) must be allowed, as well as IP protocol ESP (protocol number 50) from the remote host.
The EMG provides a strongSwan-based VPN implementation (version 5.6.3). The EMG UI provides access to a subset of the strongSwan configuration options, and also allows use of a custom ipsec.conf file, which gives an administrator access to most strongSwan configuration options. For more information on strongSwan, see the strongSwan documentation. A list of Internet Key Exchange cipher suites is available on the strongSwan Wiki.
Routing for the tunnel is handled automatically without any special configuration. VPN related routes are installed in a separate routing table and can be viewed in the detailed VPN status or in the IP Routes table.
When a tunnel is up, the amount of data passed through the tunnel can be viewed in the status with the bytes_i (bytes input) and bytes_o (bytes output) counters. An example of the VPN status is below (the status will vary depending on the authentication, subnets and algorithms used). In this example the status displays the IP addresses on either side of the tunnel (192.168.1.103 and 220.41.123.45), the type of authentication (pre-shared key authentication with XAuth), the IKE version and mode and the algorithms in use (IKEv1 Aggressive and 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024), when the tunnel will be rekeyed, i.e. the SA lifetime (rekeying in 7 hours), the bytes in and out (131 bytes_i (1 pkt, 93s ago), 72 bytes_o (1 pkt, 94s ago)), a dynamic address assigned to the console manager side of the tunnel (child: dynamic, shown as 172.28.28.188 once the tunnel is up), and the subnets on both sides of the tunnel (172.28.28.188/32 === 10.3.0.0/24 10.81.101.0/24 10.81.102.0/24 10.81.103.0/24).
Note: The algorithms in this example are legacy choices. IKEv1 Aggressive mode with a pre-shared key sends a hash derived from the key unencrypted, which allows offline guessing of the key; 3DES and MD5 are deprecated; and the 1024-bit MODP group is too small. For a new tunnel, choose IKEv2 with AES, SHA-2 and a Diffie-Hellman group of at least 2048 bits (or an elliptic curve group) wherever the remote peer supports them.
Connections:
   MyVPNConn:  192.168.1.103...220.41.123.45  IKEv1 Aggressive, dpddelay=30s
   MyVPNConn:   local:  [vpnid] uses pre-shared key authentication
   MyVPNConn:   local:  [vpnid] uses XAuth authentication: any with XAuth identity 'gfountain'
   MyVPNConn:   remote: [220.41.123.45] uses pre-shared key authentication
   MyVPNConn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   MyVPNConn[1]: ESTABLISHED 26 minutes ago, 192.168.1.103[vpnid]...220.41.123.45[220.41.123.45]
   MyVPNConn[1]: IKEv1 SPIs: 62c06b5b5fc3c5de_i* 74300552060118f6_r, pre-shared key+XAuth reauthentication in 2 hours
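The status text above is strongSwan's `ipsec statusall` format, which is also what a monitoring job or an audit script will have to read. The following script is an added example for this guide, not Lantronix or strongSwan code: it parses the fields the description calls out (peer addresses, authentication, IKE version and mode, SPIs, proposals, byte counters, rekey time, traffic selectors) and then flags the legacy settings a reviewer would reject. The sample status embedded in the script is constructed to match the example in the text; the child SA lines and the ESP SPIs are assumptions filled in from strongSwan's normal output format, not a capture from an EMG unit.

```python
"""Parse strongSwan `ipsec statusall` output and audit the negotiated algorithms.

Added example, not Lantronix or strongSwan code. The sample below is constructed
to match the EMG status described in the guide; the child SA lines and ESP SPIs
are assumptions based on strongSwan's usual output format.
"""
import re

SAMPLE_STATUS = """\
Connections:
   MyVPNConn:  192.168.1.103...220.41.123.45  IKEv1 Aggressive, dpddelay=30s
   MyVPNConn:   local:  [vpnid] uses pre-shared key authentication
   MyVPNConn:   local:  [vpnid] uses XAuth authentication: any with XAuth identity 'gfountain'
   MyVPNConn:   remote: [220.41.123.45] uses pre-shared key authentication
   MyVPNConn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   MyVPNConn[1]: ESTABLISHED 26 minutes ago, 192.168.1.103[vpnid]...220.41.123.45[220.41.123.45]
   MyVPNConn[1]: IKEv1 SPIs: 62c06b5b5fc3c5de_i* 74300552060118f6_r, pre-shared key+XAuth reauthentication in 2 hours
   MyVPNConn[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
   MyVPNConn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ad2e14_i cf41c8d2_o
   MyVPNConn{1}:  3DES_CBC/HMAC_MD5_96, 131 bytes_i (1 pkt, 93s ago), 72 bytes_o (1 pkt, 94s ago), rekeying in 7 hours
   MyVPNConn{1}:   172.28.28.188/32 === 10.3.0.0/24 10.81.101.0/24 10.81.102.0/24 10.81.103.0/24
"""

# Algorithm names as strongSwan prints them, with the reason each is rejected.
WEAK_ALGS = {
    "DES_CBC": "single DES is broken",
    "3DES_CBC": "64-bit block cipher (Sweet32); use AES_GCM_16 or AES_CBC",
    "HMAC_MD5_96": "MD5-based integrity; use HMAC_SHA2_256_128 or an AEAD cipher",
    "PRF_HMAC_MD5": "MD5-based PRF; use PRF_HMAC_SHA2_256",
    "MODP_768": "768-bit DH group is trivially breakable",
    "MODP_1024": "1024-bit DH group (Logjam); use MODP_2048 or larger, or ECP_256",
}

CONN_RE = re.compile(
    r"^\s*(?P<name>\w+):\s+(?P<local>[\w.:-]+?)\.\.\.(?P<remote>[\w.:-]+)"
    r"\s+(?P<ver>IKEv[12])(?:\s+(?P<mode>Aggressive))?")
AUTH_RE = re.compile(r"(?P<side>local|remote):\s+\[(?P<id>[^\]]*)\] uses (?P<auth>.+?) authentication")
XAUTH_ID_RE = re.compile(r"XAuth identity '(?P<id>[^']*)'")
IKE_SA_RE = re.compile(r"\[\d+\]: IKEv[12] SPIs: (?P<spi_i>[0-9a-f]+)_i\*? (?P<spi_r>[0-9a-f]+)_r, (?P<reauth>.+)$")
IKE_PROP_RE = re.compile(r"IKE proposal: (?P<prop>\S+)")
CHILD_ALG_RE = re.compile(
    r"\{\d+\}:\s+(?P<alg>[A-Z0-9_/]+), (?P<bi>\d+) bytes_i(?: \(\d+ pkts?, [^)]*\))?,"
    r" (?P<bo>\d+) bytes_o(?: \(\d+ pkts?, [^)]*\))?(?:, rekeying (?P<rekey>.+))?$")
TS_RE = re.compile(r"\{\d+\}:\s+(?P<lts>\S+(?: \S+)*?) === (?P<rts>.+?)\s*$")


def parse_statusall(text):
    """Return a dict with the fields the EMG status description calls out."""
    sa = {"local_auth": [], "remote_auth": [], "xauth_identity": None}
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            # strongSwan prints no mode word for IKEv1 main mode; IKEv2 has no mode.
            mode = m["mode"] or ("Main" if m["ver"] == "IKEv1" else None)
            sa.update(name=m["name"], local=m["local"], remote=m["remote"],
                      ike_version=m["ver"], ike_mode=mode)
        elif m := AUTH_RE.search(line):
            sa[f"{m['side']}_auth"].append(m["auth"])
            if x := XAUTH_ID_RE.search(line):
                sa["xauth_identity"] = x["id"]
        elif m := IKE_SA_RE.search(line):
            sa.update(ike_spi_i=m["spi_i"], ike_spi_r=m["spi_r"], reauth=m["reauth"])
        elif m := IKE_PROP_RE.search(line):
            sa["ike_proposal"] = m["prop"].split("/")
        elif m := CHILD_ALG_RE.search(line):
            sa.update(esp_proposal=m["alg"].split("/"), bytes_in=int(m["bi"]),
                      bytes_out=int(m["bo"]), rekey=m["rekey"])
        elif m := TS_RE.search(line):
            sa.update(local_ts=m["lts"].split(), remote_ts=m["rts"].split())
    return sa


def audit(sa):
    """List the settings a security reviewer would reject on the parsed tunnel."""
    findings = []
    if sa.get("ike_version") == "IKEv1":
        findings.append("IKEv1 negotiated; prefer IKEv2 (keyexchange=ikev2 in ipsec.conf)")
    if sa.get("ike_mode") == "Aggressive" and "pre-shared key" in sa["local_auth"]:
        findings.append("IKEv1 Aggressive mode with PSK sends a PSK-derived hash "
                        "unencrypted, enabling offline dictionary attacks on the key")
    for phase, key in (("IKE", "ike_proposal"), ("ESP", "esp_proposal")):
        for alg in sa.get(key, []):
            if alg in WEAK_ALGS:
                findings.append(f"{phase} uses {alg}: {WEAK_ALGS[alg]}")
    return findings


if __name__ == "__main__":
    parsed = parse_statusall(SAMPLE_STATUS)
    print(f"{parsed['local']} <-> {parsed['remote']} via {parsed['ike_version']} "
          f"{parsed['ike_mode']}, {parsed['bytes_in']} bytes in / {parsed['bytes_out']} out, "
          f"rekeying {parsed['rekey']}")
    for finding in audit(parsed):
        print(" -", finding)
```

On a unit with a custom ipsec.conf, the findings map directly onto the `ike=` and `esp=` keywords of the connection definition, which is where the proposal is pinned to a modern suite so that the peer cannot negotiate the tunnel down to the legacy one shown here.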