5.2.14 IPsec static/IPsec mobile
IPsec is a group of internet protocols that lets you create a secure connection between
devices. To configure such a connection on the RBMTX-Lite modem you need to go through three
configuration tabs: Tunnels, Mobile Clients, and Keys and Certificates. First, enable IPsec
under the Tunnels tab. Below this option there is a combo box that lets you switch between
the different tunnel configurations. To enable a specific tunnel, select the Enable tunnel
checkbox, then specify the network interface on which the connection will be established.
It is impossible to discuss every way of creating an IPsec connection, so a sample
configuration is described below.
Let's say we want to connect two RBMTX-Lite modems with the following IP addresses:
123.45.67.1 and 123.45.67.2. The first option, DPD interval, is the time after which the
connection is closed if the other device is not responding. You can enter any value here; we
will enter 3600 seconds. Next, choose the local subnet that will be available on the remote
side of the connection. It can be a single host, a network or the LAN subnet. Let's say we
will be connecting more devices later, so we choose network. On the first modem we enter the
following settings: IP=192.168.36.1, Network=192.168.36.0 and Netmask=255.255.255.0. The IP
must be set properly according to the network and netmask. The next step is entering the
remote subnet. The local subnet on the first device must match the remote subnet on the
second device and vice versa. We have specified the local subnet on the second modem with
the following settings: IP=192.168.35.1, Network=192.168.35.0, Netmask=255.255.255.0, so on
the first modem we enter the following remote subnet: Address=192.168.35.0,
Netmask=255.255.255.0. After specifying the local and remote subnets, enter the remote
gateway, which should be the other device's IP. In our case we enter 123.45.67.2 on the
first modem and 123.45.67.1 on the second one.
Afterwards we have to define the first phase of the proposal. We choose the negotiation
mode: aggressive is less secure, but faster than main. The next setting is the device's
identifier. The most common setting is My IP address for PSK authentication and RSA Cert
subject for RSA certificates. Now choose the encryption, hash algorithm and DH key group;
they must be the same on both sides of the connection. Blowfish encryption is usually the
fastest and AES is the slowest but most secure. You can optionally set the lifetime of
phase 1 or leave the field blank to use the default value. The most important setting of
phase 1 is the authentication method. A pre-shared key is like a password: you have to
enter the same key on both sides. A more sophisticated authentication method is using RSA
certificates, but you need to generate a certificate and key for every device. You have two
options here: either input the other device's certificate in the Peer certificate field or
add a CA certificate (we will cover that topic later).
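A consistency check for the two-modem sample above, as an added example that is not part of the manual or the modem's software: it verifies the mirrored subnets, the remote gateways and the phase 1 settings that must match before the values are entered on each device. The dictionary keys, the hash and DH group values and the pre-shared key are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: addresses are the manual's example values; the field names,
# hash, DH group and key are placeholders, not settings taken from the modem.
MODEM_1 = {
    "local_ip": "192.168.36.1", "local_net": "192.168.36.0", "local_mask": "255.255.255.0",
    "remote_net": "192.168.35.0", "remote_mask": "255.255.255.0",
    "wan_ip": "123.45.67.1", "remote_gateway": "123.45.67.2",
    "encryption": "AES", "hash": "SHA1", "dh_group": 2,
    "psk": "EXAMPLE-PLACEHOLDER-KEY",
}
MODEM_2 = dict(MODEM_1, local_ip="192.168.35.1", local_net="192.168.35.0",
               remote_net="192.168.36.0", wan_ip="123.45.67.2",
               remote_gateway="123.45.67.1")

def _net(addr, mask):
    # strict=True rejects a "network" address that has host bits set
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def check_side(name, cfg):
    """Checks that involve only one modem's own settings."""
    try:
        local = _net(cfg["local_net"], cfg["local_mask"])
        _net(cfg["remote_net"], cfg["remote_mask"])
    except ValueError as exc:
        return [f"{name}: invalid subnet ({exc})"]
    if ipaddress.ip_address(cfg["local_ip"]) not in local:
        return [f"{name}: IP {cfg['local_ip']} is outside local subnet {local}"]
    return []

def check_pair(a, b):
    """Return the mismatches between both ends; an empty list means consistent."""
    errors = check_side("modem 1", a) + check_side("modem 2", b)
    if errors:
        return errors
    for x, y, xn, yn in ((a, b, "modem 1", "modem 2"), (b, a, "modem 2", "modem 1")):
        if _net(x["local_net"], x["local_mask"]) != _net(y["remote_net"], y["remote_mask"]):
            errors.append(f"{xn} local subnet does not match {yn} remote subnet")
        if ipaddress.ip_address(x["remote_gateway"]) != ipaddress.ip_address(y["wan_ip"]):
            errors.append(f"{xn} remote gateway is not {yn}'s address")
    for key in ("encryption", "hash", "dh_group", "psk"):
        if a[key] != b[key]:
            # Report only that the setting differs; never echo the key itself.
            errors.append(f"phase 1 setting '{key}' differs between the two sides")
    return errors

if __name__ == "__main__":
    print(check_pair(MODEM_1, MODEM_2) or "configuration is consistent")
```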