_______________________________________________________________________________________________________
_______________________________________________________________________________________________________
© Virtual Access 2018
GW2020 Series User Manual
Issue: 2.1
Page 303 of 423
Web Field/UCI/Package Option
Description
Web: Enable strongswan
UCI: strongswan.general.enable
Opt: enabled
Enables or disables IPSec.
0
Disabled.
1
Enabled.
Web: Strict CRL Policy
UCI: strongswan.general.strictcrlpolicy
Opt: strictcrlpolicy
Defines if a fresh CRL must be available for the peer
authentication based on RSA signatures to succeed.
0
Disabled.
1
Enabled.
ifuri
The IKEv2 application additionally recognizes the
“ifuri” option which reverts to ‘yes’ if at least one
CRL URI is defined and to ‘no’ if no URI is known.
Web: Unique IDs
UCI: strongswan.general.uniqueids
Opt: uniqueids
Defines whether a particular participant ID should be kept
unique, with any new (automatically keyed) connection using an
ID from a different IP address deemed to replace all old ones
using that ID.
Participant IDs normally are unique, so a new (automatically-
keyed) connection using the same ID is almost invariably
intended to replace an old one.
0
Disabled.
1
Enabled.
replace
Identical to Yes
keep
Rejects new IKE SA and keep the duplicate
established earlier
Web: Cache CRLs
UCI: strongswan.general.cachecrls
Opt: cachecrls
Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP will
be cached in /etc/ipsec.d/crls/ under a unique file name derived
from the certification authority's public key.
0
Disabled.
1
Enabled.
Web: Debug
UCI: strongswan.general.debug
Opt: debug
Enable debugging. This option is used for trouble shooting issues.
It is not suitable for a production environment.
None
Debug disabled.
Control
Debug enabled. Shows generic control flow with
errors and very basic auditing logs.
All
Debug enabled. Most verbose logging also
includes sensitive information such as keys.
Table 97: Information table for IPSec common settings
29.4.2
Configure connection settings
Scroll down to view the connection settings section.
If you want to create a DMVPN, you do not need to configure all settings as the DMVPN
will automatically create them using the template. Leave the following sections blank:
•
Remote GW Address
•
Local ID
•
Remote Id
•
Local LAN IP Address
•
Local LAN IP Address Mask
•
Remote LAN IP Address
•
Remote LAN IP Address Mask