5.4.2.2. Encryption
This functionality requires the
to be installed in both units (available for
all bands except 80 GHz). Once installed, part of the user data traffic (one Ethernet port) can be AES
encrypted to ensure the security of the over-the-air communication.
Fig. 5.9: Menu Link settings > Radio > Encryption
An IPsec VPN tunnel, based on a Security Association with symmetric cryptography, is used to encrypt
the packets and to ensure that keys are safely delivered to the peer and regularly exchanged.
The protocol used for secure key exchange is IKE (Internet Key Exchange) version 2.
Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication. Both
link partners share the same key (password).
The other (non-encrypted) Ethernet port can be used simultaneously with the encrypted port for data
transfer and/or for unit management. The link capacity in the air is shared by both Ethernet ports.
The encrypted traffic has a higher priority.
Enable
When user data encryption is enabled, the IPsec tunnel is started.
Port
The Encryption service encrypts all the user data traffic originating from one of the two Ethernet ports.
Ethernet port Eth1 or Eth2 needs to be selected. It is possible to select different Ethernet ports on
each side of the link (e.g. Eth1 on Local and Eth2 on Peer).
DF Ignore
If the communication over the given Ethernet port is encrypted, the longest packets that pass through
without fragmentation are 2048 Bytes long. Longer packets need to be fragmented:
• in the previous network device, or
• the DF (Do-Not-Fragment) bit in the incoming packets must be cleared, or
• the DF Ignore bit needs to be set
Packets longer than 9000 Bytes are discarded.
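The size rules above can be applied to captured IPv4 headers to see which traffic will be affected before encryption is enabled on a port. This is an added example, not taken from the RACOM manual: it assumes the manual's packet length corresponds to the IPv4 total length, and the function names and outcome labels are hypothetical.

```python
import struct

MAX_UNFRAGMENTED = 2048  # bytes, from the manual: longest packet passed unfragmented
MAX_ACCEPTED = 9000      # bytes, from the manual: longer packets are discarded

def ipv4_len_and_df(header: bytes):
    """Return (total_length, df_bit) read from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    total_length, _ident, flags_frag = struct.unpack("!HHH", header[2:8])
    return total_length, bool(flags_frag & 0x4000)  # 0x4000 = Do-Not-Fragment

def classify(header: bytes, df_ignore: bool) -> str:
    """Predict handling on the encrypted port (labels are hypothetical)."""
    length, df = ipv4_len_and_df(header)  # assumption: length = IPv4 total length
    if length > MAX_ACCEPTED:
        return "discarded"
    if length <= MAX_UNFRAGMENTED:
        return "passes"
    if not df or df_ignore:
        return "fragmented"
    # DF set and DF Ignore off: the manual offers no path for this packet
    # unless the previous network device fragments it first.
    return "needs-upstream-fragmentation"

def make_header(total_length: int, df: bool) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    flags = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, flags,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def audit(samples, df_ignore: bool):
    """Classify (length, df) pairs; returns (length, df, outcome) tuples."""
    return [(length, df, classify(make_header(length, df), df_ignore))
            for length, df in samples]

if __name__ == "__main__":
    # Constructed sample traffic, not real captures.
    constructed = [(1500, True), (2048, True), (2049, False),
                   (4000, True), (9001, False)]
    for df_ignore in (False, True):
        for length, df, outcome in audit(constructed, df_ignore):
            print(f"DF Ignore={df_ignore}: len={length} DF={df} -> {outcome}")
```

Packets reported as needs-upstream-fragmentation are the ones that require either fragmentation in the previous network device or the DF Ignore setting.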
IPsec Encryption algorithm
IPsec SA encryption algorithm. The stronger the algorithm, the lower the user data throughput.
RAy3 Microwave Link – © RACOM s.r.o.