Configure > ipsec > ipsec eroutes > eroute n 4.50 – Westermo MR Series User Manual

Page 155


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

4.50 Configure > IPSec > IPSec Eroutes > Eroute n

Once the IKE parameters have been set up, the next stage is to define the characteristics of the
encrypted routes, or tunnels (“eroutes”). This includes items such as what source/destination
addresses will be connected by the tunnel and what type of encryption/authentication procedures
will be applied to the packets traversing it. It is essential that parameters such as encryption
and authentication are the same at each end of the tunnel. If they are not, the two systems will
not be able to agree on what set of rules or “policy” to adopt for the encrypted route, and
communication cannot take place.

Using the Web Page(s)

The Configure > IPSec > Eroutes page contains a number of sub-pages for Eroutes 0-9, 10-19, etc.

Note:

The number of Eroutes available depends on how many licenses you have purchased. Eroute
licenses may be purchased in groups of 10, up to a maximum of 30.

The parameters listed on each Eroute page are as follows:

Description:

This parameter allows you to enter a name for this Eroute instance, to make it easier to identify.

Peer IP/hostname:

This is the IP address of the remote unit to which you wish to connect.

Backup peer IP:

This is the IP address of a backup peer. If the router cannot open a socket connection to the
main peer, this IP address will be used. Please note: the backup peer device must have an
identical eroute configuration to the primary peer.

Peer ID:

In Main mode (i.e. when Aggressive mode is “Off”) this must be the IP address of the peer.
When Aggressive mode is “On”, this parameter is a string of up to 20 characters that is used
to identify the remote system. It should contain the same text as the Our ID parameter in the
corresponding remote unit’s Eroute configuration.

Our ID:

When Aggressive mode is “On”, this parameter is a string of up to 20 characters sent to the
remote system to identify the initiator. The variable %s can be used in this field; it sends
the unit serial number and may be prefixed, for example with SN. When certificates are used,
this field should contain the “Altname” field in a valid certificate held on the unit.

XAUTH ID:

This is the Extended Authentication ID for use with MODECFG.

RSA private key file:

This field is used to override the private key filename configured in IKE. It is only used when
certificates are being used for the authentication stage of the IKE negotiation.

Send our ID as FQDN:

When set to “Yes”, this parameter indicates to the remote peer that the ID is in Fully Qualified
Domain Name format, e.g. “vpnclient1.anycompany.com”. When set to “No”, the ID is indicated
as being of simple Key ID type, e.g. “vpnclient1”. The default is “No”, and it should only be
necessary to select “Yes” where interoperability problems are encountered with other
manufacturers’ VPN equipment.
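
The Peer ID and Our ID rules above can be checked before a tunnel is deployed. The following is an added example, not code from the manual or from Westermo: it compares the eroute settings of the two ends and reports mismatches that would stop them agreeing on a policy. The dictionary keys, the function names and all sample values are assumptions made for illustration.

```python
import ipaddress

MAX_ID_LEN = 20  # ID length limit the manual gives for Aggressive mode

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_eroute(local, remote, remote_serial):
    """List problems in `local` when checked against the peer's `remote` eroute.

    Dict keys (aggressive, peer_ip, peer_id, our_id, encryption,
    authentication) are hypothetical names for the fields described above.
    """
    problems = []
    # Encryption and authentication must be the same at each end.
    for key in ("encryption", "authentication"):
        if local[key] != remote[key]:
            problems.append(f"{key} differs: {local[key]} vs {remote[key]}")
    if not local["aggressive"]:
        # Main mode: Peer ID must be the IP address of the peer.
        if not is_ip(local["peer_id"]):
            problems.append("main mode: peer_id is not an IP address")
        elif is_ip(local["peer_ip"]) and (ipaddress.ip_address(local["peer_id"])
                                          != ipaddress.ip_address(local["peer_ip"])):
            problems.append("main mode: peer_id is not the peer's address")
    else:
        # Aggressive mode: our Peer ID must equal the text the peer sends as
        # its Our ID, with %s replaced by that unit's serial number.
        for name, value in (("peer_id", local["peer_id"]), ("our_id", remote["our_id"])):
            if len(value) > MAX_ID_LEN:
                problems.append(f"{name} exceeds {MAX_ID_LEN} characters")
        sent = remote["our_id"].replace("%s", remote_serial)
        if local["peer_id"] != sent:
            problems.append(f"peer_id {local['peer_id']!r} != peer our_id {sent!r}")
    return problems

# Constructed sample values, not taken from the manual.
HQ = dict(aggressive=True, peer_ip="192.0.2.10", peer_id="SN004321",
          our_id="hq-router", encryption="aes", authentication="sha1")
BRANCH = dict(aggressive=True, peer_ip="198.51.100.1", peer_id="hq-router",
              our_id="SN%s", encryption="aes", authentication="sha1")

if __name__ == "__main__":
    for issue in check_eroute(HQ, BRANCH, "004321") or ["no problems found"]:
        print(issue)
```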
