Perle Systems IOLAN CSS User Manual

Network Commands 113

IPsec Commands

Options

authentication-method

Specify the authentication method that will be used between VPN peers to authenticate
the VPN tunnel.

Data Options:

• Shared Secret—A text-based secret that is used to authenticate the IPsec tunnel (case sensitive).

• RSA Signature—RSA signatures are used to authenticate the IPsec tunnel. When using this authentication method, you must download the IPsec RSA public key to the IOLAN and upload the IPsec RSA public key from the IOLAN to the VPN gateway.

• X.509 Certificate—X.509 certificates are used to authenticate the IPsec tunnel. When using this authentication method, you must include the signing authority’s certificate information in the SSL/TLS CA list and download it to the IOLAN.

The default is shared secret.

boot-action

Determines the state of the VPN network when the IOLAN is booted.

• Start—Starts the VPN network, initiating communication to the remote VPN.

• Add—Adds the VPN network, but doesn’t initiate a connection to the remote VPN.

• Ignore—Maintains the VPN network configuration, but the VPN network is not started and cannot be started through the IPsec command option.

When defining peer VPN gateways, one side should be defined as Start (initiate) and the other as Add (listen). It is invalid to define both gateways as Add. VPN connection time can take longer when both gateways are set to Start, as both sides will attempt to initiate the same VPN connection.

The default is start.

local-device

When the VPN tunnel is established, one side of the tunnel is designated as Right and the other as Left. You are configuring the IOLAN side of the VPN tunnel. The default is left.

local-external-ip-address

When NAT Traversal (NAT_T) is enabled, this is the IOLAN’s external IPv4 or IPv6 address or FQDN. When the IOLAN is behind a NAT router, this will be its public IP address.

local-host-network

The IPv4 or IPv6 address of a specific host, or the network address, that the IOLAN will provide a VPN connection to.

local-ip-address

The IPv4 or IPv6 address or FQDN of the IOLAN. You can specify %defaultroute when the IP address of the IOLAN is not always known (for example, when it gets its IP address from DHCP). When %defaultroute is used, a default gateway must be configured in the route table.

local-next-hop

The IPv4 or IPv6 address of the router/gateway that will forward data packets to the remote VPN (if required). The router/gateway must reside on the same subnet as the IOLAN. Leave this parameter blank if you want to use the Default Gateway configured in the IOLAN.
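The rules on this page (the boot-action pairing between peer gateways, %defaultroute needing a default gateway, local-next-hop having to sit on the IOLAN's own subnet, and the external address required under NAT traversal) can be checked before a tunnel definition is committed. The following linter is an added example written for this page, not Perle's code and not part of the IOLAN firmware. The option names mirror the manual's CLI keywords; the value spellings (such as "shared-secret" and "x509-certificate"), the IpsecTunnel dataclass, and the sample addresses are assumptions constructed for the example.

```python
"""Lint an IOLAN IPsec tunnel definition against the rules stated in the manual.

Added example, not Perle's code. Option names follow the manual's CLI keywords;
the value spellings used here are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Accepted values for the enumerated options, per the manual text.
# The exact spellings the CLI accepts are assumed, not taken from the manual.
AUTH_METHODS = ("shared-secret", "rsa-signature", "x509-certificate")
BOOT_ACTIONS = ("start", "add", "ignore")
DEVICES = ("left", "right")


@dataclass
class IpsecTunnel:
    """One VPN network definition; defaults are the manual's stated defaults."""
    name: str
    authentication_method: str = "shared-secret"
    boot_action: str = "start"
    local_device: str = "left"
    local_ip_address: str = "%defaultroute"
    local_host_network: str = ""
    local_next_hop: str = ""
    nat_traversal: bool = False
    local_external_ip_address: str = ""


def check_tunnel(t: IpsecTunnel, iolan_interface: str, has_default_gateway: bool) -> list:
    """Return 'error: ...' / 'warning: ...' findings for a single tunnel.

    iolan_interface is the IOLAN's own interface address with prefix length,
    e.g. '192.0.2.10/24'; has_default_gateway says whether the route table
    carries a default gateway.
    """
    findings = []
    if t.authentication_method not in AUTH_METHODS:
        findings.append(f"error: unknown authentication-method {t.authentication_method!r}")
    if t.boot_action not in BOOT_ACTIONS:
        findings.append(f"error: unknown boot-action {t.boot_action!r}")
    if t.local_device not in DEVICES:
        findings.append(f"error: local-device must be left or right, got {t.local_device!r}")

    # %defaultroute only resolves if the route table has a default gateway.
    if t.local_ip_address == "%defaultroute" and not has_default_gateway:
        findings.append("error: local-ip-address is %defaultroute but no default gateway is configured")

    # local-next-hop, when set, must be on the same subnet as the IOLAN.
    if t.local_next_hop:
        net = ipaddress.ip_interface(iolan_interface).network
        try:
            hop = ipaddress.ip_address(t.local_next_hop)
        except ValueError:
            findings.append(f"error: local-next-hop {t.local_next_hop!r} is not an IP address")
        else:
            if hop not in net:  # also False when the IP versions differ
                findings.append(f"error: local-next-hop {hop} is not on the IOLAN subnet {net}")

    # Under NAT traversal the peer must be told the IOLAN's public address.
    if t.nat_traversal and not t.local_external_ip_address:
        findings.append("error: nat-traversal enabled but local-external-ip-address is empty")
    if not t.local_host_network:
        findings.append("warning: local-host-network is empty; no host or network is offered over the tunnel")
    return findings


def check_peer_pair(iolan_action: str, remote_action: str) -> list:
    """Apply the manual's boot-action pairing rule to the two peer gateways."""
    actions = {iolan_action, remote_action}
    if actions == {"add"}:
        return ["error: both gateways set to add; neither side will initiate the tunnel"]
    if "ignore" in actions:
        return ["warning: a gateway is set to ignore; the tunnel will not be started"]
    if actions == {"start"}:
        return ["warning: both gateways set to start; both will initiate and setup may take longer"]
    return []  # one start (initiate) and one add (listen): the pairing the manual recommends


if __name__ == "__main__":
    # Constructed sample: an IOLAN at 192.0.2.10/24 with a next hop off its subnet.
    sample = IpsecTunnel("site-b", local_next_hop="198.51.100.1", nat_traversal=True)
    for line in check_tunnel(sample, "192.0.2.10/24", has_default_gateway=False):
        print(line)
    for line in check_peer_pair("add", "add"):
        print(line)
```

Run the linter against each tunnel definition before it is entered on the IOLAN and against the boot-action chosen on both gateways; every finding maps to a sentence on this page, so a clean result means the definition satisfies the constraints the manual states.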