beautypg.com

Section 35.1.6.1, Sections 35.1.6.2 – Westermo RedFox Series User Manual

Page 797

background image

Westermo OS Management Guide

Version 4.17.0-0

35.1.6.1

Selecting Aggressive or Main Mode?

An IPsec tunnel must specify whether IKE should operate in main mode or in
aggressive mode (in WeOS v4.17.0 main mode is used by default).

As mentioned in

section 35.1.2

, the IKE main mode with PSK authentication is

limited to IP address as peer identification. This in turn means that IKE aggressive
mode should be used if the initiator’s IP address is not fixed, e.g., if Bob may
change location (road warrior), or if he is using DHCP to acquire his address on
the outbound interface. For a description of establishing the VPN topology in

fig. 35.5

with IKE aggressive mode, see

section 35.1.6.2

.

On the other hand, if Bob has a fixed IP address, the setup in

fig. 35.5

could

be established either with IKE main mode or aggressive mode. Main mode is
somewhat simpler to configure, and is described in

section 35.1.6.3

.

35.1.6.2

Aggressive Mode Configuration

Below you find hints on how to configure the initiator (Bob) and responder (Alice)
in IKE aggressive mode. Note: this is just an example; several alternatives exist.

Many VPN settings can be configured in the same way on the responder (Alice)
and the initiator (Bob):

❼ VPN instance number: This number is of local significance only, i.e., it can

differ on Alice and Bob. In the Web configuration, it is simplest to accept the
suggested value.

❼ Enable the VPN tunnel: Yes (default)
❼ Outbound interface: Default gateway (or ”vlan2”)
❼ Aggressive mode: Yes
❼ IKE (phase-1) cipher suite: With aggressive mode, a specific cipher suite

must be specified (auto-mode is not possible). Simplest is to use the default
settings: AES-128 for encryption, SHA1 for authentication, and group DH 2
(1024) for the Diffie-Hellman exchange.

❼ Pre-shared secret: The common password, e.g., ”TopSecret123!”, which

should be known only by Alice and Bob.

❼ ESP cipher suite: With aggressive mode, a specific cipher suite must be

specified (auto-mode is not possible). Simplest is to use the default settings:

➞ 2015 Westermo Teleindustri AB

797

This manual is related to the following products:
See also other documents in the category Westermo Equipment: