User Manual
IPsec Tunnel
Industrial Cellular Router
OWL 3G, OWL LTE
Manuals and software are protected by copyright. All rights reserved. The copying,
reproduction, translation, conversion into any electronic medium or machine scannable form
is not permitted, either in whole or in part. An exception is the preparation of a backup copy
of the software for your own use.
The performance features described here are binding only if they have been expressly
agreed when the contract was made. This document was produced by Hirschmann
Automation and Control GmbH according to the best of the company's knowledge.
Hirschmann reserves the right to change the contents of this document without prior notice.
Hirschmann can give no guarantee in respect of the correctness or accuracy of the
information in this document.
Hirschmann can accept no responsibility for damages, resulting from the use of the network
components or the associated operating software. In addition, we refer to the conditions of
use specified in the license contract.
You can get the latest version of this manual on the Internet at the Hirschmann product
site (www.hirschmann.com).
Used symbols
Danger – important notice, which may have an influence on the user’s safety or the function
of the device.
Attention – notice on possible problems, which can arise in specific cases.
Contents
1 IPsec and its protocols
1.1 Authentication Header (AH)
1.1.1 Usage of Authentication Header protocol
1.2 Encapsulating Security Payload (ESP)
1.2.1 Usage of Encapsulating Security Payload protocol
3 Examples of use
3.1 IPsec tunnel – initiator on the router
3.1.1 Configuration via web interface
3.1.2 Detection of the successful establishment of the tunnel
3.2 IPsec tunnel – responder on the router
3.2.1 Configuration via web interface
3.2.2 Detection of the successful establishment of the tunnel
3.3 IPsec tunnel – Linux server
3.4 IPsec tunnel – CISCO router
3.4.1 Configuration – initiator on the router
3.4.2 Configuration – responder on the router
3.5 IPsec tunnel – Computer with Windows
3.5.1 IPsec configuration (NCP Secure Entry Client)
3.5.2 Configuration of Hirschmann router
4 Recommended literature
List of Figures
1 AH – transport mode
2 AH – tunnel mode
3 ESP – transport mode
4 ESP – tunnel mode
5 Overview of IPsec tunnels
6 Configuration form of IPsec tunnel
7 IPsec tunnel – initiator on the router
8 Information about IPsec tunnel (initiator)
9 IPsec tunnel – responder on the router
10 Information about IPsec tunnel (responder)
11 IPsec tunnel – Linux server
12 IPsec tunnel – CISCO router
13 IPsec tunnel – Windows
14 NCP Secure Entry Client
15 NCP Secure Entry Client – Profiles
16 NCP Secure Entry Client – Edit
17 NCP Secure Entry Client – IPsec General Settings
18 NCP Secure Entry Client – Policy Editor
19 NCP Secure Entry Client – Pre-shared Key
20 NCP Secure Entry Client – Policy Editor
21 NCP Secure Entry Client – IPsec Policy
22 NCP Secure Entry Client – IPsec General Settings
23 NCP Secure Entry Client – Identities
24 NCP Secure Entry Client – IPsec Address Assignment
25 NCP Secure Entry Client – Add IP network
26 NCP Secure Entry Client – Split Tunneling
27 Configuration of Hirschmann router
List of Tables
1 Overview of IPsec tunnels
2 Configuration of IPsec tunnel
3 IPsec tunnel settings (initiator)
4 IPsec tunnel settings (responder)
1. IPsec and its protocols
• Encrypting – Both sides agree on the form of packet encryption in advance. Thereafter either the entire packet apart from the IP header is encrypted, or the entire packet is encrypted and a new IP header is added (Phase II, IPsec phase, Quick mode). This phase ends with the establishment of a tunnel.
IPsec consists of two basic protocols – Authentication Header (AH) and Encapsulating Security Payload (ESP). The protocols are complementary, so they are usually used together. A significant advantage of using both protocols at once is a higher level of security, although the increased processing overhead may cancel out this advantage. IPsec also includes the IKE (Internet Key Exchange) protocol, which handles key management. IKE creates logical channels called Security Associations (SA). These channels are always unidirectional, so two separate channels (SAs) are needed for duplex communication. IKE also supports automatic generation and renewal of encryption keys.
Tunnel mode (sometimes called tunneling mode) creates a new IP header, which is followed by the header of the Authentication Header protocol. This is followed by the entire original datagram, packaged as the data of the new datagram. In this mode the AH protocol authenticates the entire datagram, which means that it is possible to determine whether the datagram has been changed during transmission. The main advantage of tunnel mode is complete protection of the encapsulated IP datagram. Furthermore, it allows the use of private addresses.
Tunnel mode (sometimes called tunneling mode) creates a new IP header, which is followed by the header of the Encapsulating Security Payload protocol. This is followed by the entire original datagram, packaged as the data of the new datagram. This allows the original datagram to be protected completely (when both encryption and authentication are used). The ESP trailer and the optional authentication data follow the data of the original datagram.
2. Configuration of IPsec tunnel
Description: Name (description) of the tunnel
Remote IP Address: IP address of the remote side of the tunnel. A domain name can also be entered.
Remote ID: Identifier (ID) of the remote side of the tunnel. It consists of two parts: hostname and domain-name.
Remote Subnet: IP address of the network behind the remote side of the tunnel
Remote Subnet Mask: Subnet mask of the network behind the remote side of the tunnel
Local ID: Identifier (ID) of the local side of the tunnel. It consists of two parts: hostname and domain-name.
Local Subnet: IP address of the local network
Local Subnet Mask: Subnet mask of the local network
Encapsulation Mode: IPsec mode (according to the method of encapsulation). You can choose tunnel (the entire IP datagram is encapsulated) or transport (only the payload is encapsulated, the original IP header is kept).
• Pre-shared key – sets the shared key for both sides of the tunnel
• X.509 Certificate – allows X.509 authentication in multi-client mode
Pre-shared Key: Shared key used by both sides of the tunnel to authenticate (Pre-shared key authentication)
CA Certificate: Certificate for X.509 authentication
Remote Certificate: Certificate for X.509 authentication
Local Certificate: Certificate for X.509 authentication
Local Private Key: Private key for X.509 authentication
Local Passphrase: Passphrase for X.509 authentication
Extra Options: Use this parameter to define additional parameters of the IPsec tunnel, for example additional security parameters.
Table 2: Configuration of IPsec tunnel
3. Examples of use
3.1 IPsec tunnel – initiator on the router
The IP address of the SIM card inserted into the Hirschmann router can be static or dynamic, because the IPsec tunnel is established by the initiator on the router. In this case the Linux server (or CISCO router) offers the services for the IPsec tunnel and must therefore always be reachable at a static IP address or a domain name.
The following table provides an example of IPsec tunnel settings which correspond to the
figure from the beginning of this chapter:
Remote IP Address: 83.208.155.127
Remote ID: ciscoasa@default.domain
Remote Subnet: 192.168.1.0
Remote Subnet Mask: 255.255.255.0
Local Subnet: 192.168.3.0
Local Subnet Mask: 255.255.255.0
Pre-shared Key: test
NAT Traversal: enabled
Table 3: IPsec tunnel settings (initiator)
Other parameters can be left at their default settings. If the Remote IP Address parameter is empty on one side of the IPsec tunnel, that side will wait for a connection and will not attempt to establish one.
All items that are not mentioned in the sample settings and are marked with an asterisk (*) need not be filled in. They are used for more precise identification of the tunnel.
The encryption selected at the various stages of establishing the tunnel can be read from the figure above:
• IKE: 3DES_CBC_192-MD5-MODP1024
• ESP: 3DES_0-HMAC_MD5, pfsgroup = none
The highlighted part shows the information about the successful establishment of the IPsec tunnel.
The following table provides an example of IPsec tunnel settings which correspond to the
figure from the beginning of this page:
Remote ID: ciscoasa@default.domain
Remote Subnet: 192.168.2.219
Remote Subnet Mask: 255.255.255.255
Pre-shared Key: test
NAT Traversal: enabled
Table 4: IPsec tunnel settings (responder)
Other parameters can be left at their default settings. If the Remote IP Address parameter is empty on one side of the IPsec tunnel, that side will wait for a connection and will not attempt to establish one.
All items that are not mentioned in the sample settings and are marked with an asterisk (*) need not be filled in. They are used for more precise identification of the tunnel.
The encryption selected at the various stages of establishing the tunnel can be read from the figure above:
• IKE: 3DES_CBC_192-MD5-MODP1024
• ESP: 3DES_0-HMAC_MD5, pfsgroup = none
The highlighted part shows the information about the successful establishment of the IPsec tunnel.
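As an added example (not part of the manual), the following Python parses the two proposal lines that sections 3.1.2 and 3.2.2 read from the tunnel status and reports which negotiated components a defender would no longer accept for a new tunnel. The parsing rules for the ALG_MODE_KEYLEN-INTEGRITY-DHGROUP notation and the list of weak components are the example's own assumptions.

```python
"""Grade the IKE/ESP proposals reported for an established IPsec tunnel.

Added example, not part of the Hirschmann manual.  STATUS_LINES reproduces the
two proposal lines the manual reads from the tunnel status figure; the parsing
rules and the WEAK list are this example's assumptions.
"""
import re

# Constructed sample: the two lines the manual shows for the negotiated tunnel.
STATUS_LINES = [
    "IKE: 3DES_CBC_192-MD5-MODP1024",
    "ESP: 3DES_0-HMAC_MD5, pfsgroup = none",
]

# Components a defender would not accept for a new tunnel (assumption).
WEAK = {
    "3DES": "64-bit block cipher with 112-bit effective strength; prefer AES",
    "MD5": "deprecated hash (collisions known); prefer SHA-256 or stronger",
    "MODP1024": "1024-bit DH group; prefer MODP2048 or larger, or an ECP group",
    "PFS-NONE": "no PFS: the ESP keys are derived from the IKE key alone",
}


def parse_proposal(line: str) -> dict:
    """Split one status line into phase, cipher, key length, integrity, DH, PFS.

    'IKE: 3DES_CBC_192-MD5-MODP1024' -> 3DES/CBC/192, MD5, MODP1024
    'ESP: 3DES_0-HMAC_MD5, pfsgroup = none' -> 3DES (0 = default key length),
    MD5, pfs 'none'
    """
    phase, _, rest = line.partition(":")
    proposal, _, options = rest.partition(",")
    parts = proposal.strip().split("-")
    enc = parts[0].split("_")
    keylen = int(enc[-1]) if enc[-1].isdigit() else 0
    pfs = re.search(r"pfsgroup\s*=\s*(\S+)", options)
    return {
        "phase": phase.strip(),
        "cipher": enc[0],
        "mode": enc[1] if len(enc) > 2 else None,
        "keylen": keylen,                      # 0 means implementation default
        "integrity": parts[1].replace("HMAC_", "") if len(parts) > 1 else None,
        "dh": parts[2] if len(parts) > 2 else None,
        "pfs": pfs.group(1) if pfs else None,
    }


def assess(lines) -> list:
    """Return (phase, component, reason) for every weak component found."""
    findings = []
    for line in lines:
        p = parse_proposal(line)
        for comp in (p["cipher"], p["integrity"], p["dh"]):
            if comp in WEAK:
                findings.append((p["phase"], comp, WEAK[comp]))
        # PFS applies to the ESP (Phase II) proposal only.
        if p["phase"] == "ESP" and p["pfs"] == "none":
            findings.append((p["phase"], "PFS-NONE", WEAK["PFS-NONE"]))
    return findings


if __name__ == "__main__":
    for phase, comp, reason in assess(STATUS_LINES):
        print(f"{phase}: {comp} - {reason}")
```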
On the Linux server the ipsec.conf and ipsec.secrets files need to be configured. The ipsec.conf file can be configured, for example, like this:
conn hirschmannrouter
    authby=secret
    type=tunnel
    left=83.208.155.127
    leftsubnet=192.168.1.0/24
    right=172.24.68.112
    rightsubnet=192.168.3.0/24
    ikelifetime=3600s
    keylife=3600s
    pfs=no
    auto=add
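The two ends of the tunnel must mirror each other: what the router's form calls Remote (Table 3) is the server's left side, and what it calls Local is the server's right side. The following Python, an added example and not part of the manual, cross-checks the router's form values against the conn section above; the pairing rule and the router's own WAN address (172.24.68.112, taken from the conn block) are the example's assumptions.

```python
"""Cross-check the router's IPsec form against the Linux server's ipsec.conf.

Added example, not from the Hirschmann manual.  ROUTER_SETTINGS reproduces
Table 3 (initiator on the router), IPSEC_CONF the conn block from section 3.3.
The pairing rule (router's Remote = server's left, router's Local = server's
right) is this example's assumption.
"""
import ipaddress

# Constructed from Table 3 of the manual.
ROUTER_SETTINGS = {
    "Remote IP Address": "83.208.155.127",
    "Remote Subnet": "192.168.1.0",
    "Remote Subnet Mask": "255.255.255.0",
    "Local Subnet": "192.168.3.0",
    "Local Subnet Mask": "255.255.255.0",
}

# Constructed copy of the conn section shown in the manual.
IPSEC_CONF = """\
conn hirschmannrouter
    authby=secret
    type=tunnel
    left=83.208.155.127
    leftsubnet=192.168.1.0/24
    right=172.24.68.112
    rightsubnet=192.168.3.0/24
    ikelifetime=3600s
    keylife=3600s
    pfs=no
    auto=add
"""


def parse_conn(text: str, name: str) -> dict:
    """Return the key=value options of the conn section called `name`."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def to_cidr(address: str, mask: str) -> str:
    """'192.168.1.0' + '255.255.255.0' -> '192.168.1.0/24'; rejects host bits."""
    return str(ipaddress.IPv4Network(f"{address}/{mask}", strict=True))


def check(router: dict, conf_text: str, conn: str = "hirschmannrouter",
          router_wan_ip: str = "") -> list:
    """Return the mismatches between the two ends; an empty list means consistent."""
    opts = parse_conn(conf_text, conn)
    if not opts:
        return [f"conn {conn} not found in ipsec.conf"]
    remote_net = to_cidr(router["Remote Subnet"], router["Remote Subnet Mask"])
    local_net = to_cidr(router["Local Subnet"], router["Local Subnet Mask"])
    expected = {
        "left": router["Remote IP Address"],   # server's own address
        "leftsubnet": remote_net,              # network behind the server
        "rightsubnet": local_net,              # network behind the router
        "type": "tunnel",                      # the form's Encapsulation Mode
    }
    if router_wan_ip:                          # only known for a static SIM address
        expected["right"] = router_wan_ip
    problems = [f"{k}: ipsec.conf has {opts.get(k)!r}, router form implies {v!r}"
                for k, v in expected.items() if opts.get(k) != v]
    if ipaddress.IPv4Network(remote_net).overlaps(ipaddress.IPv4Network(local_net)):
        problems.append(f"local and remote subnets overlap: {local_net} / {remote_net}")
    return problems


if __name__ == "__main__":
    issues = check(ROUTER_SETTINGS, IPSEC_CONF, router_wan_ip="172.24.68.112")
    print("consistent" if not issues else "\n".join(issues))
```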
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain
same-security-traffic permit inter-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging class auth asdm emergencies
logging class ip asdm critical
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set UR1 esp-3des esp-none
crypto ipsec transform-set UR2 esp-des esp-none
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set connection-type answer-only
crypto map outside_map 1 set peer 172.24.68.112
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 1
telnet timeout 5
ssh timeout 5
console timeout 0
l2tp tunnel hello 300
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
!
service-policy global_policy global
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain
same-security-traffic permit inter-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging class auth asdm emergencies
logging class ip asdm critical
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.27 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set UR1 esp-3des esp-none
crypto ipsec transform-set UR2 esp-des esp-none
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_2_cryptomap
crypto map outside_map 1 set connection-type originate-only
crypto map outside_map 1 set peer 172.24.68.112
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 1
telnet timeout 5
ssh timeout 5
console timeout 0
l2tp tunnel hello 300
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
!
service-policy global_policy global
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions none
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
The recommended program for the Windows operating system is NCP Secure Entry Client, on which the following description is based.
First it is necessary to create a profile for establishing the IPsec tunnel. Select the Configuration tab in the menu of the NCP Secure Entry Client program and then select the Profiles item. The following window opens:
Add a new profile using the Add/Import button. On the second screen you must enter the profile name. On the other screens it is possible simply to confirm using the Next button (on the last screen using the Finish button) and make the necessary settings later.
The IPsec tunnel is configured by marking the profile and pressing the Edit button.
Select the IPsec General Settings item in the menu on the left side. Then press the Policy Editor... button on the right side.
In the new window highlight the Pre-shared Key item (in the IKE Policy section) and then press the Edit button.
This opens a window in which you select the encryption and hash algorithm (for example Triple DES and MD5) and then confirm by pressing the OK button.
Now select the only available item in the IPsec Policy section of the configuration window. The item is named ESP - AES128 - MD5. Then press the Edit button.
Enter the desired name (for example IPsec) in the new window and select the encryption and hash algorithm (for example Triple DES and MD5). Then confirm by pressing the OK button.
Go back to the main window of the IPsec General Settings item and set the IKE Policy and IPsec Policy items based on the previous configuration (see figure below). The IKE DH Group item will have the value DH-Group 2 (1024 bit).
Now select the Identities item in the menu on the left side and fill in the configuration form as shown below. Note that the IP address corresponds to the example situation from the beginning of this section.
The same IP address (192.168.2.219 according to the example situation) is also required on the IPsec Address Assignment page.
Press the Add button on the Split Tunneling page and enter the IP address of the subnet behind the Hirschmann router (192.168.3.0 in the example situation) and the relevant subnet mask (255.255.255.0) in the newly opened window. Confirm by pressing the OK button. The specified data are displayed in the original window of the Split Tunneling page.
4. Recommended literature
User Manual "Configuration"