Lantronix EMG 8500 EMG User Guide - Page 117
Routing Commands, VPN Settings
7: Networking

Note: To display the routing table, status or a specific report, see the section Status/Reports on page 354.

Routing Commands

Go to Routing Commands to view the CLI commands which correspond to the web page entries described above.

VPN Settings

This page can be used to create a Virtual Private Network (VPN) tunnel to the EMG for secure communication between the EMG unit and a remote host or gateway. The EMG supports IPSec tunnels using Encapsulated Security Payload (ESP). The EMG unit supports host-to-host, net-to-net, host-to-net, and roaming user tunnels.

Note: To allow VPN tunnel access if the EMG firewall is enabled, traffic to UDP ports 500 and 4500 from the remote host should be allowed, as well as protocol ESP from the remote host.

The EMG provides a strongSwan-based VPN implementation (version 5.8.4). The EMG UI provides access to a subset of the strongSwan configuration options, and also allows upload of a custom ipsec.conf file, which gives an administrator access to most strongSwan configuration options. For more information on strongSwan, see https://www.strongswan.org and the strongSwan Documentation site. A list of Internet Key Exchange IKEv1 and IKEv2 cipher suites is available on the strongSwan Wiki.

NAT Traversal is handled automatically without any special configuration.

VPN related routes are installed in a separate table and can be viewed in the detailed VPN status or in the IP Routes table.

When a tunnel is up, the amount of data passed through the tunnel can be viewed in the status with the bytes_i (bytes input) and bytes_o (bytes output) counters. An example of the VPN status is below (the status will vary depending on the authentication, subnets and algorithms used).

    Connections:
       MyVPNConn:  192.168.1.103...220.41.123.45  IKEv1 Aggressive, dpddelay=30s
       MyVPNConn:   local:  [vpnid] uses pre-shared key authentication
       MyVPNConn:   local:  [vpnid] uses XAuth authentication: any with XAuth identity 'gfountain'
       MyVPNConn:   remote: [220.41.123.45] uses pre-shared key authentication
       MyVPNConn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
    Security Associations (1 up, 0 connecting):
       MyVPNConn[1]: ESTABLISHED 26 minutes ago, 192.168.1.103[vpnid]...220.41.123.45[220.41.123.45]
       MyVPNConn[1]: IKEv1 SPIs: 62c06b5b5fc3c5de_i* 74300552060118f6_r, pre-shared key+XAuth reauthentication in 2 hours

For example, the status displays the IP addresses on either side of the tunnel (192.168.1.103 and 220.41.123.45), the type of authentication (pre-shared key authentication), the algorithms in use (IKEv1 Aggressive and 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024), when the tunnel will be rekeyed, i.e. the SA lifetime (rekeying in 7 hours), the bytes in and out (131 bytes_i (1 pkt, 93s ago), 72 bytes_o (1 pkt, 94s ago)), a dynamic address assigned to the console manager side of the tunnel (child: dynamic and 172.28.28.188), and the subnets on both sides of the tunnel (172.28.28.188/32 === 10.3.0.0/24 10.81.101.0/24 10.81.102.0/24 10.81.103.0/24).

EMG™ Edge Management Gateway User Guide 117
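As an added example (not from the guide or from Lantronix), the Python below parses a strongSwan status block of the kind shown above and pulls out the fields the text walks through: tunnel state, IKE version and mode, the proposals, the bytes_i/bytes_o counters, the rekey time and the subnets, and then flags legacy algorithms so an administrator reviewing the status can see that this tunnel still negotiates 3DES, MD5 and a 1024-bit MODP group. The sample status text is constructed to mirror the page's values; the CHILD_SA SPIs in it are made up.

```python
import re

# Constructed sample modelled on the status shown in the guide; the ESP SPIs
# (c1e3f5a7/d9b8c6e4) are invented, every other value comes from the page.
SAMPLE_STATUS = """\
Connections:
   MyVPNConn:  192.168.1.103...220.41.123.45  IKEv1 Aggressive, dpddelay=30s
   MyVPNConn:   local:  [vpnid] uses pre-shared key authentication
   MyVPNConn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   MyVPNConn[1]: ESTABLISHED 26 minutes ago, 192.168.1.103[vpnid]...220.41.123.45[220.41.123.45]
   MyVPNConn[1]: IKEv1 SPIs: 62c06b5b5fc3c5de_i* 74300552060118f6_r, pre-shared key+XAuth reauthentication in 2 hours
   MyVPNConn[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
   MyVPNConn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e3f5a7_i d9b8c6e4_o
   MyVPNConn{1}:  3DES_CBC/HMAC_MD5_96, 131 bytes_i (1 pkt, 93s ago), 72 bytes_o (1 pkt, 94s ago), rekeying in 7 hours
   MyVPNConn{1}:   172.28.28.188/32 === 10.3.0.0/24 10.81.101.0/24 10.81.102.0/24 10.81.103.0/24
"""

# Algorithm tokens that should not appear in a tunnel negotiated today.
WEAK = ("3DES", "MD5", "SHA1", "MODP_768", "MODP_1024")

def parse_status(text):
    """Return {connection name: {ike, state, proposals, bytes_i, bytes_o, subnets, rekey}}."""
    conns = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)([\[{]\d+[\]}])?:\s*(.*)", line)   # "Name[1]: body" / "Name{1}: body"
        if not m or not m.group(3):
            continue
        name, body = m.group(1), m.group(3)
        c = conns.setdefault(name, {"ike": None, "state": "DOWN", "proposals": [],
                                    "bytes_i": 0, "bytes_o": 0, "subnets": [], "rekey": None})
        mm = re.search(r"(IKEv[12])(?: (Aggressive|Main))?", body)
        if mm and (c["ike"] is None or mm.group(2)):          # keep the mode from the Connections line
            c["ike"] = mm.group(1) + (" " + mm.group(2) if mm.group(2) else "")
        if body.startswith("ESTABLISHED"): c["state"] = "ESTABLISHED"
        if (mm := re.search(r"IKE proposal: (\S+)", body)):
            c["proposals"].append(mm.group(1))
        if (mm := re.match(r"(\S+/\S+), (\d+) bytes_i .*?(\d+) bytes_o.*?rekeying in (.+)", body)):
            c["proposals"].append(mm.group(1)); c["bytes_i"] = int(mm.group(2))
            c["bytes_o"] = int(mm.group(3)); c["rekey"] = mm.group(4).strip()
        if "===" in body and "dynamic" not in body:              # installed traffic selectors
            c["subnets"] = body.split("===")[1].split()
    return conns

def weak_algorithms(conn):
    """Sorted list of weak tokens found in a parsed connection's IKE mode and proposals."""
    found = {t for p in conn["proposals"] for t in WEAK if t in p}
    if conn["ike"] == "IKEv1 Aggressive":
        found.add("IKEv1 Aggressive")   # aggressive mode exposes the PSK-derived hash to offline guessing
    return sorted(found)
```

Running parse_status over the output of the EMG's detailed VPN status lets a monitoring job alert both on a tunnel that drops out of ESTABLISHED and on one that still carries the legacy suite shown in the guide.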