IPsec tunnels

The Z45 Controller supports 8 concurrent IPsec tunnels. For each tunnel the configuration options below are available.

System-wide IPsec tunnel options

Tunnel Select: Tunnel to be configured (up to 8).

IPSEC: System-level enable/disable of IPsec tunnels.

Security Level:

  Allow Internet and Secure Traffic: In this mode IP traffic addressed to the IPsec tunnel is transmitted through the tunnel. All other traffic continues to route over the open IP network. This setting allows web-type traffic to co-exist with secure traffic on the same Z45 Controller.

  Allow Only Secure Traffic: In this mode only IP traffic addressed to the IPsec tunnel is transmitted. Since this precludes the use of the standard routing feature, the Routing button in the main menu is disabled in this mode of operation.


Individual IPsec Tunnel Options

The remaining portion of the IPsec configuration deals with tunnel-specific parameters, meaning that each parameter must be set for every tunnel deployed. The configurable options are listed below.

Phase 1 and Phase 2 under IPSEC Key Exchange refer to IKE Phase 1 and IKE Phase 2. During IKE Phase 1, IKE authenticates the IPsec peers and negotiates IKE Security Associations (SAs), setting up a secure channel for negotiating IPsec SAs in Phase 2. During IKE Phase 2, IKE negotiates the IPsec SA parameters and sets up matching IPsec SAs on the peers. The selection choices in this panel for Phase 1 and Phase 2 are identical but repeated, so that different choices can be applied to each phase.

Tunnel: Enable/Disable an individual tunnel.

Auto-connect: Sends an ICMP request at the defined interval (in seconds) to the router subnet to keep the tunnel connection alive.

Local Router Definition:

  Local Security Type: Available options are FQDN, USER FQDN, KEY ID or NONE.

  Security ID: The identifier corresponding to the selected security type.

  IP Address: IP address of the remote router.

  Subnet IP Address/Netmask: IP address and netmask of the remote router.

Authentication/Encryption:

  Pre-Shared Key: Text string used by both ends of the tunnel for authentication.

  Exchange Mode: Available settings are Main or Aggressive. Defines the number of exchanges used to complete IKE Phase 1. Main is the more robust setting, while Aggressive mode uses fewer exchanges and is therefore somewhat more risky.

  Dead Peer Detection (DPD): Defines the interval (in seconds) between DPD messages following idle periods. A zero (0) setting disables DPD.

IPSEC Key Exchange:

  Encryption: Choices are 3des, aes128, aes192, or aes256.

  Authentication: Choices are sha1 or md5.

  DH Group: Defines the modulus size used for the Diffie-Hellman calculation. Choices are 768, 1024, 1536, or 2048.

  PFS DH Group: Choices are No PFS, 768, 1024, 1536, or 2048. You specify the Diffie-Hellman group in Phase 2 only when you select Perfect Forward Secrecy (PFS). PFS makes keys more secure because new keys are not derived from previous keys. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated. The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.

  SA Lifetime (Phase 1 & Phase 2): The lifetime parameter controls the duration (in minutes) for which the SA is valid. A zero (0) setting disables SA Lifetime timeouts.
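As an added example (not part of the Z45 documentation or the controller's own configuration format), the following audit function takes one tunnel's settings as a constructed Python dictionary whose keys mirror the parameter names above, rejects values outside the listed option sets, and flags the allowed-but-weak choices a reviewer would question (3des, md5, small DH moduli, No PFS, Aggressive mode, disabled DPD or SA lifetime). The dictionary layout and the "phase1"/"phase2" key names are assumptions for the example.

```python
# Option sets exactly as listed on this page; Phase 1 and Phase 2 share them.
ENCRYPTION = {"3des", "aes128", "aes192", "aes256"}
AUTHENTICATION = {"sha1", "md5"}
DH_GROUPS = {768, 1024, 1536, 2048}
PFS_GROUPS = DH_GROUPS | {"No PFS"}
EXCHANGE_MODES = {"Main", "Aggressive"}

def audit_tunnel(cfg):
    """Return (severity, message) findings: "error" = not a listed option, "warn" = weak."""
    out = []
    err = lambda m: out.append(("error", m))
    warn = lambda m: out.append(("warn", m))
    for phase in ("phase1", "phase2"):
        p = cfg.get(phase, {})
        enc, auth, dh = p.get("encryption"), p.get("authentication"), p.get("dh_group")
        if enc not in ENCRYPTION:
            err(f"{phase}: encryption {enc!r} is not a listed option")
        elif enc == "3des":
            warn(f"{phase}: 3des is the weakest listed cipher; prefer an aes option")
        if auth not in AUTHENTICATION:
            err(f"{phase}: authentication {auth!r} is not a listed option")
        elif auth == "md5":
            warn(f"{phase}: md5 is the weaker listed hash; prefer sha1")
        if dh not in DH_GROUPS:
            err(f"{phase}: DH group {dh!r} is not a listed option")
        elif dh < 1536:
            warn(f"{phase}: {dh}-bit DH modulus is small; prefer 1536 or 2048")
    # PFS is chosen in Phase 2 only and need not match the Phase 1 DH group.
    pfs = cfg.get("phase2", {}).get("pfs_dh_group")
    if pfs not in PFS_GROUPS:
        err(f"phase2: PFS DH group {pfs!r} is not a listed option")
    elif pfs == "No PFS":
        warn("phase2: PFS disabled, so new keys are derived from previous keys")
    mode = cfg.get("exchange_mode")
    if mode not in EXCHANGE_MODES:
        err(f"exchange mode {mode!r} is not a listed option")
    elif mode == "Aggressive":
        warn("Aggressive mode uses fewer exchanges than Main and is riskier")
    if cfg.get("dpd", 0) == 0:
        warn("DPD interval 0 disables dead peer detection")
    if cfg.get("sa_lifetime", 0) == 0:
        warn("SA lifetime 0 disables SA timeouts")
    return out

# Constructed sample: a tunnel with one mistyped cipher and several weak choices.
SAMPLE = {"exchange_mode": "Aggressive", "dpd": 30, "sa_lifetime": 0,
    "phase1": {"encryption": "ase256", "authentication": "sha1", "dh_group": 1024},
    "phase2": {"encryption": "aes128", "authentication": "md5", "dh_group": 2048,
               "pfs_dh_group": "No PFS"},
}
```

Running `audit_tunnel(SAMPLE)` yields one error (the mistyped cipher) and five warnings; a tunnel using aes256/sha1/2048 in both phases with PFS group 2048, Main mode, DPD 30 and a non-zero SA lifetime yields none.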