CONEL SPECTRE v3 ERT — настройка IPsec туннеля: сертификаты и параметры безопасности [73/136]

Превью страниц Страница 73 / 136

4. CONFIGURATION

Continued from previous page

Item Description

CA Certiﬁcate Certiﬁcate for X.509 authentication.

Remote Certiﬁcate Certiﬁcate for X.509 authentication.

Local Certiﬁcate Certiﬁcate for X.509 authentication.

Local Private Key Private key for X.509 authentication.

Local Passphrase Passphrase used during private key generation.

Extra Options Speciﬁes the additional parameters of the IPsec tunnel for exam-

ple, secure parameters.

Table 40: IPsec Tunnel Conﬁguration

The IPsec function supports the following types of identiﬁers (ID) for both sides of the

tunnel, Remote ID and Local ID parameters:

• IP address (for example, 192.168.1.1)

• DN (for example, C=CZ,O=Conel,OU=TP,CN=A)

• FQDN (for example, @director.conel.cz) – the @ symbol proceeds the FQDN .

• User FQDN (for example, director@conel.cz)

The certiﬁcates and private keys have to be in the PEM format. Use only certiﬁcates containing

start and stop tags.

The random time, after which the router re-exchanges new keys is deﬁned as follows:

Lifetime - (Rekey margin + random value in range (from 0 to Rekey margin * Rekey Fuzz/100))

The default exchange of keys is in the following time range:

• Minimal time: 1h - (9m + 9m) = 42m

• Maximal time: 1h - (9m + 0m) = 51m

We recommend that you maintain the default settings. When you set key exchange times

higher, the tunnel produces lower operating costs, but the setting also provides less security.

Conversely, when you reducing the time, the tunnel produces higher operating costs, but

provides for higher security.

The changes in settings will apply after clicking the Apply button.