IPsec Configuration
IPsec Global Options
Global IPsec options are shared between all IPsec tunnels. Currently the only global settings are related to EAP-RADIUS.
- ipsec global-options eap-radius server-group <name>:
Configures a RADIUS server group TNSR will use to authenticate connecting remote access users on tunnels configured with eap-radius in their authentication settings (IKE Authentication).
- ipsec global-options eap-radius accounting enabled:
When present, TNSR will send RADIUS accounting events and data to the RADIUS server which authenticates users connecting via EAP-RADIUS. This allows the RADIUS server to track user login/logout events, amounts of data transferred, and so on.
- ipsec global-options eap-radius accounting interim-interval <interim-interval>:
Configures the interval at which TNSR will send accounting updates to the RADIUS server for ongoing connections.
IPsec Tunnel Configuration
The ipsec tunnel <n> command, issued from config mode, changes to IPsec tunnel mode. This is denoted by config-ipsec-tunnel in the prompt.
The identifier number for tunnel entries starts at 0 and increments by one. To determine the next tunnel number for a new entry, run ipsec tunnel ? and TNSR will print the existing tunnel ID numbers.
This command creates an IPsec tunnel with an identifier of 0:
tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)#
The remainder of the configuration is covered in the following sections.
Enable/Disable IPsec Tunnels
New IPsec tunnels are in a disabled state by default and must be explicitly enabled:
tnsr(config)# ipsec tunnel <n>
tnsr(config-ipsec-tunnel)# enable
Should the need arise to disable the tunnel in the future, the process is similar:
tnsr(config)# ipsec tunnel <n>
tnsr(config-ipsec-tunnel)# disable
When disabling a tunnel, the configuration can remain in place, but the tunnel will not be loaded into the IPsec daemon.