IPsec Configuration

IPsec Global Options

Global IPsec options are shared between all IPsec tunnels. Currently the only global settins are related to EAP-RADIUS.

ipsec global-options eap-radius server-group <name>:

Configures a RADIUS server group TNSR will use to authenticate connecting remote access users on tunnels configured with eap-radius in their authentication settings (IKE Authentication).

ipsec global-options eap-radius accounting enabled:

When present, TNSR will send RADIUS accounting events and data to the RADIUS server which authenticates users connecting via EAP-RADIUS. This allows the RADIUS server to track user login/logout events, amounts of data transferred, and so on.

ipsec global-options eap-radius accounting interim-interval <interim-interval>:

Configures the interval at which TNSR will send accounting updates to the RADIUS server for ongoing connections.

IPsec Tunnel Configuration

The ipsec tunnel <n> command, issued from config mode, changes to IPsec tunnel mode. This is denoted by config-ipsec-tunnel in the prompt.

The identifier number for tunnel entries starts at 0 and increments by one. To determine the next tunnel number for a new entry, run ipsec tunnel ? and TNSR will print the existing tunnel ID numbers.

This command creates an IPsec tunnel with an identifier of 0:

tnsr(config)# ipsec tunnel 0
tnsr(config-ipsec-tunnel)#

The remainder of the configuration is covered in the following sections.

Enable/Disable IPsec Tunnels

New IPsec tunnels are in a disabled state by default and must be explicitly enabled:

tnsr(config)# ipsec tunnel <n>
tnsr(config-ipsec-tunnel)# enable

Should the need arise to disable the tunnel in the future, the process is similar:

tnsr(config)# ipsec tunnel <n>
tnsr(config-ipsec-tunnel)# disable

When disabling a tunnel the configuration can remain in place, but the tunnel will not be loaded into the IPsec daemon.