Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec can protect data flows between a pair of hosts (host to host), between a pair of security gateways (network to network), or between a security gateway and a host (network to host). IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
Prerequisites:
- Two RUTxxx routers (any model except RUT850)
- At least one router must have a Public Static or Public Dynamic IP address
- At least one end device (PC, Laptop, Tablet, Smartphone) to configure routers
- (Optional) A second end device to configure and test remote LAN access
When this scheme is implemented, not only will the two routers be able to communicate with each other, but the end devices will also be reachable from each other and from each router.
First, let's configure a simple connection between two IPsec instances, namely RUT1 and RUT2, as described in configuration diagram 1 above.
- Log in to the router's WebUI and go to Services → VPN → IPsec. Enter a custom name for the IPsec instance (we are using RUT1 for this example) and click the “Add” button:
- Click the “Edit” button next to the newly created instance:
- The features of both configurations are described as follows:
- The last step in configuring the IPsec instances is the Phase settings. We left the default Phase settings for this example. If you plan to change the Phase settings, make sure they match the Phase settings of the incoming connection (both Phase 1 and Phase 2):
If you followed all the steps presented above, your configuration should be complete. But as with any other configuration, it's always wise to test the setup to make sure it's working properly. To test an IPsec connection, log in to one of the routers' WebUIs and go to Services → CLI. Log in with the username root and the router's administrator password. From there you should be able to ping the LAN IP address of the opposite instance. To use the ping command, type ping <ip_address> and press the “Enter” key on your keyboard.
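As an added example (not part of the original guide), the following shell script automates the test described above: it reads the IPsec status on the router, confirms that Phase 1 (the IKE SA is ESTABLISHED) and Phase 2 (the CHILD_SA is INSTALLED) are up for the named instance, and only then pings the remote LAN, so a failed ping is not misread as a tunnel fault when the SA never came up. It assumes the router's IPsec is strongSwan-based (so the ipsec statusall command is available) and that the connection name in the status output matches the instance name; the embedded status text and IP addresses are constructed for the offline check, not captured from a real device.

```shell
#!/bin/sh
# Added example (not from the original guide): verify an IPsec tunnel on a RUTxxx router
# before pinging across it. Assumes a strongSwan-based IPsec stack (`ipsec statusall`)
# and that the connection name in the status output equals the instance name (e.g. RUT1).

# Constructed sample of `ipsec statusall` output for a working tunnel (not from a real device).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
        RUT1[3]: ESTABLISHED 12 minutes ago, 192.0.2.10[192.0.2.10]...198.51.100.20[198.51.100.20]
        RUT1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
        RUT1{5}:   192.168.1.0/24 === 192.168.2.0/24'

# Phase 1 check: an IKE SA line "NAME[n]: ESTABLISHED" exists for the instance.
phase1_up() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[^{]*\[[0-9]+\]: ESTABLISHED"
}

# Phase 2 check: a CHILD_SA line "NAME{n}: INSTALLED" exists, i.e. the ESP SAs are in place.
phase2_up() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[^{]*[{][0-9]+[}]:[[:space:]]+INSTALLED"
}

# Classify the tunnel from status text: prints up / phase1-down / phase2-down.
# The instance name is used inside a regex, so it should not contain regex metacharacters.
tunnel_state() {
    status=$1; name=$2
    if ! phase1_up "$status" "$name"; then echo "phase1-down"; return 1; fi
    if ! phase2_up "$status" "$name"; then echo "phase2-down"; return 2; fi
    echo "up"
}

# Live check for use on the router: read the real status, then ping the opposite
# router's LAN IP only when both phases are up.
check_tunnel() {
    name=$1; remote_lan_ip=$2
    live=$(ipsec statusall 2>/dev/null) || { echo "ipsec command unavailable"; return 3; }
    tunnel_state "$live" "$name" || return $?
    ping -c 3 -W 2 "$remote_lan_ip" >/dev/null && echo "ping to $remote_lan_ip OK"
}

# Usage on the router (instance name and remote LAN IP are placeholders):
#   sh check_ipsec.sh RUT1 192.168.2.1
if [ "$#" -eq 2 ]; then
    check_tunnel "$1" "$2"
fi
```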