Setup guide

manual-sa (name; default: none) - name of the manual-sa template that will be used to create SAs for this policy
  none - no manual keys are set
dont-fragment (clear | inherit | set; default: clear) - the state of the don't fragment IP header field
  clear - clear (unset) the field, so that packets previously marked as don't fragment get fragmented
  inherit - do not change the field
  set - set the field, so that each packet matching the rule will not be fragmented
ph2-state (read-only: expired | no-phase2 | established) - the progress of key establishment
  expired - there are some leftovers from the previous phase2. In general it is similar to no-phase2
  no-phase2 - no keys are established at the moment
  established - appropriate SAs are in place and everything should be working fine
in-accepted (integer) - how many incoming packets were passed through by the policy without an attempt to decrypt
in-dropped (integer) - how many incoming packets were dropped by the policy without an attempt to decrypt
out-accepted (integer) - how many outgoing packets were passed through by the policy without an attempt to encrypt
out-dropped (integer) - how many outgoing packets were dropped by the policy without an attempt to encrypt
encrypted (integer) - how many outgoing packets were encrypted by the policy
not-encrypted (integer) - how many outgoing packets the policy attempted to encrypt, but discarded for any reason
decrypted (integer) - how many incoming packets were decrypted by the policy
not-decrypted (integer) - how many incoming packets the policy attempted to decrypt, but discarded for any reason
Notes
In tunnel mode all packets are IPIP encapsulated, and the src-address and dst-address of their new outer IP header are set to the sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (i.e. you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can therefore only work with packets that originate at and are destined for the IPsec peers themselves (the hosts that established the security associations). To encrypt traffic between networks (or between a network and a host) you have to use tunnel mode.
It is good to have dont-fragment cleared, because encrypted packets are always bigger than the original and thus may need fragmentation; with the field set, oversized packets are dropped instead.
If you are using IKE to establish SAs automatically, then the policies on both routers must exactly match each other, i.e. src-address=1.2.3.0/27 on one router and dst-address=1.2.3.0/28 on the other would not work. Source address values on one router MUST be equal to the destination address values on the other one, and vice versa.
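The three rules in the notes above (transport mode only carries packets between the SA endpoints, dont-fragment should be clear, and IKE peers' policies must mirror each other) can be checked mechanically before a tunnel is brought up. The following checker is an added example, not code from the MikroTik manual or RouterOS; it assumes each policy has been exported into a dict whose keys are the property names used on this page, and the sample addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample policies for two IKE peers. Key names follow the RouterOS
# /ip ipsec policy properties described above; the addresses are made up.
ROUTER_A = {
    "src-address": "10.1.0.0/24",
    "dst-address": "10.2.0.0/24",
    "sa-src-address": "192.0.2.1",
    "sa-dst-address": "198.51.100.1",
    "tunnel": True,
    "dont-fragment": "clear",
}
ROUTER_B = {
    "src-address": "10.2.0.0/24",
    "dst-address": "10.1.0.0/24",
    "sa-src-address": "198.51.100.1",
    "sa-dst-address": "192.0.2.1",
    "tunnel": True,
    "dont-fragment": "clear",
}


def _net(value):
    # Accept "a.b.c.d/len" as well as bare host addresses (treated as /32 or /128).
    return ipaddress.ip_network(value, strict=False)


def check_policy(policy):
    """Problems with a single policy, independent of the peer's configuration."""
    problems = []
    if not policy["tunnel"]:
        # Transport mode only processes packets whose addresses equal the SA endpoints,
        # so a network selector in transport mode never matches what the SA can carry.
        for sel, sa in (("src-address", "sa-src-address"), ("dst-address", "sa-dst-address")):
            if _net(policy[sel]) != _net(policy[sa]):
                problems.append(
                    f"transport mode: {sel}={policy[sel]} is not the SA endpoint {policy[sa]}"
                )
    if policy["dont-fragment"] != "clear":
        # Encrypted packets grow; leaving DF set means oversized packets are dropped.
        problems.append(
            f"dont-fragment={policy['dont-fragment']}: encrypted packets may exceed the MTU and be dropped"
        )
    return problems


def check_peer_pair(local, remote):
    """Problems that would stop IKE from installing SAs for this pair of policies."""
    problems = [f"local: {p}" for p in check_policy(local)]
    problems += [f"remote: {p}" for p in check_policy(remote)]
    # Selectors and SA endpoints must mirror exactly: our src is their dst and vice versa.
    mirrored = (
        ("src-address", "dst-address"),
        ("dst-address", "src-address"),
        ("sa-src-address", "sa-dst-address"),
        ("sa-dst-address", "sa-src-address"),
    )
    for ours, theirs in mirrored:
        if _net(local[ours]) != _net(remote[theirs]):
            problems.append(
                f"local {ours}={local[ours]} does not match remote {theirs}={remote[theirs]}"
            )
    return problems


if __name__ == "__main__":
    for line in check_peer_pair(ROUTER_A, ROUTER_B) or ["policies mirror correctly"]:
        print(line)
```

Run it against the exported policies of both peers before starting IKE; an empty result means the selectors and SA endpoints mirror and neither side is in a configuration the notes above say cannot work. The /27 versus /28 mismatch from the text is reported as a single "does not match" line.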
Example