User's Manual
Table Of Contents
- RipEX2 Radio modem & Router
- Table of Contents
- Important Notice
- 1. Quick guide
- 2. Product
- 3. Accessories
- 4. Installation
- 5. RipEX2 in detail
- 6. Web interface
- 7. Settings
- 7.1. Interfaces
- 7.1.1. Ethernet
- 7.1.2. Radio
- 7.1.3. COM
- 7.1.4. Terminal servers
- 7.1.5. Cellular
- 7.2. Routing
- 7.2.1. Static
- 7.2.2. OSPF
- 7.2.2.1. Description
- 7.2.2.2. Common - Common settings
- 7.2.2.3. Network - Areas and interfaces - Areas
- 7.2.2.4. Network - Areas and interfaces - Interfaces
- 7.2.2.5. Network - Areas and interfaces - Neighbors
- 7.2.2.6. Network - Areas and interfaces - Networks
- 7.2.2.7. Static rules
- 7.2.2.8. Import filter
- 7.2.2.9. Export filter
- 7.2.3. BGP
- 7.3. Firewall
- 7.4. VPN
- 7.5. Security
- 7.6. Device
- 7.7. Advanced
- 7.1. Interfaces
- 8. Diagnostics
- 9. Technical parameters
- 10. Safety, regulations, warranty
- 10.1. Frequency
- 10.2. Safety distance
- 10.3. High temperature
- 10.4. Battery disposal
- 10.5. Instructions for Safe Operation of Equipment
- 10.6. SW license
- 10.7. EU Compliance
- 10.8. Compliance Federal Communications Commission and Innovation, Science and Economic Development Canada
- 10.9. Compliance ANATEL Brasil
- 10.10. Warranty
- 10.11. RipEX2 Availability and service life time
- 10.12. RipEX2 maintenance
- Appendix A. Abbreviations
- Index
- Revision History
Although there are 2 modes of operation RipEX2 only offers Tunnel mode. In Tunnel mode, the entire
IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet (ESP – Encap-
sulating Security Payloads) with a new IP header.
Symmetrical cryptography is used to encrypt the packets. The symmetric keys must be safely delivered
to the peer. In order to maintain a secure connection, symmetric keys must be regularly exchanged.
The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and
the newer version 2 are available in RipEX2.
IKE protocol communication with the peer is established using UDP frames on port 500. However, if
NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) are active, the UDP port 4500 is used instead.
Note
NAT-T is automatically recognized by IPsec implementation in RipEX2.
The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:
• IKE SA: IKE Security Association providing SA keys exchange with the peer.
• CHILD SA: IPsec Security Association providing packet encryption.
Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.
Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication
method: Both link partners share the same key (password).
As and when the CHILD SA expires, new keys are generated and exchanged using IKE SA.
As and when the IKE SA version IKEv1 expires - new authentication and key exchange occurs and a
new IKE SA is created. Any CHILD SA belonging to this IKE SA is re-created as well.
As and when the IKE SA version IKEv2 expires one of two different scenarios might occur:
• If the re-authentication is required - the behavior is similar to IKEv1 (see above).
• It the re-authentication is not required - only new IKE SA keys are generated and exchanged.
107© RACOM s.r.o. – RipEX2 Radio modem & Router
Settings