RipEX-Base Configuration


Print version

3. RipEX-Base Configuration

RipEX-Base Settings

Fig. 3.1: RipEX-Base Settings


Unit name


Operating mode

“Router“ (IPsec cannot be used in the Bridge mode)

Radio protocol

“Base Driven“ (The protocol can also be set as “Flexible”, but this example utilizes the Base Driven Protocol, BDP)

Station type

“Base” (detailed configuration in Fig. 3.2 RipEX-Base Radio protocol settings )


“” (common subnet for all RipEX units in this example)

TX/RX frequency

“436.360.000 MHz” (configure any frequency, but the same among all RipEX units – simplex or duplex scenarios are both possible)

Channel spacing

“25 kHz” (configure any spacing, but this must be the same for all units)

Modulation rate

“83.33 | 16DEQAM” (use the same “type” for all units, but otherwise, configure as preferred)

RF power (W)

“0.5 W” (set the minimum possible RF power for tests using dummy loads on your desk – laboratory tests)


“” (set the Ethernet IP/Mask)

RipEX-Base Radio protocol settings

Fig. 3.2: RipEX-Base Radio protocol settings


Radio protocol

“Base driven”

Station type


Modulation type

“QAM” (must be the same among all RipEX units)

Modulation rate

“83.33 kbps | 16DEQAM” (the default modulation rate)


8 remote units are configured, but only 2 of them are activated due to the simplicity of this example. The Modulation rate can be set for each link individually, as well as FEC, ACK, Retries or CTS retries. The connection is “Direct” for all units.

RipEX-Base Routing

Fig. 3.3: RipEX-Base Routing

The Peer IP address can either be the Radio IP or Ethernet IP (if the remote end-point is RipEX). Correct routing rules must be configured for remote end-point accessibility, i.e. and Otherwise, RipEX-Base does not know a route to the other RipEX’s Ethernet IPs.

In the following step (IPsec configuration), interconnection of local and remote subnets via IPsec tunnels will be configured. Correct routing MUST be configured, otherwise, the traffic between remote Ethernet subnets will be filtered and discarded. I.e. for each planned remote subnet which should be reachable via IPsec, a correct routing must be set.

If the IPsec is down, there are automatic firewall rules blocking such traffic to avoid unencrypted data being sent from the RipEX unit. In our example, if the tunnel is down, RipEX-Base blocks all the traffic coming from the network to and/or networks. This traffic can only be forwarded if an IPsec tunnel is used (so it’s up and running).

  • via (connection to RipEX1-remote)

  • via (connection to RipEX8-remote)

Once correct routing rules are connected on remote units, Ethernet-to-Ethernet connectivity is ready.

There is also a Default gateway configured ( This route can be omitted completely if not required for any other purpose (e.g. accessibility of this unit via Ethernet from other subnets).

RipEX-Base IPsec configuration summary

Fig. 3.4: RipEX-Base IPsec configuration summary

In Fig. 3.4, two IPsec associations are already configured and running. See Fig. 3.5 for the tunnel configuration. Both tunnels are configured in the same way.

RipEX-Base IPsec association configuration #1

Fig. 3.5: RipEX-Base IPsec association configuration #1


IKE version

“IKEv2” (IKEv1 is also implemented)

Peer address

“” (Ethernet IP address of “RipEX1-remote”)

Local ID


Remote ID


Traffic selectors

“ (local) <->” (a selector for RipEX1-remote and RipEX2-remote connectivity over IPsec)

“ (local) <->” (a basic selector for Ethernet to Ethernet accessibility over IPsec)

Start state

“Passive” (it waits for incoming connections from remote units)


“On” (default)

Dead Peer Detection

“On” (check every 30 seconds and if there is no accessibility of remote end-point, close the connection and wait for re-establishment, i.e. “Hold” option)

Phase 1 – IKE

Authentication method


Encryption algorithm

“AES128” (default)

Integrity algorithm

“SHA256” (default)


“Group 15” (default)


“Off” (default)

SA lifetime [s]

“14400” (default)

Phase 2 – IPsec

Encryption algorithm

“AES128” (default)

Integrity algorithm

“SHA256” (default)


“Group 15” (default)

IPcomp compression

“Off” (default)

SA lifetime [s]

“3600” (default)

Pre-shared keys


“Pass phrase” (default)

Pass phrase

“RacomRipEX” (can be configured as required, but must be the same on both units)

RipEX-Base IPsec association configuration #2

Fig. 3.6: RipEX-Base IPsec association configuration #2

The second tunnel has the same parameters except for:

Peer address

“” (“RipEX8-remote” Ethernet IP)

Peer ID


Traffic selectors

“ (local) <->” (a selector for RipEX1-remote and RipEX2-remote connectivity over IPsec)

“ (local) <->” (a basic selector for Ethernet to Ethernet reachability over IPsec)

NOTE:   The start states should not be “Start” at both tunnel end-points, because it might happen that both end-points will try to initiate the connection at the same time and thus create and delete SAs until resolved. Do not use a “Passive” mode at both end-points – no tunnel would be initiated at all.

Once configured and applied, the tunnels need the remote units to be configured as well, otherwise the tunnels cannot be established.

©  2024 RACOM s.r.o. All Rights Reserved.