“Router” (IPsec cannot be used in the Bridge mode)
“Base Driven” (The protocol can also be set as “Flexible”, but this example utilizes the Base Driven Protocol, BDP)
“10.10.10.131/24” (common subnet for all RipEX units in this example)
“436.360.000 MHz” (configure any frequency, but the same among all RipEX units – simplex or duplex scenarios are both possible)
“25 kHz” (configure any spacing, but this must be the same for all units)
“83.33 | 16DEQAM” (use the same “type” for all units, but otherwise, configure as preferred)
|RF power (W)|
“0.5 W” (set the minimum possible RF power for tests using dummy loads on your desk – laboratory tests)
“192.168.131.238/24” (set the Ethernet IP/Mask)
“QAM” (must be the same among all RipEX units)
“83.33 kbps | 16DEQAM” (the default modulation rate)
8 remote units are configured, but only 2 of them are activated to keep this example simple. The Modulation rate can be set for each link individually, as can FEC, ACK, Retries and CTS retries. The connection is “Direct” for all units.
The Peer IP address can either be the Radio IP or Ethernet IP (if the remote end-point is RipEX). Correct routing rules must be configured for remote end-point accessibility, i.e. 192.168.1.1/32 and 192.168.2.1/32. Otherwise, RipEX-Base does not know a route to the other RipEX’s Ethernet IPs.
In the following step (IPsec configuration), the interconnection of local and remote subnets via IPsec tunnels will be configured. Correct routing MUST be configured; otherwise, the traffic between remote Ethernet subnets will be filtered and discarded. That is, a correct route must be set for each planned remote subnet that should be reachable via IPsec.
If the IPsec tunnel is down, automatic firewall rules block such traffic so that no unencrypted data is sent from the RipEX unit. In our example, if the tunnel is down, RipEX-Base blocks all the traffic coming from the 192.168.131.0/24 network to the 192.168.1.0/24 and/or 192.168.8.0/24 networks. This traffic can only be forwarded through an IPsec tunnel, i.e. when the tunnel is up and running.
192.168.1.0/24 via 10.10.10.1 (connection to RipEX1-remote)
192.168.8.0/24 via 10.10.10.8 (connection to RipEX8-remote)
Once correct routing rules are configured on the remote units, Ethernet-to-Ethernet connectivity is ready.
There is also a Default gateway configured (192.168.131.254). This route can be omitted completely if not required for any other purpose (e.g. accessibility of this unit via Ethernet from other subnets).
“IKEv2” (IKEv1 is also implemented)
“192.168.1.1” (Ethernet IP address of “RipEX1-remote”)
“192.168.8.0/24 (local) <-> 192.168.1.0/24” (a selector for RipEX1-remote and RipEX2-remote connectivity over IPsec)
“192.168.131.0/24 (local) <-> 192.168.1.0/24” (a basic selector for Ethernet to Ethernet accessibility over IPsec)
“Passive” (it waits for incoming connections from remote units)
|Dead Peer Detection|
“On” (check every 30 seconds and if there is no accessibility of remote end-point, close the connection and wait for re-establishment, i.e. “Hold” option)
|Phase 1 – IKE|
“Group 15” (default)
|SA lifetime [s]|
|Phase 2 – IPsec|
“Group 15” (default)
|SA lifetime [s]|
“Pass phrase” (default)
“RacomRipEX” (can be configured as required, but must be the same on both units)
The second tunnel has the same parameters except for:
“192.168.8.1” (“RipEX8-remote” Ethernet IP)
“192.168.1.0/24 (local) <-> 192.168.8.0/24” (a selector for RipEX1-remote and RipEX2-remote connectivity over IPsec)
“192.168.131.0/24 (local) <-> 192.168.8.0/24” (a basic selector for Ethernet to Ethernet reachability over IPsec)
NOTE: The start states should not be “Start” at both tunnel end-points, because both end-points might try to initiate the connection at the same time and thus create and delete SAs until resolved. Do not use the “Passive” mode at both end-points either, because no tunnel would be initiated at all.
Once configured and applied, the tunnels need the remote units to be configured as well, otherwise the tunnels cannot be established.
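The routing requirement and the NOTE on start states above can be checked on paper before the configuration is applied. The following Python sketch is an added example, not RACOM code or a RipEX tool: the addresses, selectors and pass phrase are this example's values, while the data layout, the function names and the remote-end settings (“Start”) are assumptions, since the remote configuration is not shown here.

```python
import ipaddress

# Constructed from the values in this example (RipEX-Base side).
BASE_ROUTES = ["192.168.1.0/24", "192.168.8.0/24"]  # via 10.10.10.1 / 10.10.10.8
BASE_TUNNELS = [
    {"peer": "192.168.1.1", "start": "Passive", "psk": "RacomRipEX",
     "selectors": [("192.168.8.0/24", "192.168.1.0/24"),
                   ("192.168.131.0/24", "192.168.1.0/24")]},
    {"peer": "192.168.8.1", "start": "Passive", "psk": "RacomRipEX",
     "selectors": [("192.168.1.0/24", "192.168.8.0/24"),
                   ("192.168.131.0/24", "192.168.8.0/24")]},
]
# Assumed remote-end settings: the remote configuration is not part of this section.
REMOTE_ENDS = {"192.168.1.1": {"start": "Start", "psk": "RacomRipEX"},
               "192.168.8.1": {"start": "Start", "psk": "RacomRipEX"}}


def covered(target, routes):
    """True if some route prefix contains the target address or subnet."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in routes)


def check_plan(routes, tunnels, remote_ends):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for t in tunnels:
        peer = t["peer"]
        if not covered(peer, routes):
            findings.append(f"{peer}: no route to peer address")
        # Every remote subnet named in a selector needs a route, or it is discarded.
        for remote in sorted({r for _local, r in t["selectors"]}):
            if not covered(remote, routes):
                findings.append(f"{peer}: no route to selector subnet {remote}")
        far = remote_ends.get(peer)
        if far is None:
            findings.append(f"{peer}: remote end not configured")
            continue
        # "Start" on both ends races; "Passive" on both ends never initiates.
        if t["start"] == far["start"] and t["start"] in ("Start", "Passive"):
            findings.append(f"{peer}: both ends set to {far['start']}")
        if t["psk"] != far["psk"]:
            findings.append(f"{peer}: pass phrase differs between ends")
    return findings


if __name__ == "__main__":
    for line in check_plan(BASE_ROUTES, BASE_TUNNELS, REMOTE_ENDS) or ["plan is consistent"]:
        print(line)
```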