General commands for remote access configuration

clear remote-access counters

This command resets the connection counters for OpenVPN, PPTP and L2TP over IPsec users.

Syntax
clear remote-access counters [ pptp | l2tp | openvpn ] [ server <SERVER-NAME> ] [ username <USER-NAME> ] [ ip-address <ADDR> ]
Parameters

<SERVER-NAME> – OpenVPN, PPTP or L2TP over IPsec server profile name;

<USER-NAME> – OpenVPN, PPTP or L2TP over IPsec user name;

<ADDR> – OpenVPN, PPTP or L2TP over IPsec user IP address.

When executing the command without a parameter, all the counters of OpenVPN, PPTP and L2TP over IPsec user connections will be reset.

Required privilege level

10

Command mode

ROOT

Example
esr# clear remote-access counters

clear remote-access session

This command ends the connection for OpenVPN, PPTP and L2TP over IPsec users.

Syntax
clear remote-access session [ pptp | l2tp | openvpn ] [ server <SERVER-NAME> ] [ username <USER-NAME> ] [ ip-address <ADDR> ]
Parameters

<SERVER-NAME> – OpenVPN, PPTP or L2TP over IPsec server profile name;

<USER-NAME> – OpenVPN, PPTP or L2TP over IPsec user name;

<ADDR> – OpenVPN, PPTP or L2TP over IPsec user IP address.

When executing the command without a parameter, all OpenVPN, PPTP and L2TP over IPsec connections will be ended.

Required privilege level

10

Command mode

ROOT

Example
esr# clear remote-access session

description

This command sets the description of an OpenVPN, PPTP or L2TP over IPsec server profile.

The use of a negative form (no) of the command removes a profile description.

Syntax
description <DESCRIPTION>
no description
Parameters

<DESCRIPTION> – profile description, set by the string of up to 255 characters.

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

CONFIG-OPENVPN-SERVER

Example

Set the description for PPTP server profile:

esr(config-pptp-server)# description "Our remote workers"

enable

This command activates the configured remote access server profile.

The use of a negative form (no) of the command disables the profile being configured.

Syntax
[no] enable
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

CONFIG-OPENVPN-SERVER

Example
esr(config-pptp-server)# enable

encryption mppe

This command enables Microsoft Point-to-Point Encryption (MPPE) encryption for PPTP connections.

The use of a negative form (no) of the command disables the encryption.

Syntax
[no] encryption mppe
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG-PPTP-SERVER

Example
esr(config-pptp-server)# encryption mppe

remote-access

This command creates a remote access server profile.

The use of a negative form (no) of the command removes a specified profile.

Syntax
[no] remote-access <SERVER-TYPE> <NAME>
Parameters

<SERVER-TYPE> – remote access server type. May take following values: l2tp, openvpn, pptp

<NAME> – remote access server profile name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG

Example
esr(config)# remote-access l2tp remote-workers
esr(config-l2tp-server)#

show remote-access configuration

This command displays the parameters of the OpenVPN, PPTP and L2TP over IPsec server profiles.

Syntax
show remote-access configuration { pptp | l2tp | openvpn } [ <SERVER-NAME> ]
Parameters

<SERVER-NAME> – OpenVPN, PPTP or L2TP over IPsec server profile name;

When executing the command without a parameter, all OpenVPN, PPTP and L2TP over IPsec server parameters will be shown.

Required privilege level

10

Command mode

ROOT

Example
esr# show remote-access configuration pptp pptp1
State:                     Enabled
Description:               --
Security zone:             trusted
Authentication mode:       local
MTU:                       1500
Local address:             192.168.1.1
Remote address:            rem_pptp(10.0.10.20-10.0.10.40)
Outside address:           115.0.0.1
DNS server:                --
WINS server:               --
   Users
   ~~~~~
#     Name                   State      Encrypted password
---   --------------------   --------   ------------------------------
0     pptp                   Enabled    8CB5107EA7005AFF
1     petr                   Enabled    CCE5513EE45A1EAC

show remote-access counters

This command displays the connection counters for OpenVPN, PPTP and L2TP over IPsec users.

Syntax
show remote-access counters [ pptp | l2tp | openvpn ] [ server <SERVER-NAME> ] [ username <USER-NAME> ] [ ip-address <ADDR> ]
Parameters

<SERVER-NAME> – OpenVPN, PPTP or L2TP over IPsec server profile name;

<USER-NAME> – OpenVPN, PPTP or L2TP over IPsec user name;

<ADDR> – OpenVPN, PPTP or L2TP over IPsec user IP address.

When executing the command without a parameter, all the counters of OpenVPN, PPTP and L2TP over IPsec user connections will be shown.

Required privilege level

10

Command mode

ROOT

Example
esr# show remote-access counters
User            IP-address        UC recv      Bytes recv   Err recv     MC recv
-------------   ---------------   ----------   ----------   ----------   ----------
ivan            10.20.20.5        262          25365        0            0
fedor           20.20.20.160      59           5236         0            0
User            IP-address        UC sent      Bytes sent   Err sent
-------------   ---------------   ----------   ----------   ----------
ivan            10.20.20.5        249          29298        0
fedor           20.20.20.160      16           739          0
esr# show remote-access counters l2tp
PPTP Server: remote-workers
User: ivan(10.20.20.5)
 Packets received:               231
 Bytes received:                 22229
 Dropped on receive:             0
 Receive errors:                 0
 Multicasts received:            0
 Receive length errors:          0
 Receive buffer overflow errors: 0
 Receive CRC errors:             0
 Receive frame errors:           0
 Receive FIFO errors:            0
 Receive missed errors:          0
 Receive compressed:             0
 Packets transmitted:            189
 Bytes transmitted:              21858
 Dropped on transmit:            0
 Transmit errors:                0
 Transmit aborted errors:        0
 Transmit carrier errors:        0
 Transmit FIFO errors:           0
 Transmit heartbeat errors:      0
 Transmit window errors:         0
 Transmit comressed:             0
 Collisions:                     0

show remote-access status

This command displays the OpenVPN, PPTP and L2TP over IPsec user connections status.

Syntax
show remote-access status [ pptp | l2tp | openvpn ] [ server <SERVER-NAME> ] [ username <USER-NAME> ] [ ip-address <ADDR> ]
Parameters

<SERVER-NAME> – OpenVPN, PPTP or L2TP over IPsec server profile name;

<USER-NAME> – OpenVPN, PPTP or L2TP over IPsec user name;

<ADDR> – OpenVPN, PPTP or L2TP over IPsec user IP address.

When executing the command without a parameter, all the statuses of OpenVPN, PPTP and L2TP over IPsec user connections will be shown.

Required privilege level

10

Command mode

ROOT

Example
esr# show remote-access status
User               IP-address        Server
----------------   ---------------   --------------------------------------
ivan               10.20.20.5        pptp(remote-workers)
fedor              20.20.20.160      l2tp(remote-workers-l2tp)
Count sessions: 2
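As an added example (not part of this manual or the ESR firmware), the Python below parses the `show remote-access status` and `show remote-access counters` output formats shown above, joins them into one record per session, and lists users whose error counters are non-zero. The sample output embedded in it is constructed to match the manual's layout, and the helper names are the example's own.

```python
"""Join `show remote-access status` and `show remote-access counters` output
into per-session records. The sample text below is constructed to match the
formats shown in the manual; the helper names are this example's own."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of `show remote-access status`.
STATUS_OUTPUT = """\
esr# show remote-access status
User               IP-address        Server
----------------   ---------------   --------------------------------------
ivan               10.20.20.5        pptp(remote-workers)
fedor              20.20.20.160      l2tp(remote-workers-l2tp)
Count sessions: 2
"""

# Constructed sample in the layout of `show remote-access counters` (receive
# table, then transmit table); fedor's Err recv is non-zero on purpose.
COUNTERS_OUTPUT = """\
esr# show remote-access counters
User            IP-address        UC recv      Bytes recv   Err recv     MC recv
-------------   ---------------   ----------   ----------   ----------   ----------
ivan            10.20.20.5        262          25365        0            0
fedor           20.20.20.160      59           5236         7            0
User            IP-address        UC sent      Bytes sent   Err sent
-------------   ---------------   ----------   ----------   ----------
ivan            10.20.20.5        249          29298        0
fedor           20.20.20.160      16           739          0
"""

# The Server column reads "<type>(<profile>)", e.g. pptp(remote-workers).
SERVER_RE = re.compile(r"^(?P<proto>pptp|l2tp|openvpn)\((?P<profile>[^)]+)\)$")

@dataclass
class Session:
    user: str
    ip: str
    proto: str = ""
    profile: str = ""
    counters: dict = field(default_factory=dict)

def _is_noise(line):
    """Blank line, echoed prompt, column header, separator, or count line."""
    return not line.strip() or line.startswith(("esr", "User", "---", "Count"))

def parse_status(text):
    """Return {(user, ip): Session} from `show remote-access status` output."""
    sessions = {}
    for line in text.splitlines():
        if _is_noise(line):
            continue
        user, ip, server = line.split()
        match = SERVER_RE.match(server)
        if not match:
            raise ValueError(f"unexpected Server cell: {server!r}")
        sessions[(user, ip)] = Session(user, ip, match["proto"], match["profile"])
    return sessions

def parse_counters(text):
    """Return {(user, ip): {column name: int}} merged across both tables."""
    result, columns = {}, None
    for line in text.splitlines():
        if line.startswith("User"):
            # Header: names like "Bytes recv" hold one space, so split on 2+ spaces.
            columns = re.split(r"\s{2,}", line.strip())[2:]
            continue
        if _is_noise(line):
            continue
        cells = line.split()
        values = [int(v) for v in cells[2:]]
        if columns is None or len(values) != len(columns):
            raise ValueError(f"row does not match header: {line!r}")
        result.setdefault((cells[0], cells[1]), {}).update(zip(columns, values))
    return result

def join_sessions(status_text, counters_text):
    """Attach each session's counters to its status record, keyed by user+IP."""
    sessions = parse_status(status_text)
    for key, counters in parse_counters(counters_text).items():
        if key in sessions:
            sessions[key].counters = counters
    return sessions

def sessions_with_errors(sessions):
    """Users with non-zero Err recv / Err sent: tunnels worth a closer look."""
    return sorted(s.user for s in sessions.values()
                  if s.counters.get("Err recv", 0) or s.counters.get("Err sent", 0))

if __name__ == "__main__":
    joined = join_sessions(STATUS_OUTPUT, COUNTERS_OUTPUT)
    print("sessions with errors:", sessions_with_errors(joined))
```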

L2TP over IPsec/PPTP server configuration

authentication mode

This command sets the authentication mode for remote users connecting via PPTP or L2TP over IPsec.

The use of a negative form (no) of the command removes a set mode.

Syntax
authentication mode { local | radius }
no authentication mode
Parameters
  • local – authentication mode using the local user base of the configured profile.
  • radius – the mode in which user authentication passes through a RADIUS server.
Required privilege level

15

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# authentication mode local

authentication method

This command allows the specified authentication method for remote users connecting via PPTP or L2TP over IPsec.

The use of a negative form (no) of the command removes the specified method from the allowed methods.

Syntax
[no] authentication method <METHOD>
Parameters

<METHOD> – authentication method, possible values: [chap, mschap, mschap-v2, eap, pap].

Default value

Only chap is allowed

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# authentication method mschap

dns-servers

This command specifies the list of DNS servers that remote users using PPTP and L2TP over IPsec will use.

The use of a negative form (no) of the command removes configured DNS server addresses.

Syntax
dns-servers object-group <NAME>
no dns-servers
Parameters

<NAME> – name of IP addresses profile that contains addresses of required DNS servers, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# dns-servers object-group pptp_dns

dscp

The command sets the DSCP code value for the use in IP headers of PPTP and L2TP over IPsec server outgoing packets.

The use of a negative form (no) of the command sets the default DSCP value.

Syntax
dscp <DSCP>
no dscp
Parameters

<DSCP> – DSCP code value, takes values in the range of [0..63].

Default value

32

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# dscp 40

ipsec authentication method

This command selects the key authentication method for the IKE connection. Message authentication by key is used when an IKE connection is established. The key is set by the 'ipsec authentication pre-shared-key' command (see subsection ipsec authentication pre-shared-key).

The use of a negative form (no) of the command sets the default value.

Syntax
ipsec authentication method pre-shared-key
no ipsec authentication method
Parameters

pre-shared-key – authentication method using a pre-shared key.

Required privilege level

15

Command mode

CONFIG-L2TP-SERVER

Example
esr(config-l2tp-server)# ipsec authentication method pre-shared-key

ipsec authentication pre-shared-key

This command specifies a shared secret authentication key that should be the same for both parties of the tunnel.

The use of a negative form (no) of the command removes a set key.

Syntax
ipsec authentication pre-shared-key { ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }| hexadecimal {<HEX> | encrypted <ENCRYPTED-HEX> } }
no ipsec authentication pre-shared-key
Parameters

<TEXT> – string of [1..64] ASCII characters.

<HEX> – number, [1..32] bytes size, set by the string of [2..128] characters in hexadecimal format (0xYYYY ...) or (YYYY ...).

<ENCRYPTED-TEXT> – encrypted password, [1..32] bytes size, set by the string of [2..128] characters.

<ENCRYPTED-HEX> – encrypted number, [2..64] bytes size, set by the string of [2..256] characters.

Default value

None

Required privilege level

15

Command mode

CONFIG-L2TP-SERVER

Example
esr(config-l2tp-server)# ipsec authentication pre-shared-key ascii-text password

local-address

This command specifies the IP address used by the PPTP or L2TP over IPsec server as the local IP address of the tunnel.

The use of a negative form (no) of the command removes configured tunnel local IP address.

Syntax
local-address { object-group <NAME> | ip-address <ADDR> }
no local-address
Parameters

<NAME> – name of IP addresses profile that contains local IP address of the tunnel, set by the string of up to 31 characters.

<ADDR> – local IP address of the tunnel, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# local-address object-group pptp_local

mtu

This command specifies the MTU for the interfaces that will be created when remote users connect using PPTP and L2TP over IPsec.

The use of a negative form (no) of the command sets the default MTU value.

Syntax
mtu <MTU>
no mtu
Parameters

<MTU> – MTU value, takes values in the range of [1280..1500].

Default value

1500

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# mtu 1400

outside-address

This command specifies the IP address that the PPTP or L2TP over IPsec server will listen on for incoming connections.

The use of a negative form (no) of the command removes the configured listening address.

Syntax
outside-address { object-group <NAME> | ip-address <ADDR> | interface { <IF> | <TUN> } }
no outside-address
Parameters

<NAME> – the name of the IP address profile containing the address that PPTP or L2TP over IPsec will listen on for incoming connections, is specified in a string of up to 31 characters.

<ADDR> – the IP address that PPTP or L2TP over IPsec will listen on for incoming connections, defined as AAA.BBB.CCC.DDD, where each part takes the values [0..255].

<IF> – an interface, specified in the form described in Section Types and naming order of router interfaces.

<TUN> – the name of the tunnel, specified in the form described in Section Types and naming order of router tunnels.

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# outside-address object-group pptp_outside

remote-address

This command specifies a list of IP addresses from which PPTP or L2TP over IPsec server issues dynamic IP addresses to remote users.

The use of a negative form (no) of the command removes the remote user IP addresses list.

Syntax
remote-address { object-group <NAME> | address-range <FROM-ADDR>-<TO-ADDR> }
no remote-address
Parameters

<NAME> – name of IP addresses profile that contains remote user IP addresses list, set by the string of up to 31 characters.

<FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

<TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# remote-address object-group pptp_remote

remote network

This command sets the IP address of a subnet that becomes reachable when a dynamic PPTP/L2TP tunnel is created for the user.

The use of a negative form (no) of the command removes the subnet reachable via the dynamic PPTP/L2TP tunnel.

Syntax
remote network <ADDR/LEN> 
no remote network
Parameters

<ADDR/LEN> – destination IP subnet. The parameter is defined as AAA.BBB.CCC.DDD/EE where each part AAA-DDD takes values of [0..255] and EE takes values of [1..32].

Required privilege level

10

Command mode

CONFIG-PPP-USER

Example
esr(config-ppp-user)# remote network 192.168.54.0/24

remote networks

This command sets a list of subnets that become reachable when a dynamic PPTP/L2TP tunnel is created for the user.

The use of a negative form (no) of the command removes the list of subnets reachable via the dynamic PPTP/L2TP tunnel.

Syntax
remote networks <OBJ-GROUP-NETWORK-NAME>
no remote networks
Parameters

<OBJ-GROUP-NETWORK-NAME> – IP/IPv6 addresses profile name, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG-PPP-USER

Example
esr(config-ppp-user)# remote network 192.168.54.0/24

username

This command creates a user to connect to PPTP or L2TP over IPsec servers. After executing the command, the router enters the PPP user password configuration mode.

The use of a negative form (no) of the command removes a specified user.

The command sets the command line mode to PPTP USER or L2TP USER depending on the current command mode.

Syntax
[no] username <NAME>
Parameters

<NAME> – user name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# username fedor
esr(config-pptp-user)#

wins-servers

This command specifies the list of WINS servers that remote users using PPTP and L2TP over IPsec will use.

The use of a negative form (no) of the command removes configured WINS server addresses.

Syntax
wins-servers object-group <NAME>
no wins-servers
Parameters

<NAME> – name of IP addresses profile that contains addresses of required WINS servers, set by the string of up to 31 characters.

Required privilege level

10

Command mode

CONFIG-PPTP-SERVER

CONFIG-L2TP-SERVER

Example
esr(config-pptp-server)# wins-servers object-group l2tp_wins

OpenVPN server configuration

address-range

This command specifies the IP addresses list from which dynamic IP addresses are leased to remote users in L2 mode by OpenVPN server.

The use of a negative form (no) of the command removes the remote user IP addresses list.

Syntax
address-range <FROM-ADDR>-<TO-ADDR>
no address-range
Parameters

<FROM-ADDR> – range starting IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<TO-ADDR> – range ending IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# address-range 192.168.1.10-192.168.1.250

authentication algorithm

This command defines OpenVPN clients authentication algorithm.

The use of a negative form (no) of the command sets the default authentication mode.

Syntax
authentication algorithm <ALGORITHM>
no authentication algorithm
Parameters

<ALGORITHM> – authentication algorithm:

  • 8-128 bits key size: md4, rsa-md4, md5, rsa-md5, mdc2, rsa-mdc2
  • 8-160 bits key size: sha, sha1, rsa-sha, rsa-sha1, rsa-sha1-2, dsa, dsa-sha, dsa-sha1, dsa-sha1-old, ripemd160, rsa-ripemd160, ecdsa-with-sha1
  • 8-224 bits key size: sha-224, rsa-sha-224
  • 8-256 bits key size: sha-256, rsa-sha-256
  • 8-384 bits key size: sha-384, rsa-sha-384
  • 8-512 bits key size: sha-512, rsa-sha-512, whirlpool
Default value

sha

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# authentication algorithm sha-256

bridge-group

This command includes client connections via OpenVPN to the L2 domain.

The use of a negative form (no) of the command excludes connections from the L2 domain.

Syntax
bridge-group <BRIDGE-ID>
no bridge-group
Parameters

<BRIDGE-ID> – bridge identifying number. Specified in the form described in Section Types and naming order of router interfaces.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# bridge-group 15

certificate

This command specifies certificates and keys. Certificates and keys must be previously copied to the router using the copy command described in section copy.

The use of a negative form (no) of the command removes a specified certificate from the profile.

Syntax
certificate <CERTIFICATE-TYPE> <NAME>
no certificate <CERTIFICATE-TYPE>
Parameters

<CERTIFICATE-TYPE> – certificate or key type, may take the following values:

  • ca – Certificate Authority;
  • crl – Certificate Revocation List;
  • dh – Diffie-Hellman key;
  • server-crt – public server certificate;
  • server-key – private server key;
  • ta – HMAC key;
  • client-key – OpenVPN client private key;
  • client-crt – OpenVPN client certificate.

<NAME> – certificate or key name, set by the string of up to 31 characters.

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# certificate ca ca.crt

client-isolation

This command enables blocking of data transfer between clients.

The use of a negative form (no) of the command removes blocking.

Syntax
[no] client-isolation
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# client-isolation

client-max

This command sets the maximum number of simultaneous user sessions.

The use of a negative form (no) of the command sets the default value.

Syntax
client-max <VALUE>
no client-max
Parameters

<VALUE> – maximum amount of users, takes values of [1..65535].

Default value

Not limited.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# client-max 500

compression

This command enables compression of the data transmitted between clients and the OpenVPN server.

The use of a negative form (no) of the command disables the mechanism of transmitted data compression.

Syntax
[no] compression
Parameters

The command does not contain parameters.

Default value

Disabled.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# compression

dns-server

This command specifies the list of DNS servers that will be used by remote users.

The use of a negative form (no) of the command removes configured DNS server addresses.

Syntax
dns-server <ADDR>
no dns-server { <ADDR> | all }
Parameters

<ADDR> – DNS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

all – remove all configured DNS server addresses.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# dns-server 1.1.1.1

duplicate-cn

The command allows connecting several users with one certificate.

The use of a negative form (no) of the command prohibits the use of the same certificate by several users.

Syntax
[no] duplicate-cn
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# duplicate-cn

encryption algorithm

This command selects the encryption algorithm used for data transmission.

The use of a negative form (no) of the command disables the encryption.

Syntax
encryption algorithm <ALGORITHM>
no encryption algorithm
Parameters

<ALGORITHM> – encryption protocol identifier, may take following values: des, blowfish128, aes128, des-ede, aes192, 3des, desx, aes256.

Default value

Encryption disabled.

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# encryption algorithm aes128

ip address

The command sets a static IP address for a specified user. The use of a negative form (no) of the command removes a client's static IP address.

Syntax
[no] ip address <ADDR>
Parameters

<ADDR> – IP address set in the following format:

AAA.BBB.CCC.DDD – IP address, where AAA-DDD take values of [0..255].

Required privilege level

15

Command mode

CONFIG-OPENVPN-USER

Example
esr(config-openvpn-server)# username client
esr(config-openvpn-user)# ip address 10.10.100.15

login authentication

This command activates the user authentication list to authorize users.

The default configuration includes a list named 'default'; the list contains one authentication method – 'local'.

The use of a negative form of the command (no) disables authentication list.

Syntax
login authentication <NAME>
no login authentication
Parameters

<NAME> – list name, set by the string of up to 31 characters.

Default value

default

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# login authentication OPENVPN-LIST

network

This command defines the subnet from which IP addresses are leased to users. The first IP address on the subnet is the gateway for user sessions.

The use of a negative form (no) of the command removes this subnet.

Syntax
network <ADDR/LEN>
no network
Parameters

<ADDR/LEN> – subnet IP address, set in the following format:

  • AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].
Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# network 192.168.25.0/24

port

This command sets the TCP/UDP port that the OpenVPN server will listen on.

The use of a negative form (no) of the command sets the default value.

Syntax
port <PORT>
no port
Parameters

<PORT> – TCP/UDP port, takes values of [1..65535].

Default value

1194

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# port 5000

protocol

The command sets encapsulation protocol.

The use of a negative form (no) of the command sets the default value.

Syntax
protocol <PROTOCOL>
no protocol
Parameters

<PROTOCOL> – encapsulation protocol, possible values:

  • TCP – encapsulation in TCP segments;
  • UDP – encapsulation in UDP datagrams.
Default value

Stopped.

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# protocol udp

redirect-gateway

This command enables the default route advertising for OpenVPN connections, which leads to the replacement of the default route on the client side. The new default gateway will be the OpenVPN server IP address.

The use of a negative form (no) of the command disables the default route advertising.

Syntax
[no] redirect-gateway
Parameters

The command does not contain parameters.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# redirect-gateway

route

This command enables advertising of the specified subnets to clients; their gateway is the OpenVPN server IP address (the first IP address of the subnet specified with the network command, described in the section network).

The use of a negative form (no) of the command disables specified subnets advertising.

Syntax
route <ADDR/LEN>
no route { <ADDR/LEN> | all }
Parameters

<ADDR/LEN> – subnet IP address set in the following format:

AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# route 192.168.25.0/24, 192.168.26.0/24

timers holdtime

This command sets the time interval after which the opposing party is considered unavailable. The timer starts counting from 0 once a neighborhood relationship is established and is reset each time a reply to a keepalive message is received from the opposite side. It is recommended to set the timer value to 3 * keepalive.

The use of a negative form (no) of the command sets the default value.

Syntax
timers holdtime <TIME>
no timers holdtime
Parameters

<TIME> – time in seconds, takes values of [1..65535].

Default value

120

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# timers holdtime 360

timers keepalive

This command sets the time interval after which the connection with the opposing party will be checked.

The use of a negative form (no) of the command sets the default value.

Syntax
timers keepalive <TIME>
no timers keepalive
Parameters

<TIME> – time in seconds, takes values of [1..65535].

Default value

10

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# timers keepalive 120

subnet

This command defines the subnet for the specified user of the OpenVPN server.

The use of a negative form (no) of the command removes a bind to a specified subnet.

Syntax
[no] subnet <ADDR/LEN>
Parameters

<ADDR/LEN> – subnet IP address set in the following format:

AAA.BBB.CCC.DDD/EE – network IP address with prefix mask, where AAA-DDD take values of [0..255] and EE takes values of [1..32].

Required privilege level

10

Command mode

CONFIG-OPENVPN-USER

Example
esr(config-openvpn-server)# username client
esr(config-openvpn-user)# subnet 192.168.25.128/28

tunnel

This command defines type of connection with a private network via OpenVPN server.

The use of a negative form (no) of the command removes a current value.

Syntax
tunnel <TYPE>
no tunnel
Parameters

<TYPE> – tunnel type, takes the following values:

  • ip – point-to-point connection;
  • ethernet – L2 domain connection.
Default value

None

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# tunnel ip

username

The command allows switching to a specified OpenVPN user's configuration mode.

The use of a negative form (no) of the command returns default user settings.

Syntax
[no] username { <NAME> | all }
Parameters

<NAME> – user name, set by the string of up to 31 characters.

all – deletes all previously created users.

Required privilege level

15

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# username client
esr(config-openvpn-user)#

wins-server

This command specifies the list of WINS servers that will be used by remote users.

The use of a negative form (no) of the command removes configured WINS server addresses.

Syntax
wins-server <ADDR>
no wins-server { <ADDR> | all }
Parameters

<ADDR> – WINS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

all – remove all configured WINS server addresses.

Required privilege level

10

Command mode

CONFIG-OPENVPN-SERVER

Example
esr(config-openvpn-server)# wins-server 1.1.1.1