Guidelines for using IPSec
Use of IPSec and other VPNs are strongly discouraged over the Iridium network, as they can result in large data use and high bills.
IPSec is a protocol for creating an encrypted and authenticated tunnel (aka VPN) between two devices or gateways across the internet.
The RockREMOTE does not have built-in support for IPSec, however it is possible for a local device to establish an IPSec link over Iridium and/or Cellular to a fixed server.
Limitations
- NAT-T (NAT traversal) mode must be used
- Raw AH and ESP packets will not pass through the RockREMOTE
- At most one local device can be configured to allow initiation from the fixed end of the IPSec tunnel
IPSec settings
Required
- NAT-T: enabled
Reccomended
- IKE: IKEv2
- MOBIKE: enabled (when used on both Iridium and Cellular failover)
When using Iridium, background traffic sent while there is no real data to transfer must be avoided. You must either:
- Only setup the IPSec tunnel when data needs to be transferred, then tear it down again, \ and/or
- Turn off NAT-T keepalive, DPD detection, and anything else that would prevent the Iridium connection from going into idle mode
RockREMOTE settings
The LAN IP subnet must not overlap with the IP range which is being tunneled in each direction.
If the device is selected as 1:1 NAT, nothing further needs to be done.
Outbound rules
- UDP port 500
- UDP port 4500
Port forward rules
These are only needed if the IPSec tunnel needs to be initiated from the fixed side, rather than the RockREMOTE side.
- UDP port 500 --> 500
- UDP port 4500 --> 4500