About NAT traversal

NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are mapped. Mapping both components allows multiple private IP addresses to use a single public IP address.

Because a NAT device rewrites the IP header of an IPSec packet, the packet fails its integrity check at the far end: the IPSec AH header authenticates the source and destination addresses, so any change to them invalidates the packet, and NAPT has no TCP or UDP port in an ESP packet to translate. As a result, IPSec VPN does not work through NAT devices without additional help.

NAT traversal solves this problem by encapsulating the IPSec packet within a UDP packet (UDP port 4500 in the standardized form of NAT traversal, RFC 3947 and RFC 3948). The NAT device translates only the outer IP and UDP headers, so the original IPSec packet passes through unchanged and its integrity check still succeeds at the far end.

Both ends of a tunnel must have the same NAT traversal setting (enabled on both or disabled on both). The keepalive frequency can differ at each end: keepalives only stop the NAT device's UDP mapping from timing out, so each end can choose a value suited to the NAT device in front of it.
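The following Python script is an added illustration of the UDP encapsulation described above; it is not code from the DFL-500 manual or from D-Link, and it follows the standardized form of NAT traversal (RFC 3948), which this page does not confirm the DFL-500 implements byte for byte. It builds a simplified ESP packet with an HMAC-SHA1-96 integrity check value, wraps it in a UDP header on port 4500, lets a simulated NAPT rewrite the outer source port, and shows that the receiver still demultiplexes the payload correctly and that the inner integrity check passes. The auth key and the "encrypted" payload are constructed test values, not real SA material.

```python
"""NAT traversal (UDP-encapsulated ESP) demonstration, RFC 3948 style.

Constructed example: the ESP payload is a stand-in byte string, not real
encrypted data, and the authentication key is a fixed test value.
"""
import hashlib
import hmac
import struct

NAT_T_PORT = 4500             # IKE and UDP-encapsulated ESP share this port once NAT is detected
NON_ESP_MARKER = b"\x00" * 4  # prefixed to IKE messages; cannot collide with ESP because SPI 0 is reserved
NAT_KEEPALIVE = b"\xff"       # one-byte keepalive that refreshes the NAT device's UDP mapping
ICV_LEN = 12                  # HMAC-SHA1-96 integrity check value length


def build_esp_packet(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """ESP header (SPI, sequence number) + payload + ICV.

    The ICV covers only the ESP header and payload, never the outer IP/UDP
    header, which is why a NAT device can rewrite outer addresses and ports
    without breaking the check. `payload` stands in for encrypted data + trailer.
    """
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


def verify_esp_icv(esp_packet: bytes, auth_key: bytes) -> bool:
    """Recompute the ICV over header + payload and compare in constant time."""
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def udp_encapsulate(payload: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Wrap a NAT-T payload (ESP, marker + IKE, or keepalive) in a UDP header.

    RFC 3948 requires the UDP checksum to be transmitted as zero, so the NAT
    device only has to rewrite the address and port fields it already understands.
    """
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def napt_rewrite_source_port(udp_datagram: bytes, new_src_port: int) -> bytes:
    """Simulate a NAPT device: replace the outer UDP source port, leave the payload alone."""
    _, dst_port, length, checksum = struct.unpack("!HHHH", udp_datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst_port, length, checksum) + udp_datagram[8:]


def classify_nat_t_payload(udp_payload: bytes) -> dict:
    """Demultiplex a datagram received on port 4500 into keepalive, IKE or ESP."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(udp_payload) < 8:  # shorter than the fixed ESP header (SPI + sequence number)
        raise ValueError("truncated NAT-T payload")
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike_message": udp_payload[4:]}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "esp_packet": udp_payload}


def demo() -> dict:
    """Send one ESP packet through a simulated NAPT and show the inner ICV survives."""
    auth_key = b"constructed-test-key"  # constructed value, not a real SA key
    esp = build_esp_packet(spi=0xA1B2, seq=1, payload=b"encrypted-payload-stand-in", auth_key=auth_key)
    on_wire = udp_encapsulate(esp)                         # 4500 -> 4500 as sent by the inside host
    translated = napt_rewrite_source_port(on_wire, 61000)  # NAPT assigns a new public source port
    src_port, dst_port, _, _ = struct.unpack("!HHHH", translated[:8])
    received = classify_nat_t_payload(translated[8:])      # receiver strips the outer UDP header
    return {
        "src_port_after_nat": src_port,
        "dst_port": dst_port,
        "kind": received["kind"],
        "spi": received["spi"],
        "icv_ok": verify_esp_icv(received["esp_packet"], auth_key),
        "ike_kind": classify_nat_t_payload(NON_ESP_MARKER + b"\x00" * 28)["kind"],
        "keepalive_kind": classify_nat_t_payload(NAT_KEEPALIVE)["kind"],
    }


if __name__ == "__main__":
    print(demo())
```

The same demultiplexing logic is what a receiving gateway applies to every datagram on port 4500: a single 0xFF byte is a keepalive and carries no IPSec content, four zero bytes mark an IKE message, and anything else is ESP whose first four bytes are the SPI. Flipping any byte of the ESP packet itself, as opposed to the outer UDP header, makes the integrity check fail.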

Adding an AutoIKE key VPN tunnel

Add an AutoIKE key tunnel to specify the phase 2 parameters used to create and maintain a VPN tunnel to a remote gateway that you have already configured.

To add an AutoIKE key VPN tunnel:

Go to VPN > IPSEC > AutoIKE Key.

Select New to add a new AutoIKE key VPN tunnel.

Configure the AutoIKE key VPN tunnel.

Tunnel Name
    Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Remote Gateway
    Select a STATIC or a DIALUP remote gateway to associate with the VPN tunnel.

    Select a static remote gateway if you are configuring IPSec redundancy. See Configuring IPSec redundancy.

    If you select a static gateway, you can select up to three remote gateways. To decrease the number of remote gateways, select the minus sign. To increase the number of remote gateways, select the plus sign.

P2 Proposal
    Select up to three encryption and authentication algorithm combinations to propose for phase 2. Two are selected by default. To decrease the number of combinations selected, select the minus sign. To increase the number of combinations selected, select the plus sign. See About the P2 proposal.

Enable replay detection
    Select Enable replay detection to prevent IPSec replay attacks during phase 2. See About replay detection.

Enable perfect forward secrecy (PFS)
    Select Enable perfect forward secrecy (PFS) to improve the security of phase 2 keys. See About perfect forward secrecy (PFS).

DH Group
    Select the Diffie-Hellman group to propose for phase 2 of the IPSec VPN connection. You can select one DH group. Select 1, 2, or 5. See About DH groups. The phase 2 DH exchange is only performed when PFS is enabled. Group 5 (1536-bit MODP) is the strongest of the three; groups 1 (768-bit) and 2 (1024-bit) are no longer considered adequate against a well-resourced attacker, so select 5 wherever the remote gateway supports it.

Keylife
    Specify the keylife for phase 2. The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed. This means that on a lightly used tunnel the key stays in use past the time limit until the kbyte limit is also reached; select a time-based keylife alone if you need a hard upper bound on how long a key is used.

    When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.

DFL-500 User Manual
