About NAT traversal
NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The
Because a NAT device modifies the original IP address of an IPSec packet, the packet fails its integrity check at the receiving gateway. This failure means that IPSec VPN does not work through NAT devices.
NAT traversal solves this problem by encapsulating the IPSec packet within a UDP packet. The NAT device then rewrites only the outer IP and UDP headers, so it can process the packet without changing the original IPSec packet inside.
Both ends of a gateway must have the same NAT traversal setting. Each end can have different keepalive frequencies.
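To make the encapsulation concrete, here is an added Python example (not from the original guide or from FortiGate) that models the UDP-encapsulated IPSec format used for NAT traversal on UDP port 4500 (RFC 3948): it classifies a port-4500 payload as IKE, ESP or NAT-keepalive, and shows that a simulated NAT that rewrites only the outer IP/UDP addressing leaves the ESP bytes, and therefore the integrity check, intact. The HMAC key, addresses, SPI and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

NAT_T_PORT = 4500                     # UDP port used for NAT-traversal encapsulation
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # 4 zero bytes mark an IKE message on port 4500
KEEPALIVE = b"\xff"                   # 1-byte NAT-keepalive that keeps the NAT mapping open
ICV_LEN = 16                          # truncated HMAC length used by this demo

@dataclass
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def classify_nat_t_payload(payload: bytes) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (kind, spi, seq) for the UDP payload of a port-4500 packet."""
    if payload == KEEPALIVE:
        return ("nat-keepalive", None, None)
    if payload.startswith(NON_ESP_MARKER):    # a real ESP SPI is never zero
        return ("ike", None, None)
    if len(payload) < 8:
        raise ValueError("ESP needs at least SPI + sequence number")
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", spi, seq)

def esp_icv(key: bytes, esp_bytes: bytes) -> bytes:
    """Integrity check value over the ESP header and encrypted body (demo: HMAC-SHA256/128)."""
    return hmac.new(key, esp_bytes, hashlib.sha256).digest()[:ICV_LEN]

def build_esp_in_udp(key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    header = struct.pack("!II", spi, seq)
    return header + ciphertext + esp_icv(key, header + ciphertext)

def verify_esp_in_udp(key: bytes, payload: bytes) -> bool:
    body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(key, body), icv)

def nat_translate(pkt: UdpPacket, public_ip: str, public_port: int) -> UdpPacket:
    """Simulated source NAT: only the outer addressing changes, the payload is copied untouched."""
    return UdpPacket(public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

def demo() -> bool:
    """Private host sends ESP-in-UDP through a NAT; the ICV still verifies on the far side."""
    key = b"constructed-demo-key"  # constructed sample key, not a real SA key
    inner = UdpPacket("10.0.0.5", NAT_T_PORT, "203.0.113.10", NAT_T_PORT,
                      build_esp_in_udp(key, 0x1234ABCD, 7, b"\xaa" * 16))
    outer = nat_translate(inner, "198.51.100.1", 40001)
    return outer.payload == inner.payload and verify_esp_in_udp(key, outer.payload)
```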
Adding an AutoIKE key VPN tunnel
Add an AutoIKE key tunnel to specify the parameters used to create and maintain a VPN tunnel that has been started by a remote gateway configuration.
To add an AutoIKE key VPN tunnel:
• Go to VPN > IPSEC > AutoIKE Key.
• Select New to add a new AutoIKE key VPN tunnel.
• Configure the AutoIKE key VPN tunnel.
Tunnel Name
Enter a name for the tunnel. The name can contain numbers

Remote Gateway
Select a STATIC or a DIALUP remote gateway to associate with the VPN tunnel.
Select a static remote gateway if you are configuring IPSec redundancy. See Configuring IPSec redundancy.
If you select a static gateway, you can select up to three remote gateways. To decrease the number of remote gateways, select the minus sign. To increase the number of remote gateways, select the plus sign.

P2 Proposal
Select up to three encryption and authentication algorithm combinations to propose for phase 2. Two are selected by default. To decrease the number of combinations selected, select the minus sign. To increase the number of combinations selected, select the plus sign. See About the P2 proposal.

Enable replay detection
Select Enable replay detection to prevent IPSec replay attacks during phase 2. See About replay detection.

Enable perfect forward secrecy (PFS)
Select Enable perfect forward secrecy (PFS) to improve the security of phase 2 keys. See About perfect forward secrecy (PFS).

DH Group
Select the

Keylife
Specify the keylife for phase 2. The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed.
When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.