Internet Key Exchange for VPNs 6-9

Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE Phase 1 messages.

Independent Phase 2 Re-keystoggles whether or not a Phase 2 re-keys requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys will be performed independently when necessary without requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1 re-key. This item should normally be set to Yes unless the device is communicating with a non-compliant remote IPsec peer that requires that a Phase 1 re-key precede each Phase 2 re-key.

Strict Port Policy toggles whether or not IKE requires packets to originate from the IANA IKE port (500). Set to Yes, the Router will listen only to port 500 and source its packets from port 500. Set to No, the Router will return traffic to whatever port originated it.

Invalid SPI recovery

Toggling this option to Yes allows the Router to re-establish the tunnel if either the Netopia Router or the peer gateway is rebooted.

If an IPSec packet that does not have a valid SPI is received from the peer address, a new Phase 1 negotiation is initiated to the peer in order to securely transmit an invalid-SPI message. This will cause a renegotiation of new IPSec SAs.

Traffic based Dead Peer Detection

The default is No. Toggling this option to Yes allows IKE to negotiate RFC3706-based IKE “keepalives” with a remote security gateway (IKE peer) that supports them.

If this feature is enabled and negotiated with its peer, keepalive messages are sent when:

the IPSec link has not received anything in DPD Keepalive Idle Time seconds (see below), and

some IPSec traffic is sent, and

one second passes with no IPSec traffic having been received.

If the IKE peer supports the keepalives, the tunnel will reset to allow for reestablishment when the peer does not respond to the keepalive.

This permits the router to maintain its IPSec session without the requirement of constant keep alive traffic. Determination of peer liveliness is only needed during idle periods, since tunneled traffic is itself evidence of liveliness. Once enabled and negotiated, all tunnels established by the IKE phase 1 instance when the peer no longer responds to IKE keepalive messages will be killed.

When you enable this option, the next option, DPD Keepalive Idle Time (seconds), appears.

DPD Keepalive Idle Time (seconds) allows you to specify an interval, from 3 to 65535 seconds, during which IPSec traffic may be idle before the router sends a keepalive message to its peer. The default is 20 seconds.

Changing an IKE Phase 1 Profile

To make changes to an IKE Phase 1 Profile, select IKE Phase 1 Configuration from the WAN Configuration menu, and press Return.

Page 185
Image 185
Motorola Enterprise Series Routers, 6161252-00-01 manual Changing an IKE Phase 1 Profile