Netopia 3300-ENT manual Enhanced Dead Peer Detection

Models: 3300-ENT


5-12 Firmware User Guide

Maximum Packet Size permits you to modify the MTU setting for the tunnel. Some ISPs require a specific setting, for example 1492. The default of 1500 is the most common, and you usually do not need to change it unless instructed otherwise. Accepted values are from 100 to 1500.

This is the starting value used for the MTU when the IPsec tunnel is installed. It specifies the maximum IP packet length for the encapsulated AH or ESP packets sent by the router. The MTU used on the IPsec connection is adjusted automatically based on the MTU value carried in any received ICMP “can't fragment” error messages that correspond to IPsec traffic initiated from the router. Normally the MTU only requires manual configuration if those ICMP error messages are blocked or otherwise not received by the router.

Enhanced Dead Peer Detection

Netopia Firmware Version 8.4 adds a new Dead Peer Detection mechanism.

In previous firmware versions, when Dead Peer Detection was enabled, a counter would begin in the router when any traffic was sent through the tunnel. Determination of a dead peer could take up to eight minutes.

With the new mechanism, an IPsec IP net interface sends ICMP ping requests to a specific IP address on a Remote Member network. The ping is periodic, and the reply is expected within a certain amount of time. If the ICMP reply does not arrive within that time, the peer is considered dead: the current phase 2 SAs are torn down, and the IKE SA starts a new phase 1 negotiation, followed by the normal phase 2 negotiation.

When you toggle Dead Peer Detection to Yes (on), new options appear.

Advanced IPsec Options

SA Lifetime seconds: 28800
SA Lifetime Kbytes: 0
Perfect Forward Secrecy: Yes
Dead Peer Detection: Yes
Ping host: 1.1.1.1
Ping retry interval: 5
Ping reply timeout: 90

Ping host specifies the IP address of the host to ping, from which replies are expected.

This field is only available if you have previously configured, and committed, remote network IP data in the Add Network Configuration screen under Advanced IP Profile Options. See “Add Network Configuration” on page 5-14.

The Ping retry interval and Ping reply timeout options also appear.
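The timer behaviour described above can be modelled to see when a peer is declared dead with the screen's values (retry interval 5, reply timeout 90). This is an added illustration, not Netopia firmware code; the function name `run_dpd` and the reply timeline it is fed are constructed for the example.

```python
from typing import Iterable, List, Optional, Tuple


def run_dpd(reply_times: Iterable[float], retry_interval: int = 5,
            reply_timeout: int = 90, horizon: int = 300) -> Tuple[Optional[int], List[str]]:
    """Simulate Enhanced Dead Peer Detection on one IPsec interface.

    reply_times: seconds at which ICMP echo replies from the ping host arrive
    (a constructed timeline, not captured traffic). Echo requests go out at
    t = 0, retry_interval, 2*retry_interval, ... up to `horizon`. The peer is
    declared dead when a request is due and the newest reply is older than
    reply_timeout seconds. Returns (time declared dead or None, action log).
    Hypothetical model, not the router's implementation.
    """
    if retry_interval <= 0 or reply_timeout <= 0:
        raise ValueError("retry interval and reply timeout must be positive")
    pending = sorted(reply_times)
    last_reply = 0.0  # tunnel just installed: start from a healthy state
    log: List[str] = []
    t = 0
    while t <= horizon:
        # account for every reply that arrived before this request is due
        while pending and pending[0] <= t:
            last_reply = pending.pop(0)
        silent_for = t - last_reply
        if silent_for >= reply_timeout:
            log.append(f"t={t}: no reply for {silent_for:.0f}s, peer considered dead")
            log.append(f"t={t}: tear down current phase 2 SAs")
            log.append(f"t={t}: IKE SA starts new phase 1, then phase 2")
            return t, log
        log.append(f"t={t}: send ICMP echo request to ping host")
        t += retry_interval
    return None, log


if __name__ == "__main__":
    # Constructed scenario: replies for the first 21 seconds, then the remote
    # member network goes silent. With 5s/90s the peer is declared dead at
    # t=115, well inside the "up to eight minutes" of the older mechanism.
    dead_at, actions = run_dpd([1, 6, 11, 16, 21])
    print(f"peer declared dead at t={dead_at}")
    for line in actions[-3:]:
        print(line)
```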
