Netopia 4000-Series manual Enhanced Dead Peer Detection

5-12 Firmware User Guide

Advanced IPsec Options

This screen allows you to specify the lifetime associated with each IPsec Security Association (SA) and control when the SA will expire and become invalid.

■SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 28,800 seconds (1 hour). The value zero specifies the absence of an elapsed time lifetime.

■SA Lifetime (Kilobytes) specifies the maximum number of kilobytes of data that may be secured (encrypted/decrypted or authenticated) using the SA before it expires and becomes invalid. The range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default value is 0 Kilobytes. The value zero specifies the absence of a secured data lifetime.

Note: It is invalid to set both lifetime values to zero! This condition is not enforced by the console (in order to avoid order dependencies when configuring the items), but rather is enforced at runtime and will cause the IPsec profile to assume the defaults.

■Perfect Forward Secrecy toggles whether or not Perfect Forward Secrecy will be used. Enabling Perfect Forward Secrecy (the default) causes IKE to perform a new Diffie-Hellman exchange with each Phase 2 re-key. Because the additional Diffie-Hellman exchanges required for Perfect Forward Secrecy introduce additional overhead, it may be good to disable Perfect Forward Secrecy when security does not require it.

■Dead Peer Detection toggles whether or not the router will detect a remote peer being offline.

Enhanced Dead Peer Detection

Netopia Firmware Version 5.4 adds a new Dead Peer Detection mechanism.

In previous firmware versions, when Dead Peer Detection was enabled, a counter would begin in the router when any traffic was sent through the tunnel. Determination of a dead peer could take up to eight minutes.