Prestige 662H/HW Series User’s Guide
LABEL | DESCRIPTION
IPSec Setup |
Active | Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive | Select either Yes or No from the
| Select Yes to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled for this feature to work.
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled.
| You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol nor with manual key management (AH's integrity check covers the IP header fields that a NAT router rewrites, so AH packets cannot survive address translation). In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.
Name | Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces.
IPSec Key Mode | Select IKE or Manual from the
| so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.
Negotiation Mode | Select Main or Aggressive from the
| through a secure gateway must have the same negotiation mode. Aggressive mode uses fewer messages but sends the peer identities (and, with pre-shared keys, a hash derived from the key) before the exchange is encrypted, so prefer Main mode wherever both peers support it.
Encapsulation Mode | Select Tunnel mode or Transport mode from the
DNS Server (for IPSec VPN) | If there is a private DNS server that services the VPN, type its IP address here. The Prestige assigns this additional DNS server to the Prestige's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
| Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
| In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
| If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Local Address Type | Use the
| a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start | When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige. When the Local Address Type field is configured to Range, enter the beginning (static) IP address of a range of computers on your LAN behind your Prestige. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your Prestige.
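The Local, Local Address Type and IP Address Start rows above state two constraints that are easy to violate once a Prestige carries several policies: two active SAs may share a local address or a remote address but not both, and active rules with Secure Gateway Address 0.0.0.0 must have non-overlapping local ranges (a rule covering the whole LAN therefore excludes every other active 0.0.0.0 rule). The following Python is an added example written for this guide, not ZyXEL firmware or a Prestige export format: it expands Single/Range/Subnet into an address span and checks a constructed rule set against both constraints before you commit the rules on the screen. The VpnRule field names and all sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


# Hypothetical in-memory model of the VPN screen's fields (assumption for this
# example; the Prestige has no documented schema with these names).
@dataclass(frozen=True)
class VpnRule:
    name: str
    active: bool
    secure_gateway: str       # Secure Gateway Address; "0.0.0.0" = accept any initiating peer
    local_type: str           # Local Address Type: "Single", "Range" or "Subnet"
    local_start: str          # IP Address Start
    local_end_or_mask: str    # end address for Range, subnet mask for Subnet, "" for Single
    remote_start: str         # remote side, modelled as a start/end pair
    remote_end: str


def local_range(rule):
    """Expand Local Address Type + IP Address Start into (first, last) IPv4Address."""
    start = ipaddress.IPv4Address(rule.local_start)
    if rule.local_type == "Single":
        return start, start
    if rule.local_type == "Range":
        end = ipaddress.IPv4Address(rule.local_end_or_mask)
        if end < start:
            raise ValueError(f"{rule.name}: range end {end} precedes start {start}")
        return start, end
    if rule.local_type == "Subnet":
        # strict=False: IP Address Start may be any host address inside the subnet.
        net = ipaddress.IPv4Network((rule.local_start, rule.local_end_or_mask), strict=False)
        return net.network_address, net.broadcast_address
    raise ValueError(f"{rule.name}: unknown Local Address Type {rule.local_type!r}")


def remote_range(rule):
    return ipaddress.IPv4Address(rule.remote_start), ipaddress.IPv4Address(rule.remote_end)


def _overlaps(a, b):
    """True when the closed address spans a and b share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_rules(rules):
    """Return (rule_a, rule_b, reason) for every pair of active rules that breaks
    one of the constraints on the Local row.  Inactive rules never conflict, so
    several rules between the same endpoints may coexist if only one is active."""
    problems = []
    active = [r for r in rules if r.active]
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            # Same local AND same remote addresses on two active SAs is not allowed.
            if local_range(a) == local_range(b) and remote_range(a) == remote_range(b):
                problems.append((a.name, b.name, "same local and remote addresses"))
            # Rules that accept any gateway must have disjoint local ranges; a rule
            # spanning the whole LAN overlaps every other 0.0.0.0 rule by construction.
            if a.secure_gateway == "0.0.0.0" == b.secure_gateway and _overlaps(local_range(a), local_range(b)):
                problems.append((a.name, b.name, "overlapping local range with Secure Gateway 0.0.0.0"))
    return problems


# Constructed sample rules for this example (documentation address ranges).
SAMPLE_RULES = [
    VpnRule("branch-a", True, "203.0.113.10", "Subnet", "192.168.1.0", "255.255.255.0", "10.1.0.0", "10.1.0.255"),
    VpnRule("branch-b", True, "203.0.113.10", "Subnet", "192.168.1.0", "255.255.255.0", "10.1.0.0", "10.1.0.255"),
    VpnRule("branch-b-standby", False, "203.0.113.10", "Subnet", "192.168.1.0", "255.255.255.0", "10.1.0.0", "10.1.0.255"),
    VpnRule("dialin-1", True, "0.0.0.0", "Range", "192.168.1.10", "192.168.1.20", "0.0.0.0", "0.0.0.0"),
    VpnRule("dialin-2", True, "0.0.0.0", "Single", "192.168.1.15", "", "0.0.0.0", "0.0.0.0"),
    VpnRule("dialin-3", True, "0.0.0.0", "Range", "192.168.1.100", "192.168.1.110", "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    for rule_a, rule_b, reason in check_rules(SAMPLE_RULES):
        print(f"{rule_a} vs {rule_b}: {reason}")
```

Run against the sample set, the check flags branch-a/branch-b (same local subnet and same remote range, both active; branch-b-standby is ignored because it is inactive) and dialin-1/dialin-2 (192.168.1.15 falls inside 192.168.1.10-192.168.1.20 while both rules accept any gateway). Adding an active 0.0.0.0 rule whose local side is the full 192.168.1.0/24 subnet produces an overlap with every other dial-in rule, which is the page's last Local constraint expressed as a special case of the overlap rule.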
Chapter 19 VPN Screens | 228 |