
Chapter 8 Security
Table 60 IPSec VPN: Add (continued)
| LABEL | DESCRIPTION |
| --- | --- |
| SA Life Time | Type the maximum number of seconds the IKE SA can last. When this time has passed, the WiMAX Device and remote IPSec router have to update the encryption and authentication keys and affect any existing IPSec SAs, however. |
| Dead Peer Detection (DPD) | Select this check box if you want the WiMAX Device to make sure the remote IPSec router is there before it transmits data through the IKE SA. The remote IPSec router must support DPD. If the remote IPSec router does not respond, the WiMAX Device shuts down the IKE SA. If the remote IPSec router does not support DPD, see if you can use the VPN connection connectivity check. |
| DPD Interval | Specify the time interval for the WiMAX Device to send a DPD message to the remote IPSec router. |
| DPD Idle Try | Specify the maximum number of times the WiMAX Device sends the DPD message. |
| Local Network | Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. In order to have more than one active rule with the Remote Endpoint field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules. If you configure an active rule with 0.0.0.0 in the Remote Endpoint field and the LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Remote Endpoint field set to 0.0.0.0. |
| Address Type | Select Single address or Subnet address to specify if the VPN connection begins at an IP address or subnet. |
| Start IP Address | If Single address is selected, enter a (static) IP address on the LAN behind your WiMAX Device. If Subnet address is selected, specify IP addresses on a network by their subnet mask by entering a (static) IP address on the LAN behind your WiMAX Device. Then enter the subnet mask to identify the network address. |
| Subnet Mask | If Subnet address is selected, enter the subnet mask to identify the network address. |
| Local Port | Select how the WiMAX Device checks the connection. The peer must be configured to respond to the method you select. Select icmp to have the WiMAX Device regularly ping the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to respond to pings. Select tcp or udp to have the WiMAX Device regularly perform a TCP or UDP handshake with the address you specify to make sure traffic can still go through the connection. You may need to configure the peer to accept the TCP or UDP connection. If you select tcp or udp, specify the port number to use for the connectivity check. |
| Remote Network | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Remote Endpoint field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot both have the same local and remote IP address(es). Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. |
WiMAX Device Configuration User’s Guide