Prestige 334 User’s Guide
15.6 Keep Alive
When you initiate an IPSec tunnel with keep alive enabled, the Prestige automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see the IPSec Algorithms section for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it. Both IPSec routers must have a
If the Prestige has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Prestige because the Prestige never drops the tunnels that are already connected.
Note: When there is outbound traffic with no inbound traffic, the Prestige automatically drops the tunnel after two minutes.
15.7 NAT Traversal
NAT traversal allows you to set up a VPN connection when there are NAT routers between IPSec routers A and B.
Figure 61 NAT Router Between IPSec Routers
Normally you cannot set up a VPN connection with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. In the previous figure, IPSec router A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet’s header so it does not match the header for which IPSec router B is checking. Therefore, IPSec router B does not respond and the VPN connection cannot be built.
NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. IPSec router B checks the UDP port 500 header and responds. IPSec routers A and B build a VPN connection.
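The following toy model, added here as an illustration and not taken from the Prestige firmware or the guide, shows the two situations described above: a NAT router rewrites the outer header of a plain ESP packet, so router B's peer check fails, whereas a UDP-encapsulated packet has its outer UDP header translated but the ESP inside it forwarded unchanged, and router B identifies the SA by the SPI it carries. All addresses, the SPI, the translated port and the packet layout are constructed for the example; the UDP port number is the one the guide names.

```python
"""Toy model of why a NAT router breaks a plain ESP exchange and how UDP
encapsulation (NAT traversal) avoids it. Constructed example, not vendor code."""
import struct

# Constructed addresses matching the figure "NAT Router Between IPSec Routers".
A_PRIVATE = "192.168.1.2"    # IPSec router A, behind the NAT router
NAT_PUBLIC = "203.0.113.1"   # NAT router's public address
B_PUBLIC = "198.51.100.7"    # IPSec router B
NAT_T_PORT = 500             # UDP port the guide says the NAT-T header uses
ESP_PROTO = 50               # ESP as an IP protocol number (no ports)
UDP_PROTO = 17


def build_esp(spi, seq, payload):
    """ESP header: 32-bit SPI, 32-bit sequence number, then the protected payload."""
    return struct.pack("!II", spi, seq) + payload


def plain_ipsec_packet(src, dst, esp):
    """Outer IP header carrying ESP directly; nothing for a NAT to map ports on."""
    return {"src": src, "dst": dst, "proto": ESP_PROTO, "body": esp}


def nat_t_packet(src, dst, esp):
    """NAT traversal: the ESP packet is wrapped in a UDP header."""
    return {"src": src, "dst": dst, "proto": UDP_PROTO,
            "sport": NAT_T_PORT, "dport": NAT_T_PORT, "body": esp}


def nat_router(pkt):
    """Source NAT: rewrites the outer source address (and a UDP source port).
    The UDP payload, i.e. the encapsulated ESP packet, is forwarded unchanged."""
    out = dict(pkt)
    out["src"] = NAT_PUBLIC
    if pkt["proto"] == UDP_PROTO:
        out["sport"] = 40000   # constructed translated port
    return out


class RouterB:
    """Responder. Without NAT-T it matches the outer header against the
    configured peer; with NAT-T it looks up the SA by the SPI in the payload."""

    def __init__(self, expected_peer, known_spi):
        self.expected_peer = expected_peer
        self.known_spi = known_spi

    def accept_plain(self, pkt):
        # The header the NAT rewrote no longer matches the configured peer.
        return pkt["proto"] == ESP_PROTO and pkt["src"] == self.expected_peer

    def accept_nat_t(self, pkt):
        # Only the UDP header was translated; the ESP SPI inside is intact.
        if pkt["proto"] != UDP_PROTO or pkt["dport"] != NAT_T_PORT:
            return False
        spi, _seq = struct.unpack("!II", pkt["body"][:8])
        return spi == self.known_spi


def demonstrate():
    """Send one ESP packet from A to B through the NAT, with and without NAT-T."""
    esp = build_esp(spi=0x1234ABCD, seq=1, payload=b"encrypted-data")
    router_b = RouterB(expected_peer=A_PRIVATE, known_spi=0x1234ABCD)
    plain = nat_router(plain_ipsec_packet(A_PRIVATE, B_PUBLIC, esp))
    natt = nat_router(nat_t_packet(A_PRIVATE, B_PUBLIC, esp))
    return {
        "plain_accepted": router_b.accept_plain(plain),   # False: header changed
        "nat_t_accepted": router_b.accept_nat_t(natt),    # True: SPI still matches
        "esp_unchanged": natt["body"] == esp,             # True: payload untouched
    }


if __name__ == "__main__":
    print(demonstrate())
```

Running the block prints that the plain ESP packet is rejected while the UDP-encapsulated one is accepted. The model only mirrors the guide's explanation; it does not implement IKE, encryption or the keep-alive behaviour from the previous section.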
15.7.1 NAT Traversal Configuration
For NAT traversal to work you must:
• Use the ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
Chapter 15 VPN Screens | 160 |