Prestige 334 User’s Guide

The following table describes the labels in this screen.

Table 52 VPN IKE: Advanced

LABEL

DESCRIPTION

 

 

Active

Select this check box to activate this VPN policy.

 

 

Keep Alive

Select this check box to turn on the Keep Alive feature for this SA.

 

Turn on Keep Alive to have the Prestige automatically reinitiate the SA after

 

the SA lifetime times out, even if there is no traffic. The remote IPSec router

 

must also have keep alive enabled in order for this feature to work.

NAT Traversal

Select this check box to enable NAT traversal. NAT traversal allows you to set

 

up a VPN connection when there are NAT routers between the two IPSec

 

routers.

 

The remote IPSec router must also have NAT traversal enabled.

 

You can use NAT traversal with ESP protocol using Transport or Tunnel

 

mode, but not with AH protocol nor with manual key management. In order for

 

an IPSec router behind a NAT router to receive an initiating IPSec packet, set

 

the NAT router to forward UDP port 500 to the IPSec router behind the NAT

 

router.

IPSec Keying Mode

The advanced configuration page is only available with the IKE IPSec keying

 

mode.

 

Click the Basic button below in order to be able to choose the Manual IPSec

 

keying mode.

 

Make sure the remote gateway has the same configuration in this field.

 

 

Protocol Number

Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any

 

protocol.

Enable Replay

As a VPN setup is processing intensive, the system is vulnerable to Denial of

Detection

Service (DOS) attacks The IPSec receiver can detect and reject old or

 

duplicate packets to protect against replay attacks. Enable replay detection by

 

setting this field to Yes.

Local Address

The local IP address must be static and correspond to the remote IPSec

 

router's configured remote IP addresses.

 

Two active SAs can have the same local or remote IP address, but not both.

 

You can configure multiple SAs between the same local and remote IP

 

addresses, as long as only one is active at any time.

Local Port Start

0 is the default and signifies any port. Type a port number from 0 to 65535.

 

Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80,

 

HTTP; 25, SMTP; 110, POP3

Local Port End

Enter a port number in this field to define a port range. This port number must

 

be greater than that specified in the previous field (or equal to it for configuring

 

an individual port).

Remote Address Start

Remote IP addresses must be static and correspond to the remote IPSec

 

router's configured local IP addresses. The remote address fields do not apply

 

when the Secure Gateway Address field is configured to 0.0.0.0. In this case

 

only the remote IPSec router can initiate the VPN.

 

Two active SAs cannot have the local and remote IP address(es) both the

 

same. Two active SAs can have the same local or remote IP address, but not

 

both. You can configure multiple SAs between the same local and remote IP

 

addresses, as long as only one is active at any time.

 

Enter a (static) IP address on the network behind the remote IPSec router.

 

 

171

Chapter 15 VPN Screens