Prestige 334 User’s Guide
The following table describes the labels in this screen.
Table 52 VPN IKE: Advanced

LABEL | DESCRIPTION
Active | Select this check box to activate this VPN policy.
Keep Alive | Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
NAT Traversal | Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol nor with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the IPSec router behind the NAT router.
IPSec Keying Mode | The advanced configuration page is only available with the IKE IPSec keying mode. Click the Basic button below in order to be able to choose the Manual IPSec keying mode. Make sure the remote gateway has the same configuration in this field.
Protocol Number | Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Enable Replay Detection | As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Enable replay detection by setting this field to Yes.
Local Address | The local IP address must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Local Port Start | 0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21, FTP; 53, DNS; 23, Telnet; 80, HTTP; 25, SMTP; 110, POP3.
Local Port End | Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port).
Remote Address Start | Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote address fields do not apply when the Secure Gateway Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time. Enter a (static) IP address on the network behind the remote IPSec router.
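As an added example (not the Prestige 334's own code or configuration), the following Python checker applies the constraints this table states to a set of policy entries before they are committed: NAT traversal only with IKE keying and ESP, port and protocol-number ranges, the Secure Gateway 0.0.0.0 caveat, and the rule that two active SAs may share a local or a remote address but not both. The VpnPolicy field names are assumptions mirroring the screen labels, and the sample addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class VpnPolicy:
    """One VPN IKE policy entry; field names are assumed, mirroring the screen labels."""
    name: str
    active: bool
    keying_mode: str           # "IKE" or "Manual"
    protocol: str              # "ESP" or "AH"
    nat_traversal: bool
    secure_gateway: str        # remote IPSec router; "0.0.0.0" = remote side initiates only
    local_address: str
    remote_address: str
    protocol_number: int = 0   # 0 = any protocol, 1 = ICMP, 6 = TCP, 17 = UDP
    local_port_start: int = 0  # 0 = any port
    local_port_end: int = 0    # equal to the start port for a single port

def check_policy(p: VpnPolicy) -> list[str]:
    """Return constraint violations and warnings for one policy (empty list if it is fine)."""
    issues = []
    # NAT traversal works with ESP under IKE keying only: not with AH, not with manual keys.
    if p.nat_traversal and (p.keying_mode != "IKE" or p.protocol != "ESP"):
        issues.append("NAT traversal requires the IKE keying mode and the ESP protocol")
    if not 0 <= p.protocol_number <= 255:
        issues.append("Protocol Number must be 0 (any) to 255")
    if not (0 <= p.local_port_start <= 65535 and 0 <= p.local_port_end <= 65535):
        issues.append("Local Port Start/End must be 0 (any) to 65535")
    elif p.local_port_end < p.local_port_start:
        issues.append("Local Port End must be greater than or equal to Local Port Start")
    # With a 0.0.0.0 secure gateway the remote address fields do not apply.
    if p.secure_gateway == "0.0.0.0" and p.remote_address:
        issues.append("warning: remote address is ignored with Secure Gateway 0.0.0.0; "
                      "only the remote IPSec router can initiate this VPN")
    return issues

def check_active_pairs(policies: list[VpnPolicy]) -> list[str]:
    """Two active SAs may share a local OR a remote address, but not both."""
    seen: dict[tuple[str, str], str] = {}
    issues = []
    for p in policies:
        if not p.active:
            continue  # duplicates are allowed as long as only one of them is active
        key = (p.local_address, p.remote_address)
        if key in seen:
            issues.append(f"{p.name} and {seen[key]} are both active with the same "
                          f"local and remote addresses {key}")
        seen.setdefault(key, p.name)
    return issues
```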
171 | Chapter 15 VPN Screens