Siemens SINAUT MD741-1 System Manual page 74

SIMATIC NET EGPRS/GPRS router

VPN connection
Note:
When the authentication method Pre-Shared Key is used, Aggressive mode must
be set in Roadwarrior mode.
ISAKMP-SA lifetime, IPsec-SA lifetime
The keys for an IPsec connection are renewed at certain intervals in order to
increase the effort required to attack an IPsec connection.
Specify the lifetime (in seconds) of the keys agreed on for the ISAKMP-SA and
IPsec-SA.
The lifetime can be defined differently for ISAKMP-SA and IPsec-SA.
NAT-T
There may be a NAT router between the SINAUT MD741-1 and the VPN gateway
of the remote network. Not all NAT routers allow IPsec data packets to go through.
It may therefore be necessary to encapsulate the IPsec data packets in UDP
packets so that they can go through the NAT router.
On:
If the SINAUT MD741-1 detects a NAT router that does not let the IPsec data
packets through, then UDP encapsulation is started automatically.
Force:
During negotiation of the connection parameters for the VPN connection,
encapsulated transmission of the data packets during the connection is insisted
upon.
Off:
The NAT-T function is switched off.
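
The three NAT-T settings above, as an added example that is not part of the Siemens manual. The manual does not say how the SINAUT MD741-1 detects a NAT router; the sketch assumes the standard IKEv1 mechanism from RFC 3947 (NAT-D hash payloads compared on both sides), and all function names, cookies and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def nat_detected(cky_i, cky_r, local, remote, rx_dst_hash, rx_src_hash):
    """Compare the peer's NAT-D hashes with the addresses seen on the wire.

    local/remote are (ip, port) as observed by this host. The peer's
    destination hash must match our own address, its source hash must match
    the address the packet arrived from. A mismatch means a NAT rewrote it.
    """
    local_ok = rx_dst_hash == nat_d_hash(cky_i, cky_r, *local)
    remote_ok = rx_src_hash == nat_d_hash(cky_i, cky_r, *remote)
    return not (local_ok and remote_ok)

def use_udp_encapsulation(mode, nat_seen):
    """Map the manual's NAT-T settings (On / Force / Off) to a decision."""
    mode = mode.lower()
    if mode == "off":
        return False          # never encapsulate, even behind a NAT
    if mode == "force":
        return True           # insist on encapsulation regardless of detection
    if mode == "on":
        return nat_seen       # encapsulate only when a NAT was detected
    raise ValueError(f"unknown NAT-T mode: {mode!r}")

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
ROUTER_PRIVATE = ("10.64.1.20", 500)     # address the router believes it has
ROUTER_PUBLIC = ("198.51.100.7", 31022)  # address the gateway sees after NAT
GATEWAY = ("203.0.113.10", 500)

def gateway_view(observed_src):
    """Gateway-side check of the NAT-D hashes the router would have sent."""
    dst_hash = nat_d_hash(CKY_I, CKY_R, *GATEWAY)
    src_hash = nat_d_hash(CKY_I, CKY_R, *ROUTER_PRIVATE)
    return nat_detected(CKY_I, CKY_R, GATEWAY, observed_src, dst_hash, src_hash)

if __name__ == "__main__":
    for mode in ("On", "Force", "Off"):
        print(mode, use_udp_encapsulation(mode, gateway_view(ROUTER_PUBLIC)))
```
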
Enable dead peer detection
If the remote station supports the dead peer detection (DPD) protocol, then the
partner in question can detect whether the IPsec connection is still valid or
whether it may have to be re-established. Without DPD, depending on the
configuration, it may be necessary to wait until the SA lifetime elapses, or the
connection has to be re-initiated manually. To check whether the IPsec connection
is still valid, dead peer detection itself sends DPD requests to the remote
station. If there is no answer, then after the permitted number of failed attempts
the IPsec connection is considered to be interrupted.
Yes
SINAUT MD741-1
C79000-G8976-C212
