About NAT Traversal; Adding an AutoIKE Key VPN Tunnel - D-Link DFL-500 Manual

Network security firewall
About NAT traversal

NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The
DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are
mapped. Mapping both components allows multiple private IP addresses to use a single public IP address.
Because a NAT device modifies the original IP address of an IPSec packet, the packet fails an integrity check.
This failure means that IPSec VPN does not work with NAT devices.
NAT traversal solves this problem by encapsulating the IPSec packet within a UDP packet. Encapsulating the
IPSec packet allows NAT to process the packet without changing the original IPSec packet.
The gateways at both ends of a tunnel must use the same NAT traversal setting. Each end can use a
different keepalive frequency.
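To make the encapsulation concrete, here is an added example (not code from the manual or from D-Link) that classifies the UDP payloads a NAT-T tunnel exchanges: a one-byte keepalive, an IKE message behind the non-ESP marker, or an ESP packet. It assumes the standard RFC 3948 encapsulation on UDP port 4500, which the page does not name, and uses constructed sample payloads rather than captured traffic.

```python
import struct

# Constructed sample UDP port 4500 payloads (not captured traffic). This added example
# assumes the standard RFC 3948 encapsulation; the page itself names neither port nor RFC.
KEEPALIVE = b"\xff"  # one-octet NAT keepalive
IKE_SAMPLE = b"\x00\x00\x00\x00" + struct.pack(  # non-ESP marker + 28-byte IKE header
    "!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, 28)
ESP_SAMPLE = struct.pack("!II", 0xA1B2, 7) + b"\x00" * 32  # SPI, sequence, opaque body


def classify_nat_t_payload(payload: bytes) -> dict:
    """Classify one UDP payload exchanged between the two NAT-T peers.

    RFC 3948 tells the cases apart by the first bytes of the payload:
      - a single 0xFF octet is a NAT keepalive: it only refreshes the NAT
        mapping, which is why each end may send them at its own frequency;
      - four zero bytes (the non-ESP marker) precede an IKE message;
      - anything else is ESP and starts with the SPI, which is never zero,
        so the marker cannot be mistaken for an SPI.
    """
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        raise ValueError("too short for ESP or IKE")
    if payload[:4] == b"\x00\x00\x00\x00":
        ike = payload[4:]
        if len(ike) < 28:
            raise ValueError("truncated IKE header")
        ispi, rspi, _np, ver, exch, _fl, _mid, length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "initiator_spi": ispi, "responder_spi": rspi,
                "major_version": ver >> 4, "exchange_type": exch, "length": length}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}


def summarize(payloads):
    """Tally a stream of payloads by kind and by ESP SPI: on a capture this shows
    whether ESP really travels inside UDP (both ends agreed on NAT traversal) and
    how often each peer sends keepalives."""
    counts = {"keepalive": 0, "ike": 0, "esp": 0}
    per_spi = {}
    for p in payloads:
        info = classify_nat_t_payload(p)
        counts[info["kind"]] += 1
        if info["kind"] == "esp":
            per_spi[info["spi"]] = per_spi.get(info["spi"], 0) + 1
    return counts, per_spi
```

Because the NAT device only rewrites the outer IP and UDP headers, the ESP bytes returned here are still the ones the peer signed, which is the integrity property the paragraph above describes.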

Adding an AutoIKE key VPN tunnel

Add an AutoIKE key tunnel to specify the parameters used to create and maintain a VPN tunnel that has been
started by a remote gateway configuration.
To add an AutoIKE key VPN tunnel:
1. Go to VPN > IPSEC > AutoIKE Key.
2. Select New to add a new AutoIKE key VPN tunnel.
3. Configure the AutoIKE key VPN tunnel:
Tunnel Name
Enter a name for the tunnel. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.

Remote Gateway
Select a STATIC or a DIALUP remote gateway to associate with the VPN tunnel. Select a static remote gateway if you are configuring IPSec redundancy. See IPSec redundancy.
If you select a static gateway, you can select up to three remote gateways. To decrease the number of remote gateways, select the minus sign. To increase the number of remote gateways, select the plus sign.

P2 Proposal
Select up to three encryption and authentication algorithm combinations to propose for phase 2. Two are selected by default. To decrease the number of combinations selected, select the minus sign. To increase the number of combinations selected, select the plus sign. See About the P2 proposal.

Enable replay detection
Select Enable replay detection to prevent IPSec replay attacks during phase 2. See About replay detection.

Enable perfect forward secrecy (PFS)
Select Enable perfect forward secrecy (PFS) to improve the security of phase 2 keys. See About perfect forward secrecy (PFS).

DH Group
Select the Diffie-Hellman group to propose for phase 2 of the IPSec VPN connection. You can select one DH group. Select 1, 2, or 5. See About DH groups.

Keylife
Specify the keylife for phase 2. The keylife causes the phase 2 key to expire after a specified amount of time, after a specified number of kbytes of data have been processed by the VPN tunnel, or both. If you select both, the key does not expire until both the time has passed and the number of kbytes have been processed.
When the key expires, a new key is generated without interrupting service. P2 proposal keylife can be from 120 to 172800 seconds or from 5120 to 99999 kbytes.