How A Tunnel Is Initiated; Tunnel Validity; Dial-Up Environments And Tunnel Validity - Nortel BayStack Instant Internet 100-S Using Manual

Nortel baystack 100-s: user guide
186
Chapter 6 IP security and VPN

How a tunnel is initiated

Neither the Instant Internet unit nor the CES can initiate a branch office
connection manually. A VPN tunnel is brought up only when some activity
generates traffic that must pass through it. Examples of such activity include
using a ping or browsing to a site that is reached through the tunnel. For
instance, a host on one LAN could ping a host on another LAN, where the packet
is expected to travel through a configured VPN tunnel.

Tunnel validity

Currently, the IPsec protocol does not provide a "keep-alive" mechanism as part
of its standard. If one endpoint of a tunnel disconnects without the knowledge of
the other (for example, if the server on one end is rebooted), the remaining "live"
endpoint still attempts to send traffic through the tunnel. In this situation, the
tunnel status may appear to be valid to the live endpoint, but communications are
not possible. However, after the disconnected endpoint (the end that was
rebooted) initiates a new tunnel as warranted by traffic, the tunnel is reestablished
and operates properly.
Instant Internet provides a Ping utility as a "keep-alive" mechanism in order to
circumvent the problems associated with losing one end of a tunnel. For more
information refer to "Using Pings" on page 173.

Dial-up environments and tunnel validity

In a dial-up or equivalent (analog, ISDN, PPPoE) environment, the Internet
connection may not exist at all times, which can cause a problem when a tunnel
becomes invalid. A tunnel connection is completely independent of the dial-up
connection to the Internet: it remains valid, and expires as configured,
regardless of whether or not the dial-up connection is active. Because static
IP addressing is required for a VPN, this is of little consequence by itself;
as soon as the connection is reestablished, the tunnel traffic can continue.
If, however, the dial-up connection is interrupted (inadvertently, or
intentionally due to an idle timeout), and the gateway at one endpoint of the
tunnel informs the other endpoint that the tunnel is to be deleted, this
information cannot reach the remote gateway, which therefore does not know that
the tunnel is no longer valid. After the dial-up connection is re-established,
the remote gateway continues to attempt to use this now invalid tunnel (as
described above for one endpoint disconnecting).
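The three behaviours described in this chapter (a tunnel initiated by traffic, a tunnel that looks valid to the live endpoint after the other endpoint reboots, and a delete notification lost while a dial-up link is down) are modelled below as an added simulation. It is not part of the Nortel manual and is not Instant Internet code; the two-gateway model, the gateway names A and B, the per-tunnel SPI counter and the three-missed-pings threshold are assumptions made for the example.

```python
"""Simulation of the tunnel behaviours described in the manual: a tunnel is
brought up by interesting traffic, one endpoint rebooting leaves a stale
tunnel on the other, a ping keep-alive detects that, and a DELETE sent while
a dial-up link is down never reaches the peer. Constructed example; the
gateway model, names and threshold are assumptions, not Instant Internet code."""

from dataclasses import dataclass, field
import itertools

_spi_counter = itertools.count(1)   # assumed: one unique SPI per negotiated tunnel


@dataclass
class Gateway:
    name: str
    link_up: bool = True                            # dial-up / Internet link state
    tunnels: dict = field(default_factory=dict)     # peer name -> SPI this side holds
    missed: dict = field(default_factory=dict)      # peer name -> consecutive missed pings
    MAX_MISSED = 3                                  # assumed keep-alive threshold

    def _peer_reachable(self, peer):
        return self.link_up and peer.link_up

    def negotiate(self, peer):
        """Set up a fresh tunnel; both sides learn the same SPI."""
        spi = next(_spi_counter)
        self.tunnels[peer.name] = spi
        peer.tunnels[self.name] = spi
        self.missed[peer.name] = peer.missed[self.name] = 0

    def send_traffic(self, peer):
        """Interesting traffic initiates the tunnel if none exists; otherwise it
        uses the existing one, which only works if the peer holds the same SA."""
        if not self._peer_reachable(peer):
            return "no_link"
        if peer.name not in self.tunnels:
            self.negotiate(peer)
            return "tunnel_initiated"
        if peer.tunnels.get(self.name) == self.tunnels[peer.name]:
            return "delivered"
        return "blackholed"     # looks valid here, but the peer has no matching SA

    def reboot(self):
        """Lose all tunnel state without telling the peer."""
        self.tunnels.clear()
        self.missed.clear()

    def delete_tunnel(self, peer):
        """Tear the tunnel down locally and notify the peer; the notification
        is an ordinary packet and is lost if the link is down."""
        self.tunnels.pop(peer.name, None)
        self.missed.pop(peer.name, None)
        if self._peer_reachable(peer):
            peer.tunnels.pop(self.name, None)
            return "peer_notified"
        return "notification_lost"

    def keepalive_ping(self, peer):
        """Ping through the tunnel. After MAX_MISSED consecutive failures the
        stale SA is dropped so the next interesting packet re-initiates it."""
        if peer.name not in self.tunnels:
            return "no_tunnel"
        if not self.link_up:
            return "link_down"      # tunnel stays valid while our own link is down
        if self.send_traffic(peer) == "delivered":
            self.missed[peer.name] = 0
            return "reply"
        self.missed[peer.name] = self.missed.get(peer.name, 0) + 1
        if self.missed[peer.name] >= self.MAX_MISSED:
            del self.tunnels[peer.name]
            return "tunnel_dropped"
        return "no_reply"


def scenario_reboot():
    """One endpoint reboots; the other sends into a dead tunnel until traffic
    from the rebooted side brings a new tunnel up."""
    a, b = Gateway("A"), Gateway("B")
    log = [a.send_traffic(b), a.send_traffic(b)]   # tunnel_initiated, delivered
    b.reboot()
    log.append(a.send_traffic(b))                  # blackholed: A still thinks it is valid
    log.append(b.send_traffic(a))                  # tunnel_initiated: B re-negotiates
    log.append(a.send_traffic(b))                  # delivered
    return log


def scenario_keepalive():
    """The ping keep-alive on the live side notices the dead tunnel and drops
    it, so A's own traffic can re-initiate instead of being blackholed."""
    a, b = Gateway("A"), Gateway("B")
    a.send_traffic(b)
    b.reboot()
    log = [a.keepalive_ping(b) for _ in range(Gateway.MAX_MISSED)]
    log.append(a.send_traffic(b))                  # tunnel_initiated
    return log


def scenario_dialup():
    """A dial-up drop does not invalidate the tunnel, but a DELETE sent while
    the link is down is lost and leaves the peer with a stale tunnel."""
    a, b = Gateway("A"), Gateway("B")
    a.send_traffic(b)
    a.link_up = False                              # idle timeout drops A's link
    log = [a.send_traffic(b)]                      # no_link
    a.link_up = True
    log.append(a.send_traffic(b))                  # delivered: tunnel survived the outage
    a.link_up = False
    log.append(a.delete_tunnel(b))                 # notification_lost
    a.link_up = True
    log.append(b.send_traffic(a))                  # blackholed: B still believes it is valid
    log.append(a.send_traffic(b))                  # tunnel_initiated: A brings up a new one
    log.append(b.send_traffic(a))                  # delivered
    return log
```

Each scenario returns the sequence of outcomes so the stale-tunnel window is visible: in the reboot and dial-up cases, the endpoint that kept its state reports "blackholed" until the other side, or its own keep-alive, replaces the tunnel. On newer IKE implementations, Dead Peer Detection (RFC 3706) and IKEv2 liveness checks fill the same role as the manual's ping keep-alive.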
