ZyXEL Communications SBG3500-N000 User Manual page 260

Wireless n fiber wan small business gateway

Chapter 20 IPSec VPN
The following table describes the labels in this screen.
Table 89 VPN > IPSec VPN > Setup > Edit
LABEL: DESCRIPTION

General

Enable: Select the checkbox to activate this VPN policy.

Connection Name: Enter a name to identify this VPN policy. If you are editing an existing policy, this field is not editable.
Note: The Connection Name of an IPsec rule must be unique and cannot be changed once it has been created.

Nailed-up: Select this if you want the SBG3500-N to automatically renegotiate the IPSec SA when the VPN connection is down.
This feature is only applicable if you set the Application Scenario to Site-to-Site.
When Nailed-up is enabled, you cannot disconnect the specified IPsec VPN tunnel in the VPN > IPSec VPN > Monitor screen.

NAT Traversal (NAT-T): Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers.
The remote IPSec router must also have NAT traversal enabled.
You can use NAT traversal with the ESP protocol in Transport or Tunnel mode, but not with the AH protocol or with manual key management. In order for an IPSec router behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP ports 500 and 4500 to the IPSec router behind the NAT router.
Note: It is suggested to always enable the NAT Traversal (NAT-T) feature if you are not sure if a NAT device is connected to your VPN gateway. Once this feature is enabled, it will automatically detect connected NAT devices for you.

Application Scenario: Select the scenario that best describes your intended VPN connection.
Site-to-Site - Choose this if the remote IPSec router has a static IP address or a domain name. This SBG3500-N can initiate the VPN tunnel.
Site-to-Site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address. Only the remote IPSec router can initiate the VPN tunnel.
Remote Access - Choose this to allow incoming connections from IPSec VPN clients. The clients have dynamic IP addresses and are also known as dial-in users. Only the clients can initiate the VPN tunnel.

My Address: Select an interface from the drop-down list and its IP address will be shown. The IP address of the SBG3500-N is the IP address of the interface.
Note:

Primary Peer Gateway Address: Type a primary gateway address in this field. The primary peer gateway address is applicable (and required) when you choose Site-to-Site in the Application Scenario field. The SBG3500-N primarily attempts to establish the VPN tunnel with this remote address. The peer gateway address can be either an IP address or FQDN.

Secondary Peer Gateway Address: Type a secondary gateway address in this field. The secondary peer gateway IP address is applicable (and optional) if you choose Site-to-Site in the Application Scenario field. The SBG3500-N attempts to establish the VPN tunnel with this remote address if it fails to connect to the primary peer gateway address. The secondary peer gateway address can be either an IP address or FQDN.

Fall Back to Primary Peer Gateway when possible: When this box is checked, the SBG3500-N attempts to re-connect to the primary peer gateway address again when it is back up. The SBG3500-N will use the secondary gateway address when the primary address is down. The VPN connection is briefly lost when the SBG3500-N tries to reconnect using the primary address. Note that the peer devices using the secondary address cannot use a nailed-up VPN connection setting.
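
How an IKE peer can detect a NAT device on the path, as the NAT Traversal (NAT-T) entry describes: an added Python example, not taken from the ZyXEL manual or the SBG3500-N firmware. It follows the RFC 3947 NAT-D hash comparison; that the SBG3500-N uses exactly this mechanism, the use of SHA-1, and all cookies and addresses below are assumptions.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500  # the two UDP ports named in the table


def nat_d_hash(cky_i, cky_r, ip, port):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 stands in for the hash negotiated in phase 1 (assumption)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def build_nat_d(cky_i, cky_r, own, remote):
    """Sender side: first the address it sends to, then its own address."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *own)]


def detect_nat(cky_i, cky_r, peer_nat_d, seen_src, seen_dst):
    """Receiver side: compare the peer's hashes with the packet headers.
    A mismatch means a NAT rewrote that address or port in transit."""
    dst_hash, src_hash = peer_nat_d
    local_nat = dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst)
    peer_nat = src_hash != nat_d_hash(cky_i, cky_r, *seen_src)
    port = NATT_PORT if (local_nat or peer_nat) else IKE_PORT
    return {"local_behind_nat": local_nat, "peer_behind_nat": peer_nat,
            "next_port": port}


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
INITIATOR = ("192.168.1.10", 500)   # private address behind a NAT router
NAT_PUBLIC = ("203.0.113.5", 1024)  # what the NAT router rewrites it to
RESPONDER = ("198.51.100.7", 500)   # public IPSec router

if __name__ == "__main__":
    payloads = build_nat_d(CKY_I, CKY_R, INITIATOR, RESPONDER)
    print("NAT on path:", detect_nat(CKY_I, CKY_R, payloads, NAT_PUBLIC, RESPONDER))
    print("no NAT:     ", detect_nat(CKY_I, CKY_R, payloads, INITIATOR, RESPONDER))
```

AH does not survive such a path because its integrity check covers the outer IP addresses that the NAT router rewrites, which is why the table limits NAT traversal to ESP.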
SBG3500-N000 User's Guide
