D-Link NetDefendOS User Manual page 703

Network security firewall
With IPsec tunnels, the administrator usually sets up IP rules that allow unencrypted traffic to
flow into the tunnel (the tunnel being treated as a NetDefendOS interface). However, it is
normally not necessary to set up IP rules that explicitly allow the packets that implement IPsec
itself.
IKE and ESP packets are, by default, dealt with by the NetDefendOS's internal IPsec engine and the
IP rule set is not consulted.
This behavior can be changed in the IPsec advanced settings section with the IPsec Before
Rules setting. An example of why this might be done is if there are a high number of IPsec tunnel
connection attempts coming from a particular IP address or group of addresses. This can
degrade the performance of the NetDefendOS IPsec engine and explicitly dropping such traffic
with an IP rule is an efficient way of preventing it reaching the engine. In other words, IP rules
can be used for complete control over all traffic related to the tunnel.
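The dispatch logic described above, as an added illustration (not D-Link's code): IKE/ESP packets go straight to the IPsec engine while IPsec Before Rules is enabled, and only when it is disabled can an IP rule drop a flooding source before it reaches the engine. Packet fields, the rule format, the default-drop behaviour of the rule set, and the address ranges are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IKE_PORTS = {500, 4500}   # IKE and IKE NAT-T run over UDP; ESP is IP protocol 50


@dataclass
class Packet:
    src: str
    proto: str        # "udp", "tcp" or "esp"
    dport: int = 0


@dataclass
class IPRule:
    action: str       # "Allow" or "Drop"
    src_net: str
    service: str      # "ipsec-suite" (IKE + ESP) or "any"


def is_ipsec_control(pkt: Packet) -> bool:
    """IKE (UDP/500), NAT-T (UDP/4500) and ESP are the packets that implement IPsec itself."""
    return pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport in IKE_PORTS)


def first_matching_action(pkt: Packet, rules: list[IPRule]) -> str:
    """First-match evaluation; unmatched traffic is assumed to hit an implicit drop."""
    for rule in rules:
        if ip_address(pkt.src) not in ip_network(rule.src_net):
            continue
        if rule.service == "any" or (rule.service == "ipsec-suite" and is_ipsec_control(pkt)):
            return rule.action
    return "Drop"


def dispatch(pkt: Packet, rules: list[IPRule], ipsec_before_rules: bool = True) -> str:
    """Return where the packet ends up: 'ipsec-engine', 'ip-rules' or 'dropped'."""
    if not is_ipsec_control(pkt):
        return "ip-rules"              # ordinary traffic is always matched against the rule set
    if ipsec_before_rules:
        return "ipsec-engine"          # default: the IP rule set is never consulted
    if first_matching_action(pkt, rules) == "Drop":
        return "dropped"               # an IP rule stops the flood before the engine sees it
    return "ipsec-engine"


# Constructed rule set: drop IPsec negotiation attempts from a noisy range, allow the rest.
FLOOD_RULES = [
    IPRule("Drop", "203.0.113.0/24", "ipsec-suite"),   # placeholder flooding source range
    IPRule("Allow", "0.0.0.0/0", "ipsec-suite"),
]
```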
Auto Establish
By default, LAN-to-LAN IPsec tunnels are established only at the time that traffic tries to flow
through them. By enabling the IPsec tunnel property Auto Establish, LAN-to-LAN tunnels are
established without any traffic flowing. This is useful in the following situations:
• With LAN-to-LAN tunnels only (IKEv1 or IKEv2). It cannot be used with roaming clients.
• With route failover, a tunnel for the alternate route is always established.
• After a reconfigure operation is performed on NetDefendOS, the tunnels are immediately
reestablished without waiting for any traffic to flow.
Assuming two IPsec tunnel endpoints A and B, it is recommended that Auto Establish is enabled
on B only when both of the following criteria are true:
• A cannot initiate an IKE negotiation to B. The reasons why it cannot be the initiator might be
any of the following:
  - B is behind a NATing device.
  - A is using DNS to get the IP address of B.
  - B receives its IP address via DHCP.
• The administrator decides that A must be able to initiate UDP/TCP connections through the
tunnel without B having sent any packets. For example, there might be a server located
behind B which clients located behind A need to reach.
Monitoring Tunnel Health
The following methods are available with both IKEv1 and IKEv2 for monitoring IPsec tunnel
health and re-establishing the tunnel if a problem is detected:
Dead Peer Detection
Dead Peer Detection (DPD) is used to monitor IPsec tunnel health. It can optionally be enabled
for a tunnel and it is recommended to always have it enabled (the default) unless the external
IPsec peer does not support it. With roaming IPsec clients, DPD is the only option for
monitoring tunnel health.
DPD monitors the aliveness of the tunnel by looking for traffic coming from the external peer
at the other end of the tunnel. If no message is seen within a specified length of time
Chapter 9: VPN