Ipsec Tunnel Monitoring - D-Link NetDefendOS User Manual

Network security firewall
9.4.8. IPsec Tunnel Monitoring

Overview
An IPsec Tunnel object has some additional properties which, together, provide a feature called
tunnel monitoring. This is used for checking the health of a tunnel and re-establishing it should a
problem be detected. When tunnel monitoring is enabled, the following happens:

• A single external IPv4 address is specified when setting up the monitor and ICMP ping messages
are then sent once per second through the IPsec tunnel to this IP address. This happens
during the entire time the tunnel is established.

• The source IP of these ICMP messages will be the value set for the Originator IP property of
the tunnel.

• If a specified number of replies to consecutive ICMP ping messages are not received back, the
tunnel is assumed to be no longer operational and a new IPsec tunnel connection will be
automatically negotiated.

The tunnel monitor feature has similarities to the host monitoring described in Section 4.2.3,
"Route Failover" and shares the same underlying mechanism.
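The following is an added example, not NetDefendOS code, that replays the monitor logic just described against recorded per-second probe results: only a run of consecutive missed replies trips the renegotiation, and a single reply resets the counter. The monitor host 192.168.10.20, the Originator IP 10.0.0.1, the default threshold of 3 misses, the two probe traces and the Linux ping flags in probe_once are all assumptions for illustration.

```python
"""
Simulation of the tunnel-monitor logic described in the manual:
one probe per second through the tunnel, a counter of *consecutive*
missed replies, and a forced IPsec renegotiation once the counter
reaches the configured limit.  Added example; not NetDefendOS code.
"""
from dataclasses import dataclass, field
from typing import Iterable, List
import subprocess


@dataclass
class TunnelMonitor:
    monitor_ip: str                  # host inside the remote network that answers ping
    originator_ip: str               # source IP of the probes (the tunnel's Originator IP)
    max_consecutive_misses: int = 3  # assumed threshold; the real value is configurable
    consecutive_misses: int = 0
    renegotiations: int = 0
    events: List[str] = field(default_factory=list)

    def observe(self, tick: int, reply_received: bool) -> bool:
        """Feed one probe result (one per second). Returns True when a
        renegotiation is triggered at this tick."""
        if reply_received:
            # Any reply ends the run: only *consecutive* misses count.
            if self.consecutive_misses:
                self.events.append(
                    f"t={tick}s: reply from {self.monitor_ip} after "
                    f"{self.consecutive_misses} miss(es); counter reset")
            self.consecutive_misses = 0
            return False
        self.consecutive_misses += 1
        if self.consecutive_misses < self.max_consecutive_misses:
            return False
        # Threshold reached: the tunnel is assumed dead, a new SA is negotiated
        # and probing continues on the fresh tunnel with a clean counter.
        self.renegotiations += 1
        self.events.append(
            f"t={tick}s: {self.consecutive_misses} consecutive misses; "
            f"renegotiating IPsec tunnel (#{self.renegotiations})")
        self.consecutive_misses = 0
        return True


def run_monitor(trace: Iterable[bool], threshold: int = 3,
                monitor_ip: str = "192.168.10.20",
                originator_ip: str = "10.0.0.1") -> TunnelMonitor:
    """Replay a recorded trace of per-second probe results (True = reply)."""
    mon = TunnelMonitor(monitor_ip, originator_ip, threshold)
    for tick, ok in enumerate(trace):
        mon.observe(tick, ok)
    return mon


def probe_once(monitor_ip: str, originator_ip: str) -> bool:
    """Real probe for a Linux host standing in for the firewall (assumption:
    iputils ping; -I binds the source address, -W 1 is a 1 s reply timeout).
    Not used by the offline replay below."""
    cmd = ["ping", "-c", "1", "-W", "1", "-I", originator_ip, monitor_ip]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


# Constructed traces, one entry per second (True = reply received).
# Sporadic loss: three misses in total but never three in a row -> no action.
SPORADIC_LOSS = [False, True, False, True, False, True, True]
# Two real outages, each long enough to trip a threshold of 3.
TWO_OUTAGES = [True, True, False, True, False, False, False,
               True, False, False, False, True]

if __name__ == "__main__":
    for name, trace in (("sporadic", SPORADIC_LOSS), ("outages", TWO_OUTAGES)):
        mon = run_monitor(trace)
        print(f"{name}: {mon.renegotiations} renegotiation(s)")
        for ev in mon.events:
            print("  ", ev)
```

The sporadic trace shows why the threshold is expressed in consecutive misses: a lossy but working tunnel is not torn down, while a genuine outage is detected within threshold seconds because probes run once per second.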
Tunnel Health Monitoring Alternatives
Tunnel monitoring is an efficient way of checking IPsec tunnel health, but it requires an external
host that answers ping. Even so, it is preferable to the Auto Establish option. Auto Establish has
the disadvantage that it works at the IKE level and does not monitor the traffic flowing inside the
tunnel. There is no reason to use both tunnel monitoring and Auto Establish at the same time
and this should be avoided.
Dead peer detection (DPD) should not be disabled just because tunnel monitoring is in use
(unless the remote IPsec peer does not support DPD). DPD detects an unresponsive peer at the
IKE level, while tunnel monitoring checks that traffic actually passes through the tunnel, so DPD
works as a complement to tunnel monitoring if both are enabled.
Setting Up IPsec Tunnel Monitoring
The following steps are needed to set up monitoring for an IPsec Tunnel object:

• Enable monitoring on the IPsec tunnel.

• Specify a single IPv4 address as the host that should be accessible through the tunnel. The IP
address must always be part of the tunnel's remote network, so no route needs to be added
for it. The host itself should be configured to respond to ICMP ping requests.

• Optionally set the number of consecutive replies that are not received before the tunnel is
Chapter 9: VPN