Table of Contents
Advertisement
Table 78 VPN Setup
LABEL
Modify
Back
13.6 Keep Alive
When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically
renegotiates the tunnel when the IPSec SA lifetime period expires (see
216
for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on"
connection after you initiate it. Both IPSec routers must have a ZyXEL Device-compatible
keep alive feature enabled in order for this feature to work.
If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it
and they all have keep alive enabled, then no other tunnels can take a turn connecting to the
ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.
When there is outbound traffic with no inbound traffic, the ZyXEL Device automatically
drops the tunnel after two minutes.
13.7 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN
using the AH protocol digitally signs the outbound packet, both data payload and headers,
with a hash value appended to the packet, but a NAT device between the IPSec endpoints
rewrites the source or destination address. As a result, the VPN device at the receiving end
finds a mismatch between the hash value and the data and assumes that the data has been
maliciously altered.
NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device's
NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an
IKE SA when there are NAT routers between the two IPSec routers.
Chapter 13 VPN Screens
DESCRIPTION
Click the Edit icon to go to the screen where you can edit the VPN configuration.
Click the Remove icon to remove an existing VPN configuration.
Click Back to return to the previous screen.
P-661H/HW Series User's Guide
Section 13.12 on page
207
Advertisement
Table of Contents
Troubleshooting
