Sa Life Time; Ipsec High Availability - ZyXEL Communications ZyWALL 2Plus User Manual

Internet security appliance

11.1.4.4 SA Life Time

One characteristic of SAs is the SA life time. The SA life time specifies how long the SA lasts until it times out. When an SA times out, the ZyWALL automatically renegotiates the SA in the following situations:
• there is traffic when the SA life time expires
• the IPSec SA is configured on the ZyWALL as nailed up (see below)
Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic.
Note: If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected.
An IPSec SA can also be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic. If you set the IPSec SA to nailed up, the ZyWALL automatically renegotiates the IPSec SA when the SA life time expires, and it does not drop the IPSec SA if there is no inbound traffic.
Note: The SA life time and nailed up settings only apply if the rule identifies the remote IPSec router by a static IP address or a domain name. If the Remote Gateway Address field is set to 0.0.0.0, the ZyWALL cannot initiate the tunnel (and cannot renegotiate the SA).
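The rules above interact (life time expiry, traffic, nailed up, the two-minute outbound-only drop, and the 0.0.0.0 remote gateway restriction), so the following model walks an IPSec SA through time and applies them. It is an added example written for this page, not ZyXEL firmware code; the `IPsecSA` class, its field names and the `tick()` interface are assumptions, and the addresses used are constructed documentation values.

```python
from dataclasses import dataclass, field

# Constructed model of the SA life time / nailed up behaviour described above.
# Example code written for this page, not ZyXEL's; names are assumptions.

IDLE_DROP_SECONDS = 120  # "two minutes of outbound traffic with no inbound traffic"


@dataclass
class IPsecSA:
    life_time: int           # seconds the SA lasts before it times out
    nailed_up: bool          # the IPSec rule's nailed up setting
    remote_gateway: str      # static IP, (dynamic) domain name, or "0.0.0.0"
    established: bool = True
    age: int = 0                     # seconds since the SA was (re)negotiated
    seconds_since_inbound: int = 0   # outbound-only idle counter
    events: list[str] = field(default_factory=list)

    def can_initiate(self) -> bool:
        # With Remote Gateway Address 0.0.0.0 the ZyWALL cannot initiate the
        # tunnel or renegotiate the SA, so life time / nailed up do not apply.
        return self.remote_gateway != "0.0.0.0"

    def _renegotiate(self, reason: str) -> None:
        self.established = True
        self.age = 0
        self.seconds_since_inbound = 0
        self.events.append(f"renegotiated ({reason})")

    def _drop(self, reason: str) -> None:
        self.established = False
        self.events.append(f"dropped ({reason})")

    def tick(self, seconds: int, outbound: bool, inbound: bool) -> bool:
        """Advance the clock by `seconds` during which the given traffic was
        seen, apply the rules, and return whether the SA is up afterwards."""
        if not self.established:
            # A dropped SA is re-negotiated only the next time someone wants
            # to send traffic, and only if this side can initiate at all.
            if outbound and self.can_initiate():
                self._renegotiate("traffic after drop")
            return self.established

        self.age += seconds
        self.seconds_since_inbound = 0 if inbound else self.seconds_since_inbound + seconds

        if self.age >= self.life_time:
            # Automatic renegotiation at expiry needs traffic or nailed up.
            if (outbound or inbound or self.nailed_up) and self.can_initiate():
                self._renegotiate("life time expired")
            else:
                self._drop("life time expired")
        elif (outbound
              and self.seconds_since_inbound >= IDLE_DROP_SECONDS
              and not self.nailed_up):
            self._drop("outbound traffic with no inbound traffic for two minutes")
        return self.established


if __name__ == "__main__":
    # Constructed walk-through: outbound-only idle drop, then on-demand renegotiation.
    sa = IPsecSA(life_time=3600, nailed_up=False, remote_gateway="203.0.113.5")
    sa.tick(120, outbound=True, inbound=False)
    sa.tick(5, outbound=True, inbound=False)
    print(sa.events)
```

Running the same scenarios with `nailed_up=True` shows the SA surviving the outbound-only window and renegotiating at expiry without traffic, while `remote_gateway="0.0.0.0"` shows that neither setting helps because the ZyWALL cannot initiate.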

11.1.4.5 IPSec High Availability

IPSec high availability (IPSec HA or VPN HA) allows you to use a redundant (backup) VPN
connection to another WAN interface on the remote IPSec router if the primary (regular) VPN
connection goes down.
When setting up an IPSec high availability VPN tunnel, the remote IPSec router:
• must have multiple WAN connections
• only needs to configure one corresponding IPSec rule
• should not have IPSec high availability settings in its corresponding IPSec rule
• should ideally identify itself by a domain name (or dynamic domain name)
• must not have the My IP Address field set to a specific IP address (use a domain name, dynamic domain name or 0.0.0.0)
• should use a WAN connectivity check to this ZyWALL's WAN IP address
If the remote IPSec router is not a ZyWALL, you may also want to avoid setting the IPSec rule to nailed up.
In the following figure, if primary VPN tunnel A goes down, the ZyWALL uses the redundant VPN tunnel (B).
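The remote-router requirements above are easy to miss when reviewing a peer's configuration, in particular the difference between a literal IP in My IP Address (not allowed) and a domain name or 0.0.0.0 (allowed). The checker below encodes them; it is an added example written for this page, not ZyXEL's own tooling, and the dictionary keys (`wan_interfaces`, `ipsec_rules`, `my_ip_address`, `high_availability`, `nailed_up`, `is_zywall`, `connectivity_check_target`) are assumptions about how such a configuration might be represented.

```python
import ipaddress

# Constructed checker for the IPSec HA remote-router requirements listed above.
# Example code written for this page, not ZyXEL's; the keys are assumptions.


def is_specific_ip(value: str) -> bool:
    """True when the My IP Address value is a literal address other than the
    0.0.0.0 wildcard; domain names and dynamic DNS names return False."""
    try:
        return not ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return False  # not an IP literal, so a (dynamic) domain name


def check_remote_router(remote: dict, local_wan_ip: str) -> list[str]:
    """Return the requirements the remote IPSec router's configuration
    violates; an empty list means it is suitable as an IPSec HA peer."""
    problems = []
    if len(remote.get("wan_interfaces", [])) < 2:
        problems.append("must have multiple WAN connections")
    rules = remote.get("ipsec_rules", [])
    if len(rules) != 1:
        problems.append("only needs one corresponding IPSec rule")
    for rule in rules:
        if rule.get("high_availability"):
            problems.append("should not have IPSec high availability settings in its rule")
        if is_specific_ip(rule.get("my_ip_address", "0.0.0.0")):
            problems.append("My IP Address must not be set to a specific IP address")
        if rule.get("nailed_up") and not remote.get("is_zywall", False):
            problems.append("non-ZyWALL remote: avoid setting the IPSec rule to nailed up")
    if remote.get("connectivity_check_target") != local_wan_ip:
        problems.append("should use a WAN connectivity check to this ZyWALL's WAN IP address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a remote router with a single WAN and a literal My IP Address.
    sample = {
        "wan_interfaces": ["wan1"],
        "is_zywall": True,
        "connectivity_check_target": "198.51.100.10",
        "ipsec_rules": [{"my_ip_address": "203.0.113.7", "high_availability": False}],
    }
    for problem in check_remote_router(sample, "198.51.100.10"):
        print("-", problem)
```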
Chapter 11 IPSec VPN
ZyWALL 2 Plus User's Guide
191
