Nat Traversal Support; Dynamic Dns Support; Certificate Management - Secure Computing SG300 User Manual

Snapgear gateway

Negotiation State reports what stage of the negotiation process the tunnel is in. In this
example it has initiated and sent the first aggressive mode packet (AI1) and is expecting
its response (AR1), as shown in the line STATE_AGGR_I1 (sent AI1, expecting AR1). Once
Phase 1 has been successfully negotiated, the status displays ISAKMP SA established.
Once Phase 2 has been successfully negotiated, the status displays IPSec SA
established. The tunnel is then established and running.

NAT Traversal Support

NAT Traversal allows tunnels to be established when the IPSec endpoints reside behind
NAT devices. If any NAT devices are detected, the NAT Traversal feature is
automatically used. It cannot be configured manually on the SnapGear unit.

Dynamic DNS Support

Internet Service Providers generally charge higher fees for static IP addresses than for
dynamic IP addresses when connecting to the Internet. The SnapGear unit can reduce
costs since it allows tunnels to be established with both IPSec endpoints having dynamic
IP addresses. The two endpoints must, however, be SnapGear units and at least one
end must have dynamic DNS enabled. The SnapGear unit supports a number of
dynamic DNS providers. When configuring the tunnel, select the DNS hostname
address type for the IPSec endpoint that has dynamic DNS supported and enable Dead
Peer Detection. If the IP address of the SnapGear unit's DNS hostname changes, the
tunnel is automatically renegotiated and re-established.

Certificate Management

X.509 certificates can be used to authenticate IPSec endpoints during tunnel negotiation
for Automatic Keying. The other methods are Preshared Secrets and RSA Digital
Signatures.

Certificates need to be uploaded to the SnapGear unit before they can be used in a
tunnel. Certificates are valid only for a set period of time. Ensure that the
certificates uploaded are valid and that the Date and Time settings have been set
correctly on the SnapGear unit.

The SnapGear unit only supports certificates in base64 PEM or binary DER format.
Some certificate authorities (CA) distribute certificates in a PKCS12 format file. This
format combines the CA certificate, local public certificate and local private key
into one file. These must be extracted before uploading them to the
SnapGear unit; see Extracting certificates further on.
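
The following pre-upload check is an added example, not part of the original manual or of the SnapGear software. It reads a PEM or DER file, flags a PKCS12 container by its outer structure (a heuristic), and compares the certificate's validity window against a clock value standing in for the unit's Date and Time setting. The function names and the sample byte strings are assumptions constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def to_der(data):  # accept base64 PEM or binary DER, the two formats the manual lists
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def parse_time(tag, val):
    s = val.decode()  # UTCTime (0x17) has a 2-digit year; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
    century = ("19" if s[:2] >= "50" else "20") if tag == 0x17 else ""
    return datetime.strptime(century + s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_upload(data, device_clock):  # device_clock stands in for the unit's Date and Time
    tag, body, _ = read_tlv(to_der(data))
    top = children(body) if tag == 0x30 else []
    if not top:
        return "not a PEM/DER certificate"
    if top[0][0] == 0x02:  # PKCS12 (PFX) opens with an INTEGER version; a certificate does not
        return "PKCS12: extract certificates first"
    tbs = children(top[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # skip the optional [0] version field
    # Remaining order: serial, signature algorithm, issuer, validity
    not_before, not_after = (parse_time(t, v) for t, v in children(tbs[3][1]))
    if device_clock < not_before:
        return "not yet valid"
    return "expired" if device_clock > not_after else "valid"

def tlv(tag, body):  # minimal DER encoder for the constructed samples (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed skeletons, not real certificates: only the fields the check reads are populated.
validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
tbs_body = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + validity
SAMPLE_DER = tlv(0x30, tlv(0x30, tbs_body) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n"
SAMPLE_P12 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
```

A clock that has never been set produces the "not yet valid" result for a certificate that is otherwise in date, which is why the Date and Time settings matter here.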
Virtual Private Networking

This manual is also suitable for: SG530, SG570, SG575, SG580, SG550, SG560 ...
