
Digi IX20

1188 pages
Virtual Private Networks (VPN) IPsec
IX20 User Guide
505
i. Move back one level in the schema:
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ..
(config vpn ipsec tunnel ipsec_example ike phase2_proposal)>
ii. Add an additional proposal:
(config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)>
Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman
group for the additional proposal.
iii. Repeat to add more phase 2 proposals.
16. (Optional) Configure dead peer detection:
Dead peer detection is enabled by default. Dead peer detection uses periodic IKE transmissions
to the remote endpoint to detect whether tunnel communications have failed, allowing the
tunnel to be automatically restarted when failure occurs.
a. Change to the root of the configuration schema:
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ...
(config)>
b. To disable dead peer detection:
(config)> vpn ipsec tunnel ipsec_example dpd enable false
(config)>
c. Set the number of seconds between transmissions of dead peer packets. Dead peer
packets are only sent when the tunnel is idle. The default is 60.
(config)> vpn ipsec tunnel ipsec_example dpd delay value
(config)>
d. Set the number of seconds to wait for a response from a dead peer packet before
assuming the tunnel has failed. The default is 90.
(config)> vpn ipsec tunnel ipsec_example dpd timeout value
(config)>
17. (Optional) Create a list of destination networks that require source NAT:
a. Add a destination network:
(config)> add vpn ipsec tunnel ipsec_example nat end
(config vpn ipsec tunnel ipsec_example nat 0)>
b. Set the IPv4 address and optional netmask of a destination network that requires source
NAT. You can also use any, meaning that any destination network connected to the tunnel
will use source NAT.
