
ZyXEL Communications P-792H v3 User Manual

ZyXEL Communications P-792H v3
297 pages
Chapter 13 VPN
P-79X Series User’s Guide
144
Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay
up before it times out. The P-79X automatically renegotiates the IPSec SA if there is traffic when
the IPSec SA lifetime period expires. The P-79X also automatically renegotiates the IPSec SA if
both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out,
then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.
13.6.6 Negotiation Mode
The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be
established for each connection through IKE negotiations.
Main Mode ensures the highest level of security when the communicating parties are
negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation,
Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode
features identity protection (your identity is not revealed in the negotiation).
Aggressive Mode is quicker than Main Mode because it eliminates several steps when the
communicating parties are negotiating authentication (phase 1). However, the trade-off is that
the faster speed limits its negotiating power, and it does not provide identity protection. It is
useful in remote access situations where the address of the initiator is not known by the responder
and both parties want to use pre-shared key authentication.
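The difference in identity protection is visible on the wire. The following is an added example, not part of the ZyXEL manual: a Python parser for the ISAKMP header and payload chain (field layouts per RFC 2408 and RFC 2407) that reports what each phase 1 mode leaves readable to an on-path observer. The sample messages, the helper names and the identity `branch1.example` are constructed for illustration.

```python
import socket
import struct

# Field layouts and numbers from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
GEN = struct.Struct("!BxH")         # next payload, reserved, payload length
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}

def inspect(packet: bytes) -> dict:
    """Summarise one phase 1 message as an on-path observer would see it."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    info = {"mode": EXCHANGE.get(exch, f"exchange type {exch}"),
            "encrypted": bool(flags & 0x01), "payloads": [], "cleartext_id": None}
    off = HDR.size
    while nxt != 0 and not info["encrypted"]:  # encrypted bodies are opaque
        if off + GEN.size > len(packet):
            raise ValueError("truncated payload header")
        following, plen = GEN.unpack_from(packet, off)
        if plen < GEN.size or off + plen > len(packet):
            raise ValueError("bad payload length")
        body = packet[off + GEN.size:off + plen]
        info["payloads"].append(PAYLOAD.get(nxt, str(nxt)))
        if nxt == 5 and len(body) > 4:  # ID body: type, protocol, port, data
            data = body[4:]
            info["cleartext_id"] = (socket.inet_ntoa(data) if body[0] == 1 and len(data) == 4
                                    else data.decode("ascii", "replace"))
        nxt, off = following, off + plen
    return info

def build_payload(following: int, body: bytes) -> bytes:
    return GEN.pack(following, GEN.size + len(body)) + body

def build_message(exch: int, flags: int, first: int, payloads: bytes) -> bytes:
    return HDR.pack(b"\x11" * 8, bytes(8), first, 0x10, exch, flags, 0,
                    HDR.size + len(payloads)) + payloads

# Constructed messages with placeholder cookies and bodies, not a real capture.
MAIN_1 = build_message(2, 0, 1, build_payload(0, bytes(40)))  # SA proposal only
MAIN_5 = build_message(2, 1, 5, bytes(32))                    # ID sent encrypted
AGGR_1 = build_message(4, 0, 1, build_payload(4, bytes(40)) + build_payload(10, bytes(96))
                       + build_payload(5, bytes(16))
                       + build_payload(0, b"\x02\x11\x01\xf4branch1.example"))  # SA, KE, NONCE, ID

if __name__ == "__main__":
    for name, pkt in (("main #1", MAIN_1), ("main #5", MAIN_5), ("aggressive #1", AGGR_1)):
        print(name, inspect(pkt))
```

Run against a capture of your own tunnel setup, the same check confirms which negotiation mode a peer is actually using and whether its identity crosses the WAN in cleartext.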
13.6.7 Keep Alive
When you initiate an IPSec tunnel with keep alive enabled, the P-79X automatically renegotiates
the tunnel when the IPSec SA lifetime period expires (see Section 13.6.5 on page 143 for more on
the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you
initiate it. Both IPSec routers must have a P-79X-compatible keep alive feature enabled in order for
this feature to work.
If the P-79X has its maximum number of simultaneous IPSec tunnels connected to it and they all
have keep alive enabled, then no other tunnels can take a turn connecting to the P-79X because the
P-79X never drops the tunnels that are already connected.
When there is outbound traffic with no inbound traffic, the P-79X automatically drops the tunnel
after two minutes.
13.6.8 Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network that
has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or
from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the
remote network.
The following figure depicts an example where three VPN tunnels are created from P-79X A; one to
branch office 2, one to branch office 3 and another to headquarters. In order to access computers
that use private domain names on the headquarters (HQ) network, the P-79X at branch office 1
uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with
Windows 2000 or Windows XP.


ZyXEL Communications P-792H v3 Specifications

General
Brand: ZyXEL Communications
Model: P-792H v3
Category: Gateway
Language: English
