Section 3: Policy Setup (continued)
IPSec Policy Options
The IPSec Policy Options console consists of three sections: Tunnel Attributes, Dead Peer Detection Feature, and Options. The console allows you to set tunnel attributes for each tunnel. In order for these options to operate they must be enabled on both the remote and the local side. NetBIOS and Auto Trigger are enabled by default.
NOTE: When you make changes to this menu you must click the Set button and then the Update button on the Policy Setup to save your settings.
Tunnel Attributes
This section displays various tunnel attributes configured for the tunnel as well as the status of the VPN tunnel. Use this to aid you in the configuration of the tunnel options.
Dead Peer Detection Feature
Figure 18-e. Dead Peer Detection Console.
Dead Peer Detection (DPD) is a countermeasure designed to prevent wasted bandwidth and CPU cycles when the remote side of the VPN tunnel has been terminated. Instead of sending data and waiting for a response that never comes, the link is actively monitored. If it goes down, the tunnel is handled according to the action you select in the DPD settings below. By default this feature is disabled.
Not all VPN gateways have this feature. If you are connecting to a non-XiNCOM VPN gateway it is recommended that you keep this feature off. Otherwise frequent disconnects may result, because the remote side (the non-XiNCOM VPN gateway) will not reply to the detection packets and the tunnel will be declared dead every time the retry count is exhausted.
DPD is also a main component of VPN failover. When it is enabled, the Twin WAN Gateway sends packets to the remote VPN gateway to verify that the tunnel is still connected. When a dropped tunnel is detected, the XiNCOM changes the logical state of that tunnel to Idle.
Dead Peer Detection Feature - Settings
This check box enables Dead Peer Detection; once it is checked, the remaining options can be set.
Select a method of verification: ICMP, Heartbeat, or Keep Alive.
When no traffic has passed through the VPN tunnel for this amount of time (Check After Idle), the TWR VPN Gateway sends a detection packet.
This is the number of detection packets the XiNCOM VPN Gateway sends without receiving a reply before it treats the tunnel as dead.
This option instructs the router what action to take when a dead tunnel is discovered: ignore the dead tunnel, disconnect the dead tunnel, or attempt to keep it alive by re-establishing it.
This check box enables the logging function for DPD. When it is enabled, all DPD actions are written to the VPN Log.
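The timer behind the three DPD settings above (Check After Idle, the retry count and the action) can be simulated to see exactly when a tunnel is declared dead. The following is an added example written for this page, not XiNCOM firmware; the attribute names idle_seconds, retries and action, the assumption that repeat probes are spaced one idle interval apart, and the state names Connected and Idle are illustrative choices, and the scenario driven by run_scenario() is constructed rather than captured from a gateway.

```python
"""Dead Peer Detection timer logic, simulated with an injected clock.

Added example, not XiNCOM code. The setting names idle_seconds (Check After
Idle), retries and action, the spacing of repeat probes (one every
idle_seconds) and the state names are assumptions made to illustrate the
settings described above.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdMonitor:
    idle_seconds: float             # Check After Idle: silence before a detection packet is sent
    retries: int                    # detection packets sent without reply before the peer is dead
    action: str                     # "ignore", "disconnect" or "keep_alive"
    log_enabled: bool = True        # mirrors the DPD logging check box
    state: str = "Connected"        # logical tunnel state; becomes "Idle" when declared dead
    last_traffic: float = 0.0       # time the tunnel last carried a packet in either direction
    last_probe: Optional[float] = None
    probes_sent: int = 0
    log: List[str] = field(default_factory=list)

    def _log(self, now: float, msg: str) -> None:
        if self.log_enabled:
            self.log.append(f"t={now:g}: {msg}")

    def on_traffic(self, now: float) -> None:
        """Any packet through the tunnel, including a probe reply, proves the peer alive."""
        self.last_traffic = now
        self.last_probe = None
        self.probes_sent = 0

    def tick(self, now: float) -> Optional[str]:
        """Run the timer. Returns 'probe' when a detection packet should be sent,
        the configured action when the peer is declared dead, otherwise None."""
        if self.state != "Connected":
            return None
        reference = self.last_probe if self.last_probe is not None else self.last_traffic
        if now - reference < self.idle_seconds:
            return None
        if self.probes_sent < self.retries:
            self.probes_sent += 1
            self.last_probe = now
            self._log(now, f"idle {self.idle_seconds:g}s, detection packet {self.probes_sent}/{self.retries}")
            return "probe"
        self._log(now, f"{self.retries} detection packets unanswered, peer dead, action={self.action}")
        if self.action == "ignore":
            self.on_traffic(now)       # restart the idle timer and leave the tunnel logically up
            return "ignore"
        self.state = "Idle"            # disconnect and keep_alive both mark the tunnel Idle;
        return self.action             # keep_alive tells the caller to re-trigger negotiation


def run_scenario(action: str, peer_replies: bool) -> List[str]:
    """Drive the monitor from t=0 to t=60 in 5 s steps against a peer that does
    or does not answer probes (a constructed scenario, not captured data)."""
    dpd = DpdMonitor(idle_seconds=10, retries=3, action=action)
    events = []
    for now in range(0, 65, 5):
        result = dpd.tick(now)
        if result:
            events.append(f"{now}:{result}")
        if result == "probe" and peer_replies:
            dpd.on_traffic(now + 1)    # the reply arrives one second later
    return events


if __name__ == "__main__":
    print(run_scenario("disconnect", peer_replies=False))
    print(run_scenario("disconnect", peer_replies=True))
```

With a peer that never answers, the tunnel is declared dead ten seconds after the third unanswered probe and, under the disconnect action, goes Idle at t=40; a peer that answers resets the idle timer on every reply and the tunnel stays Connected. A gateway that does not understand the chosen verification method behaves like the silent peer, which is the repeated disconnect cycle the note above warns about.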
Options
Figure 18-b. Policy Setup - Options Sub-Console.
This section allows you to set options for handling the VPN tunnel. These options must be set identically on both the local and the remote side in order to function properly. A mismatch may result in dropped or corrupted packets.
The Options sub-console screen is located in Policy Setup>Actions>Set Options.
Options - Settings
This option forwards NetBIOS packets across the Internet from the remote side to the local side and vice versa. When it is enabled, a computer on the remote side can be reached by its host name.
When enabled, the Twin WAN Gateway will attempt to connect to the remote gateway without any user input.
The Anti-Replay mechanism keeps track of the sequence number carried in each ESP packet as it arrives and maintains a sliding window of recently accepted numbers. A packet whose sequence number has already been accepted, or that falls behind the window, is discarded. This prevents an attacker who has captured valid encrypted packets from re-sending them later to trigger the same traffic again.
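The sliding window the option above relies on is specified in RFC 2401 Appendix C and RFC 4303 Appendix A. The following is an added example that implements it; it is not XiNCOM firmware. The window size of 64 is the RFC 4303 default, the check/update split reflects the order the RFCs require (authenticate the packet before moving the window), and the packet stream in sample_stream() is constructed to exercise each branch rather than taken from a capture.

```python
"""ESP anti-replay sliding window (RFC 2401 Appendix C / RFC 4303 Appendix A).

Added example, not XiNCOM firmware. The window size of 64 is the RFC 4303
default; receive() and the packet stream in sample_stream() are constructed
to show the check, not taken from a capture.
"""
from typing import List, Tuple


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.last_seq = 0      # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0        # bit i set <=> sequence number last_seq - i has been accepted

    def check(self, seq: int) -> bool:
        """Pre-check done before the ICV is verified: may this sequence number be accepted?"""
        if seq == 0:
            return False                        # the sender starts at 1, so 0 never occurs
        if seq > self.last_seq:
            return True                         # right of the window: a new packet
        offset = self.last_seq - seq
        if offset >= self.size:
            return False                        # left of the window: too old, drop
        return not (self.bitmap >> offset) & 1  # inside the window: drop if already seen

    def update(self, seq: int) -> None:
        """Advance the window. Call only after the packet's ICV verified; otherwise an
        attacker could push the window forward with forged sequence numbers and make
        the receiver discard the sender's genuine packets."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                 # jumped past the whole window
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)
        # Note: a 32-bit sequence number must never wrap while anti-replay is on;
        # the SA has to be rekeyed before 2**32 packets (RFC 2406 section 2.2).


def receive(window: AntiReplayWindow, seq: int, icv_ok: bool) -> str:
    """Receive-side order of operations for one ESP packet."""
    if not window.check(seq):
        return "drop:replay-or-stale"
    if not icv_ok:
        return "drop:bad-icv"                   # window untouched
    window.update(seq)
    return "accept"


def sample_stream() -> List[str]:
    """Constructed sequence numbers and ICV outcomes illustrating each branch."""
    stream: List[Tuple[int, bool]] = [
        (1, True), (2, True), (3, True),
        (2, True),      # captured earlier and replayed: inside the window, already seen
        (100, True),    # large forward jump; the window now covers 37..100
        (3, True),      # now left of the window: stale
        (50, True),     # late but inside the window and unseen: accepted
        (50, True),     # replay of the late packet
        (200, False),   # forged: passes the pre-check, rejected by the ICV, window not moved
        (101, True),    # the genuine next packet is still accepted because 200 moved nothing
    ]
    window = AntiReplayWindow()
    return [receive(window, seq, ok) for seq, ok in stream]


if __name__ == "__main__":
    print(sample_stream())
```

The point of splitting check() from update() is that the pre-check is cheap and can run before the expensive integrity check, but the window must only advance for packets whose ICV verified. A receiver that advanced the window on unauthenticated sequence numbers would let anyone who can inject packets toward the gateway force legitimate traffic to be dropped as "stale".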
When enabled, the logical tunnel state remains Idle until an attempt is made to connect to the remote side. This setting overrides the Auto Trigger option.
When enabled, the Twin WAN VPN gateway checks the ESP (Encapsulating Security Payload) padding of each packet. After decryption, the padding bytes that precede the Pad Length field must form the sequence 1, 2, 3, ... required by the default padding scheme; a packet whose padding does not match is discarded. ESP is a key protocol in the IPsec (IP Security) architecture, designed to provide a mix of security services in IPv4 and IPv6. Refer to RFC 2406 (since superseded by RFC 4303, which keeps the same trailer format) for more information.
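The trailer layout that the padding check inspects is Payload Data | Padding | Pad Length | Next Header (RFC 2406 section 2.4). The following added example builds that trailer on the sending side and validates it on the receiving side; it is not XiNCOM firmware. It works on the already-decrypted ESP payload, so the ESP header, the cipher and the ICV are out of scope, the 16-byte block size is an assumption matching AES-CBC, and the sample payload and the helper names are constructed for the demonstration.

```python
"""ESP trailer construction and the receive-side padding check of RFC 2406 section 2.4.

Added example, not XiNCOM firmware. It operates on the already-decrypted ESP
payload; encryption, the ESP header (SPI, sequence number) and the ICV are
outside its scope. The 16-byte block size and the sample payload are assumptions.
"""

NEXT_HEADER_IPV4 = 4   # IP-in-IP: tunnel mode carries a whole IPv4 packet


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int = 16) -> bytes:
    """Sender side: Payload Data | Padding | Pad Length | Next Header, using the default
    RFC 2406 padding 1, 2, 3, ... so the total is a multiple of block_size."""
    if block_size < 4 or block_size % 4:
        raise ValueError("ESP requires at least 4-byte alignment")
    pad_len = (-(len(payload) + 2)) % block_size     # 0 .. block_size-1 bytes of padding
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def parse_esp_plaintext(plaintext: bytes, block_size: int = 16, check_padding: bool = True):
    """Receiver side, run only after ICV verification and decryption. Returns
    (payload, next_header) or raises ValueError for a malformed trailer. With
    check_padding the padding bytes must be exactly 1, 2, 3, ..., which is what
    the page's 'check ESP padding' option enforces."""
    if len(plaintext) < 2 or len(plaintext) % block_size:
        raise ValueError("ESP plaintext too short or not aligned to the cipher block")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2                          # Pad Length and Next Header sit here
    if pad_len > end:
        raise ValueError("Pad Length field exceeds the plaintext")
    padding = plaintext[end - pad_len:end]
    if check_padding and padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding is not the 1, 2, 3, ... sequence")
    return plaintext[:end - pad_len], next_header


def is_well_formed(plaintext: bytes, check_padding: bool = True) -> bool:
    """True when the trailer parses, False when the gateway would discard the packet."""
    try:
        parse_esp_plaintext(plaintext, check_padding=check_padding)
        return True
    except ValueError:
        return False


def tamper_is_detected(check_padding: bool) -> bool:
    """Flip the last padding byte of a constructed packet and report whether
    the parser rejects it; shows what the option adds over the bare trailer parse."""
    pt = bytearray(build_esp_plaintext(b"hello", NEXT_HEADER_IPV4))
    pt[len(pt) - 3] ^= 0xFF            # last padding byte, just before Pad Length
    return not is_well_formed(bytes(pt), check_padding=check_padding)


if __name__ == "__main__":
    pt = build_esp_plaintext(b"hello", NEXT_HEADER_IPV4)
    print(pt.hex(), parse_esp_plaintext(pt))
    print("tamper detected with check:", tamper_is_detected(True))
    print("tamper detected without check:", tamper_is_detected(False))
```

The Pad Length bound check matters on its own: a Pad Length larger than the plaintext would otherwise index before the start of the buffer. The padding-content check only catches corruption or tampering that the ICV did not, so it belongs after integrity verification; on an encryption-only SA (no ICV), distinguishable padding errors have been used as a decryption oracle against CBC-mode IPsec, which is one reason ESP should always be run with integrity protection.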
When enabled, this option allows full Explicit Congestion Notification (ECN) handling on the tunnel. ECN is an IETF standard (RFC 3168) that lets congested routers mark packets instead of dropping them. With the full-functionality option the gateway copies the ECN field of the inner packet into the outer header when it encapsulates, and when it decapsulates it carries a Congestion Experienced mark set on the outer header back into the inner packet, so congestion signalled along the tunnel path still reaches the end hosts.
When an IP packet is encapsulated as the payload of another IP packet, some of the outer header fields are written fresh and others are determined by the inner header. Among these fields is the IP DF (Don't Fragment) flag. When the inner packet's DF flag is clear, the outer packet may copy it or set it. When the inner DF flag is set, however, the outer header MUST copy it.
If the DF (Don't Fragment) flag is set, fragmentation of this packet at the IP level is not permitted. Because encapsulation adds the outer header and the ESP overhead, an inner packet that is close to the path MTU can become too large to forward once DF has been copied; the gateway must then rely on Path MTU Discovery (ICMP Fragmentation Needed) to make the sender reduce its packet size.
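The two outer-header rules above, DF copying and full-functionality ECN, are shown together in the following added example of building the outer IPv4 header and undoing it at the far end. This is illustration code written for this page, not XiNCOM firmware. It models plain IP-in-IP so that decapsulation is visible in the same block; with ESP the bytes behind the outer header would be the ESP header, ciphertext, trailer and ICV, so payload_len would be larger. The TTL of 64, the outer Identification value, the addresses and the helper names are assumptions, and the ECN rules follow RFC 3168 section 9.1.1.

```python
"""Tunnel-mode outer IPv4 header: DF copying and ECN full-functionality handling.

Added example, not XiNCOM firmware. Models plain IP-in-IP so the decapsulation
side is visible; with ESP the payload behind the outer header would be the ESP
header, ciphertext, trailer and ICV. TTL, outer Identification and addresses
are illustrative. ECN rules follow RFC 3168 section 9.1.1; the DF rule is the
copy rule described above.
"""
import struct
from ipaddress import IPv4Address

IP_DF = 0x4000
PROTO_ESP = 50
ECN_NOT_ECT, ECN_CE = 0, 3
HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement header checksum; a correct header checksums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def make_ipv4(src, dst, proto, tos, df, payload, ttl=64, ident=0) -> bytes:
    """Constructed inner packet for the demonstration."""
    hdr = struct.pack(HDR, 0x45, tos, 20 + len(payload), ident, IP_DF if df else 0,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return with_checksum(hdr) + payload


def df_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & IP_DF)


def ecn_of(header: bytes) -> int:
    return header[1] & 0x03


def build_outer_header(inner, src, dst, payload_len, ecn_full=True, df_when_clear="copy", ttl=64):
    """Outer header written by the encapsulating gateway."""
    ver_ihl, inner_tos, _, _, inner_flags = struct.unpack(HDR, inner[:20])[:5]
    if ver_ihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    # DSCP is copied; the ECN field is copied only with the full-functionality option,
    # otherwise the outer packet is sent as Not-ECT (limited-functionality option).
    tos = inner_tos if ecn_full else inner_tos & 0xFC
    if inner_flags & IP_DF or df_when_clear == "copy":
        flags = inner_flags & IP_DF   # inner DF set: MUST be copied; inner DF clear: copied here
    elif df_when_clear == "set":
        flags = IP_DF                 # inner DF clear: local policy chooses to set it
    else:
        raise ValueError("df_when_clear must be 'copy' or 'set'")
    hdr = struct.pack(HDR, 0x45, tos, 20 + payload_len, 0, flags, ttl, PROTO_ESP, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return with_checksum(hdr)


def decapsulate(packet: bytes, ecn_full=True):
    """Strip the outer header. Full-functionality ECN: a CE mark that a router set on
    the outer header is carried into an ECN-capable inner packet; an inner packet that
    was Not-ECT could not legitimately have been marked, so it is dropped (None)."""
    ihl = (packet[0] & 0x0F) * 4
    outer_tos, inner = packet[1], packet[ihl:]
    if not ecn_full or outer_tos & 0x03 != ECN_CE:
        return inner
    if ecn_of(inner) == ECN_NOT_ECT:
        return None
    marked = bytes([inner[0], (inner[1] & 0xFC) | ECN_CE]) + inner[2:20]
    return with_checksum(marked) + inner[20:]   # inner header checksum recomputed


if __name__ == "__main__":
    inner = make_ipv4("10.0.0.5", "10.1.0.7", 6, 0x02, True, b"x" * 16)   # ECT(0), DF set
    outer = build_outer_header(inner, "203.0.113.1", "198.51.100.2", len(inner))
    print(outer.hex(), "DF copied:", df_set(outer), "ECN copied:", ecn_of(outer))
```

Rewriting the inner TOS byte on decapsulation invalidates the inner header checksum, which is why decapsulate() recomputes it; a gateway that forgets this delivers a packet the host will discard. Both sides of the tunnel must agree on the ECN mode, matching the page's general rule that these options are set identically on the local and remote gateways.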