VPN – Advanced Settings
Advanced settings for a VPN tunnel is used when one need change some characteristics
of the tunnel when using for example trying to connect to a third party VPN Gateway.
The
different settings to set per tunnel is the following:
Limit MTU
Whit this setting it’s possible to limit the MTU (Max Transferable Unit) of the VPN tunnel.
IKE Mode
Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing
outbound VPN Tunnels. Inbound main mode connections will always be allowed. Inbound
aggressive mode connections will only be allowed if this setting is set to aggressive mode.
IKE DH Group
Here it’s possible to configure the Diffie-Hellman group to 1 (modp 768-bit), 2 (modp 1024-
bit) or 5 (modp 1536-bit).
PFS – Perfect Forward Secrecy
If PFS, Perfect Forwarding Secrecy, is enabled, a new Diffie-Hellman exchange is
performed for each phase-2 negotiation. While this is slower, it makes sure that no keys are
dependent on any other previously used keys; no keys are extracted from the same initial
keying material. This is to make sure that, in the unlikely event that some key was
compromised; no subsequent keys can be derived.
NAT Traversal
Here it’s possible to configure how the NAT Traversal code should behave.
Disabled
- The firewall does not send the Vendor ID's that include NAT-T support when
setting up the tunnel.
On if supported and need NAT
- Will only use NAT-T if one of the VPN gateways is
NATed.
On if supported
- Always tries to use NAT-T when setting up the tunnel.
Keepalives
No keepalives
– Keep-alive is disabled.
Automatic keepalives
- The firewall will send ICMP pings to IP Addresses automatically
discovered from the VPN Tunnel settings.
Manually configured IP addresses
- Configure the source and destination IP addresses
used when sending the ICMP pings