Chapter 5: Virtual Private Networking Using IPsec | 95
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
e. Select your Internet Interface adapter in the Name field.
3. On the left side of the menu, choose Security Policy.
   a. Under Security Policy, Phase 1 Negotiation Mode, select the Aggressive Mode radio button.
   b. Select the Enable Perfect Forward Secrecy (PFS) check box, and choose Diffie-Hellman Group 2 from the PFS Key Group drop-down list.
   c. Make sure that Enable Replay Detection is selected.
4. Click Authentication (Phase 1) on the left side of the menu and choose Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu.
5. Click Key Exchange (Phase 2) on the left side of the menu and choose Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours [28800 seconds].)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
Testing the Mode Config Connection
To test the connection:
1. Right-click the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
Configuring Keepalives and Dead Peer Detection
In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for
example, when client-server applications over the tunnel cannot tolerate the tunnel
establishment time. If you require your VPN tunnel to remain connected, you can use the
Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force
a reconnection if the tunnel drops for any reason.
For Dead Peer Detection to function, the peer VPN device on the other end of the tunnel
must also support Dead Peer Detection. Keepalive, though less reliable than Dead Peer
Detection, does not require any support from the peer device.
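The keepalive behaviour described above, as an added example that is not the firewall's own code: a small Python monitor that probes a host across the tunnel, tolerates isolated missed replies (the probed host may simply be busy, which is why keepalive is less reliable than Dead Peer Detection), and forces a reconnect only after a run of consecutive misses. The ICMP probe assumes a Linux ping binary; the scripted runner uses constructed reply sequences so the logic can be exercised offline.

```python
import subprocess
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class KeepaliveMonitor:
    """Tracks replies to periodic probes sent across the tunnel; only a run of
    consecutive missed replies is treated as the tunnel being down."""
    probe: Callable[[], bool]            # True if the host across the tunnel replied
    failure_threshold: int = 3           # consecutive misses before declaring the tunnel down
    reconnect: Callable[[], None] = lambda: None   # action that forces the tunnel back up
    failures: int = field(default=0, init=False)   # current run of missed replies
    reconnects: int = field(default=0, init=False) # how many times reconnect() has fired

    def tick(self) -> str:
        """Send one probe and return the monitor's view: 'up', 'degraded' or 'reconnect'."""
        if self.probe():
            self.failures = 0
            return "up"
        self.failures += 1
        if self.failures < self.failure_threshold:
            return "degraded"
        self.failures = 0
        self.reconnects += 1
        self.reconnect()
        return "reconnect"


def icmp_probe(host: str, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo request via the system ping (assumes Linux ping flags)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def run_scripted(replies: List[bool], threshold: int = 3) -> Tuple[List[str], int]:
    """Drive the monitor with a constructed list of probe outcomes (no network needed)."""
    outcomes = iter(replies)
    monitor = KeepaliveMonitor(probe=lambda: next(outcomes), failure_threshold=threshold)
    states = [monitor.tick() for _ in replies]
    return states, monitor.reconnects


if __name__ == "__main__":
    # Constructed sample: two isolated misses, then three in a row that trip the threshold.
    print(run_scripted([True, False, True, False, False, False, True]))
```

To monitor a live tunnel, replace the scripted probe with `lambda: icmp_probe("<LAN host across the tunnel>")` and call `tick()` on a timer that matches the keepalive interval.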
Configuring Keepalives
The keepalive feature maintains the IPsec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keepalive on a configured VPN policy, follow these steps:
1. Select VPN > Policies from the menu.