Page 266 / 469
Virtual Private Networking Using IPSec and L2TP Connections
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being
disconnected and to force a reconnection if the tunnel disconnects for any reason.
For DPD to function, the peer VPN device on the other end of the tunnel also needs to
support DPD. Keep-alive, though less reliable than DPD, does not require any support from
the peer device.
Configure Keep-Alives
The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies.
To configure the keep-alive feature on a configured VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 160 on page 239).
2. Specify the IP version for which you want to edit a VPN policy:
   IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. (The following figure shows only the top part with the General section of the Edit VPN Policy screen for IPv6.)
Figure 176.
4. Enter the settings as described in the following table:
Table 64. Keep-alive settings
General
Enable Keepalive. Select the Yes radio button to enable the keep-alive feature. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive. You need to specify the ping IP address in the Ping IP Address field, the detection period in the Detection Period field, and the maximum number of keep-alive requests that the VPN firewall sends in the Reconnect after failure count field.
Ping IP Address. The IP address that the VPN firewall pings. The address should be of a host that can respond to ICMP ping requests.
Detection Period. The period in seconds between the keep-alive requests. The default setting is 10 seconds.
Reconnect after failure count. The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default setting is 3 keep-alive requests.
5. Click Apply to save your settings.
Configure Dead Peer Detection
The Dead Peer Detection (DPD) feature lets the VPN firewall maintain the IKE SA by exchanging periodic messages with the remote VPN peer.
To configure DPD on a configured IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view (see Figure 158 on page 232).
2. Specify the IP version for which you want to edit an IKE policy:
   IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. (The following figure shows only the IKE SA Parameters section of the screen.)
Figure 177.
4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as described in the following table:
Table 65. Dead Peer Detection settings
IKE SA Parameters
Enable Dead Peer Detection. Select the Yes radio button to enable DPD. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection. You need to specify the detection period in the Detection Period field and the maximum number of times that the VPN firewall attempts to reconnect in the Reconnect after failure count field.
Detection Period. The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle. The default setting is 10 seconds.
Reconnect after failure count. The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer. The default setting is 3 failures.
5. Click Apply to save your settings.
Configure NetBIOS Bridging with IPSec VPN
Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services such as naming and neighborhood device discovery. Because VPN routers do not usually pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the VPN firewall to bridge NetBIOS traffic over the VPN tunnel.
To enable NetBIOS bridging on a configured VPN tunnel:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 160 on page 239).
2. Specify the IP version for which you want to edit a VPN policy:
   IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
   IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. (The following figure shows only the top part with the General section of the Edit VPN Policy screen for IPv6.)
Figure 178.
4. Select the Enable NetBIOS? check box.
5. Click Apply to save your settings.
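The keep-alive settings (Table 64) and the DPD settings (Table 65) share the same two knobs, Detection Period and Reconnect after failure count, and differ in one stated behaviour: DPD R-U-THERE messages go out only while the IPsec tunnel is idle, keep-alive pings go out on a fixed schedule. The following Python model is an added example and is not NETGEAR code; it shows how the two settings together bound the time it takes the firewall to notice a dead peer, and why the DPD variant sends far fewer probes on a busy tunnel. The event timelines, the "peer stops answering at second N" behaviour and the class and function names are constructed for illustration and do not correspond to anything on the device.

```python
"""
Discrete-time model of the keep-alive and DPD liveness checks described in
Tables 64 and 65 (added example, not NETGEAR code). Time advances one
simulated second per tick; nothing here talks to a real firewall.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class LivenessMonitor:
    detection_period: int = 10     # manual default: 10 seconds between probes
    failure_count: int = 3         # manual default: tear down after 3 unanswered probes
    idle_only: bool = False        # False = keep-alive ping, True = DPD R-U-THERE
    failures: int = 0              # consecutive unanswered probes so far
    next_probe_at: int = 0         # simulated second at which the next probe is due
    last_traffic_at: int = -10**9  # assumption: no tunnel traffic before the run starts
    probes: List[int] = field(default_factory=list)     # seconds at which a probe was sent
    teardowns: List[int] = field(default_factory=list)  # seconds at which the SA was torn down

    def tick(self, now: int, traffic: bool, peer_answers: Callable[[int], bool]) -> None:
        """Advance the monitor by one simulated second."""
        if traffic:
            self.last_traffic_at = now
        if now < self.next_probe_at:
            return
        self.next_probe_at = now + self.detection_period
        # DPD only: if IPsec traffic flowed during the last period the tunnel is
        # not idle, so no R-U-THERE is sent (Table 65: "sent only when the IPSec
        # traffic is idle"). Keep-alive pings are sent regardless.
        if self.idle_only and now - self.last_traffic_at < self.detection_period:
            return
        self.probes.append(now)
        if peer_answers(now):
            self.failures = 0
            return
        self.failures += 1
        if self.failures >= self.failure_count:
            # Reconnect after failure count reached: the SA is deleted and a fresh
            # connection attempt starts, so the failure counter starts over.
            self.teardowns.append(now)
            self.failures = 0


def simulate(monitor: LivenessMonitor, seconds: int, traffic_at: Set[int],
             peer_up_until: int) -> LivenessMonitor:
    """Run the monitor over a constructed timeline: tunnel traffic is seen at the
    seconds in traffic_at, and the peer answers probes only before peer_up_until."""
    for now in range(seconds):
        monitor.tick(now, now in traffic_at, lambda t: t < peer_up_until)
    return monitor


def keepalive_scenario() -> LivenessMonitor:
    """Keep-alive with the manual's defaults; the peer stops answering at second 25."""
    return simulate(LivenessMonitor(), seconds=100, traffic_at=set(), peer_up_until=25)


def dpd_scenario() -> LivenessMonitor:
    """DPD with the manual's defaults; traffic every 10 s until second 35 suppresses
    probes, the peer dies at second 45, and the silent tunnel is then probed."""
    return simulate(LivenessMonitor(idle_only=True), seconds=100,
                    traffic_at={5, 15, 25, 35}, peer_up_until=45)


def max_detection_delay(detection_period: int, failure_count: int) -> int:
    """Longest time between the peer dying and the first teardown: the peer can
    die right after an answered probe, after which failure_count probes must
    each go unanswered, one per detection period."""
    return detection_period * failure_count


if __name__ == "__main__":
    ka, dpd = keepalive_scenario(), dpd_scenario()
    print("keep-alive probes:", ka.probes, "teardowns:", ka.teardowns)
    print("DPD probes:", dpd.probes, "teardowns:", dpd.teardowns)
    print("worst-case detection delay at defaults:", max_detection_delay(10, 3), "s")
```

With the defaults the firewall needs up to 30 seconds (3 probes, 10 seconds apart) to tear down a tunnel whose peer has gone silent; shortening Detection Period or lowering Reconnect after failure count tightens that window at the cost of more probe traffic and, for keep-alive, more ICMP to the pinged host. The DPD run sends six probes over the same 100 seconds where keep-alive sends ten, because every scheduled R-U-THERE that falls within a period of tunnel traffic is skipped.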
Configure the PPTP Server
As an alternate solution to IPSec VPN and L2TP tunnels, you can configure a Point-to-Point Tunneling Protocol (PPTP) server on the VPN firewall to allow users to access PPTP clients over PPTP tunnels. A maximum of 25 simultaneous PPTP user sessions is supported. (The very first IP address of the PPTP address pool is used for distribution to the VPN firewall.)
A PPTP user typically initiates a tunnel request; the PPTP server accommodates the tunnel request and assigns an IP address to the user. After a PPTP tunnel is established, the user can connect to a PPTP client that is located behind the VPN firewall.
You need to enable the PPTP server on the VPN firewall, specify a PPTP server address pool, and create PPTP user accounts. (PPTP users are authenticated through local authentication with geardomain.) For information about how to create PPTP user accounts, see Configure User Accounts on page 310.
To enable the PPTP server and configure the PPTP server pool, authentication, and encryption:
1. Select VPN > PPTP Server. The PPTP Server screen displays. (The following figure contains an example.)
Figure 179.
2. Enter the settings as described in the following table:
Table 66. PPTP Server screen settings
PPTP Server
Enable. To enable the PPTP server, select the Enable check box.
Start IP Address. Type the first IP address of the address pool.
End IP Address. Type the last IP address of the address pool. A maximum of 26 contiguous addresses can be part of the pool. (The first address of the pool cannot be assigned to a user.)
User time out. Enter the time-out period in seconds, from 0 to 999 seconds. The default is 0 seconds. If there is no traffic from a user, the connection is disconnected after the specified period.
Authentication
Select one or more of the following authentication methods to authenticate PPTP users:
   PAP. RADIUS-Password Authentication Protocol (PAP).
   CHAP. RADIUS-Challenge Handshake Authentication Protocol (CHAP).
   MSCHAP. RADIUS-Microsoft CHAP (MSCHAP).
   MSCHAPv2. RADIUS-Microsoft CHAP version 2 (MSCHAPv2).
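The PPTP Server settings in Table 66 carry several limits that are easy to get wrong when the pool is planned on paper: the pool is at most 26 contiguous addresses, its first address is reserved for the firewall itself (which is why the section above speaks of 25 simultaneous user sessions), the user time-out is 0 to 999 seconds, and at least one authentication method must be selected. The following Python validator is an added example and is not NETGEAR code; it encodes only those stated constraints and reports every violation before the settings are applied. The function names, the result layout and the sample addresses are this example's own.

```python
"""
Validator for the PPTP Server screen settings in Table 66 (added example,
not NETGEAR code). It checks the pool size, the reserved first address, the
User time out range and the authentication selection against the limits
the manual states, and describes what the firewall will hand out.
"""
import ipaddress
from typing import Dict, List

MAX_POOL_ADDRESSES = 26              # Table 66: at most 26 contiguous addresses in the pool
USER_TIMEOUT_RANGE = range(0, 1000)  # Table 66: 0 to 999 seconds
AUTH_METHODS = ("PAP", "CHAP", "MSCHAP", "MSCHAPv2")  # Table 66, in the order listed


def pptp_config_errors(start_ip: str, end_ip: str, user_timeout: int,
                       authentication: List[str]) -> List[str]:
    """Collect every constraint violation in the proposed PPTP Server settings.
    An empty list means the settings satisfy the limits stated in the manual."""
    errors: List[str] = []
    try:
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip)
    except ipaddress.AddressValueError as exc:
        return [f"invalid IPv4 address: {exc}"]
    if end < start:
        errors.append("End IP Address must not be lower than Start IP Address")
    else:
        pool_size = int(end) - int(start) + 1
        if pool_size > MAX_POOL_ADDRESSES:
            errors.append(f"pool spans {pool_size} addresses; the maximum is {MAX_POOL_ADDRESSES}")
    if user_timeout not in USER_TIMEOUT_RANGE:
        errors.append("User time out must be between 0 and 999 seconds")
    unknown = sorted(set(authentication) - set(AUTH_METHODS))
    if unknown:
        errors.append(f"unknown authentication method(s): {', '.join(unknown)}")
    if not authentication:
        errors.append("select at least one authentication method")
    return errors


def effective_pptp_config(start_ip: str, end_ip: str, user_timeout: int,
                          authentication: List[str]) -> Dict[str, object]:
    """Validate the settings and describe the resulting pool: the first address
    goes to the VPN firewall itself and every remaining address is assignable
    to a user, so a full 26-address pool yields 25 simultaneous user sessions."""
    errors = pptp_config_errors(start_ip, end_ip, user_timeout, authentication)
    if errors:
        raise ValueError("; ".join(errors))
    start = ipaddress.IPv4Address(start_ip)
    pool_size = int(ipaddress.IPv4Address(end_ip)) - int(start) + 1
    user_addresses = [str(start + offset) for offset in range(1, pool_size)]
    return {
        "server_address": str(start),              # reserved for the firewall
        "user_addresses": user_addresses,          # handed out to PPTP users
        "max_user_sessions": len(user_addresses),
        "user_timeout_seconds": user_timeout,
        "authentication": [m for m in AUTH_METHODS if m in set(authentication)],
    }


if __name__ == "__main__":
    # Constructed sample pool: 26 addresses, so 25 are left for users.
    print(effective_pptp_config("192.168.100.1", "192.168.100.26", 0, ["MSCHAPv2"]))
    print(pptp_config_errors("192.168.100.1", "192.168.100.27", 1000, []))
```

Running the validator on a proposed pool before entering it on the PPTP Server screen makes the reserved-first-address rule visible: a pool of 192.168.100.1 to 192.168.100.26 is the largest the firewall accepts, and it serves 25 users starting at .2, not 26.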