User Guide for SonicWALL 5.8.1

VPN > Advanced
914
SonicOS 5.8.1 Administrator Guide
Advanced VPN Settings
• Enable IKE Dead Peer Detection - Select if you want inactive VPN tunnels to be dropped by the SonicWALL.
  – Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.” The default value is 60 seconds.
  – Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats. The default value is 3. If the trigger level is reached, the VPN connection is dropped by the SonicWALL security appliance. The SonicWALL security appliance uses a UDP packet protected by Phase 1 Encryption as the heartbeat.
  – Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want idle VPN connections to be dropped by the SonicWALL security appliance after the time value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds) field. The default value is 600 seconds (10 minutes).
• Enable Fragmented Packet Handling - If the VPN log report shows the log message “Fragmented IPsec packet dropped”, select this feature. Do not select it until the VPN tunnel is established and in operation.
  – Ignore DF (Don't Fragment) Bit - Select this checkbox to ignore the DF bit in the packet header. Some applications can explicitly set the ‘Don’t Fragment’ option in a packet, which tells all security appliances to not fragment the packet. This option, when enabled, causes the SonicWALL to ignore the option and fragment the packet regardless.
• Enable NAT Traversal - Select this setting if a NAT device is located between your VPN endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1-byte UDP packet is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by the IPsec peer.
• Clean up Active Tunnels when Peer Gateway DNS name resolves to a different IP address - Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
• Preserve IKE Port for Pass-Through Connections - Preserves UDP 500/4500 source port and IP address information for pass-through VPN connections.
• Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to check certificate status. See
• Send VPN Tunnel Traps only when tunnel status changes - Reduces the number of VPN tunnel traps that are sent by only sending traps when the tunnel status changes.
• Send IKEv2 Cookie Notify - Sends cookies to IKEv2 peers as an authentication tool.
• Use RADIUS in - When using RADIUS to authenticate VPN client users, RADIUS will be used in its MSCHAP (or MSCHAPv2) mode. The primary reason for choosing to do this would be so that VPN client users can make use of the MSCHAP feature to allow them to change expired passwords at login time.
Also, if this is set and LDAP is selected as the Authentication method for login on the Users > Settings page, but LDAP is not configured in a way that will allow password updates, then password updates for VPN client users will be done using MSCHAP-mode RADIUS after using LDAP to authenticate the user.
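As an added illustration of the two peer-liveness mechanisms described above (the Dead Peer Detection interval and failure trigger level, and the 1-byte NAT Traversal keepalive), the following Python model is not SonicWALL code and does not reproduce the appliance's implementation. It applies the page's defaults (60 s interval, 3 missed heartbeats, 600 s idle timeout) to a constructed timeline of peer replies and user traffic, and classifies UDP/4500 payloads using the RFC 3948 conventions (a single 0xFF octet for the NAT keepalive, a four-zero-byte Non-ESP Marker in front of IKE). The function names, the `DpdConfig` class and the timeline are assumptions made for the example.

```python
"""Model of IKE Dead Peer Detection (DPD) and NAT-T keepalive handling.

Added example, not SonicWALL code. Timing rules follow the page's wording and
its defaults; the event timeline in main() is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class DpdConfig:
    interval: int = 60        # seconds between heartbeats (page default)
    trigger_level: int = 3    # missed heartbeats before the tunnel is dropped
    idle_timeout: int = 600   # "DPD Interval for Idle VPN Sessions" (page default)
    idle_dpd: bool = False    # "Enable Dead Peer Detection for Idle VPN Sessions"


def run_dpd(cfg: DpdConfig, peer_replies: Iterable[int],
            traffic_times: Iterable[int], horizon: int
            ) -> Tuple[str, Optional[int], Optional[str]]:
    """Simulate heartbeats sent every cfg.interval seconds up to `horizon`.

    peer_replies:  heartbeat times (multiples of interval) the peer answered.
    traffic_times: times at which user traffic crossed the tunnel.
    Returns (state, drop_time, reason); reason is None while the tunnel is up.
    """
    replies = set(peer_replies)
    traffic = sorted(traffic_times)
    missed = 0
    last_traffic = 0
    t = 0
    while t < horizon:
        t += cfg.interval
        # Traffic seen since the previous heartbeat resets the idle clock.
        recent = [x for x in traffic if t - cfg.interval < x <= t]
        if recent:
            last_traffic = max(recent)
        # Idle-session DPD: drop after idle_timeout seconds without traffic,
        # even if the peer keeps answering heartbeats.
        if cfg.idle_dpd and t - last_traffic >= cfg.idle_timeout:
            return ("down", t, "idle")
        # Regular DPD: each unanswered heartbeat counts toward the trigger level.
        if t in replies:
            missed = 0
        else:
            missed += 1
            if missed >= cfg.trigger_level:
                return ("down", t, f"{missed} missed heartbeats")
    return ("up", None, None)


# RFC 3948: a lone 0xFF octet on UDP/4500 is the NAT-keepalive; four zero
# bytes (the Non-ESP Marker) prefix IKE, and anything else is UDP-encapsulated
# ESP whose first four bytes are a non-zero SPI. Simplified for the example.
NAT_KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp4500(payload: bytes) -> str:
    """Sort a UDP/4500 payload into the kinds a receiver must tell apart."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"   # silently discarded; never reaches IKE or ESP
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"             # IKE message; DPD heartbeats travel here
    if len(payload) >= 8:        # SPI (4) + sequence number (4) at minimum
        return "esp"
    return "malformed"


def main() -> None:
    cfg = DpdConfig()
    # Constructed timeline: the peer answers the first three heartbeats and
    # then goes silent; with trigger level 3 the tunnel drops at 360 s.
    print(run_dpd(cfg, peer_replies={60, 120, 180}, traffic_times={10}, horizon=900))
    # Idle DPD enabled, peer alive, but no traffic after t=30 s: drops at 660 s.
    idle_cfg = DpdConfig(idle_dpd=True)
    alive = range(60, 1201, 60)
    print(run_dpd(idle_cfg, peer_replies=alive, traffic_times={30}, horizon=1200))
    for pkt in (b"\xff", NON_ESP_MARKER + b"\x01" * 28, b"\x00\x00\x01\x02" + b"\x00" * 8):
        print(classify_udp4500(pkt))


if __name__ == "__main__":
    main()
```

The idle check runs before the heartbeat check so that a peer which still answers heartbeats but carries no traffic is torn down by the idle rule alone, matching the page's separation of the two settings.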