
Fortinet FortiGate 100 User Manual

Page 188


Fortinet Inc.

Adding a phase 1 configuration for an AutoIKE VPN

IPSec VPN

4   Optionally, configure NAT Traversal.

Enable
Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.

Keepalive Frequency
If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the phase 1 and phase 2 keylife expires. The keepalive frequency can be from 0 to 900 seconds.

5   Optionally, configure Dead Peer Detection.
Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.

Enable
Select Enable to enable DPD between the local and remote peers.

Short Idle
Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period of time expires, whenever the local peer sends traffic to the remote VPN peer it will also send a DPD probe to determine the status of the link. To control the length of time that the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval.

Retry Count
Set the number of times that the local VPN peer will retry the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.

Retry Interval
Set the time, in seconds, that the local VPN peer waits between retrying DPD probes.

Long Idle
Set the period of time, in seconds, that a link must remain unused before the local VPN peer proactively probes its state. After this period of time expires, the local peer will send a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.

6   Select OK to save the phase 1 parameters.
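The way Short Idle, Long Idle, Retry Count and Retry Interval combine to decide when a peer is declared dead is easier to see by stepping through it. The Python model below is an added example, not Fortinet code and not the FortiGate's actual DPD implementation; it assumes one-second ticks, that a probe is answered on the next tick, that a link counts as "unused" when nothing has been received from the remote peer, and it uses a constructed traffic pattern in which the remote peer goes silent at 40 seconds.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DpdConfig:
    """The four DPD timers from the table above (seconds, except retry_count)."""
    short_idle: int      # silence before an outbound data packet is accompanied by a probe
    retry_count: int     # unanswered retries tolerated before the SA is torn down
    retry_interval: int  # seconds between probe retries
    long_idle: int       # silence before a probe is sent even with no outbound traffic


@dataclass
class DpdState:
    last_seen: int = 0                   # last second anything arrived from the remote peer
    probe_sent_at: Optional[int] = None  # time of the currently outstanding probe, if any
    retries: int = 0                     # retries already sent for the outstanding probe
    sa_up: bool = True
    torn_down_at: Optional[int] = None
    events: List[str] = field(default_factory=list)


def simulate(cfg: DpdConfig, outbound: Set[int], inbound: Set[int],
             peer_dead_after: int, duration: int) -> DpdState:
    """Step the local peer one second at a time and record what DPD does.

    Modelling assumptions (not taken from the manual): one-second ticks, a probe
    is answered on the next tick, and a link is "unused" when nothing has been
    received from the remote peer. After `peer_dead_after` the remote peer sends
    nothing and answers nothing.
    """
    st = DpdState()
    for t in range(duration + 1):
        if not st.sa_up:
            break
        alive = t < peer_dead_after
        if alive and t in inbound:
            st.last_seen = t
            st.events.append(f"{t}s: traffic received")

        if st.probe_sent_at is not None:
            if alive:
                # A reply proves the peer is up; both idle clocks restart.
                st.events.append(f"{t}s: probe answered")
                st.probe_sent_at = None
                st.retries = 0
                st.last_seen = t
            elif t - st.probe_sent_at >= cfg.retry_interval:
                if st.retries == cfg.retry_count:
                    # Every allowed retry has gone unanswered: tear down the SA.
                    st.sa_up = False
                    st.torn_down_at = t
                    st.events.append(f"{t}s: peer declared dead, SA torn down")
                else:
                    st.retries += 1
                    st.probe_sent_at = t
                    st.events.append(f"{t}s: probe retry {st.retries}")
            continue

        idle = t - st.last_seen
        if t in outbound and idle >= cfg.short_idle:
            # Short Idle: attach a probe to outbound traffic once the link is idle.
            st.probe_sent_at = t
            st.events.append(f"{t}s: data sent after {idle}s idle, probe attached")
        elif idle >= cfg.long_idle:
            # Long Idle: probe proactively even though nothing is being sent.
            st.probe_sent_at = t
            st.events.append(f"{t}s: link idle {idle}s, proactive probe")
    return st


def worst_case_detection_time(cfg: DpdConfig) -> int:
    """Seconds from the first unanswered probe to SA teardown: (retries + 1) * interval."""
    return (cfg.retry_count + 1) * cfg.retry_interval


if __name__ == "__main__":
    # Constructed scenario: the peer answers until t=40s, then goes silent.
    cfg = DpdConfig(short_idle=10, retry_count=3, retry_interval=5, long_idle=60)
    result = simulate(cfg, outbound={5, 30, 100}, inbound={5},
                      peer_dead_after=40, duration=200)
    for line in result.events:
        print(line)
    print("worst-case detection time:", worst_case_detection_time(cfg), "s")
```

Running it shows the two probe triggers separately: the data packet at 30 seconds carries a probe because the link has been idle longer than Short Idle, while the probe at 91 seconds is sent with no traffic at all because Long Idle has elapsed. Once the peer stops answering, teardown follows (Retry Count + 1) x Retry Interval seconds after the first unanswered probe, which is the quantity the Retry Count and Retry Interval fields let you tune; raising Retry Count buys tolerance for transient loss at the cost of slower detection.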