Netopia 3300 User Manual

6-8 Firmware User Guide

Normally it is not necessar y to change the settings of the items on the Advanced IKE Phase 1 Options screen.
Most of these settings exist for ensuring compatibility with remote IKE implementations that may have cer tain
limitations.

•

The Negotiation pop-up menu allows you to specify the way the device will respond to a connection
attempt. Normal (the default) is a two-way mode; Initiate Only or Respond Only permit limiting the
connection to one-way only.

•

The SA Use Policy pop-up menu specifies the policy that the Router will use to determine which Phase 1
SAs to use when multiple valid Phase 1 SAs are available for transmitting traffic on an IPsec tunnel.

Because the Router normally re–keys prior to the expiration of the current Phase 1 SAs, multiple valid
Phase 1 SAs may exist during the period of time after the Router has re-keyed and established new Phase
1 SAs and the time at which the old Phase 1 SAs expire.

•

If you select Newest SAs Immediately, the Router will begin using the newly created Phase 1 SAs
immediately after they are negotiated.

•

If you select Old SAs Until Expired, the Router will continue using the old Phase 1 SAs until they expire
and will begin using the newly created Phase 1 SAs only after the old ones are no longer valid.

•

Allow Dangling Phase 2 SAs toggles whether or not Phase 2 SAs are permitted to sur vive the expiration of
the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA under which
they were created expires before they do. There is no requirement that the Phase 1 SA exist for the
duration of the Phase 2 SA’s lifetime, but it is convenient because a Delete message may be sent.

•

Phase 1 SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The
range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default
value is 28,800 seconds. The value zero specifies the default.

•

Send Initial Contact Message toggles whether or not the IKE negotiation process begins by sending an
initial contact message. The default is Yes.

•

Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE
Phase 1 messages.

•

Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-keys requires a Phase 1 re-key. If this
item is set to Yes (the default), Phase 2 re-keys will be per formed independently when necessar y without
requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1
re-key. This item should normally be set to Yes unless the device is communicating with a non-compliant
remote IPsec peer that requires that a Phase 1 re-key precede each Phase 2 re-key.

•

Strict Port Policy toggles whether or not IKE requires packets to originate from the IANA IKE por t (500).
Set to Yes, the Router will listen only to por t 500 and source its packets from por t 500. Set to No, the
Router will return traffic to whatever por t originated it.

•

Invalid SPI recovery

Toggling this option to Yes allows the Router to re-establish the tunnel if either the Netopia Router or the
peer gateway is rebooted.

If an IPSec packet that does not have a valid SPI is received from the peer address, a new Phase 1
negotiation is initiated to the peer in order to securely transmit an invalid-SPI message. This will cause a
renegotiation of new IPSec SAs.