Nat-traversal, Connection timeout, Interoperability – equinux VPN Tracker 8.1.1 User Manual
Page 54

Send only traffic for the addresses below over VPN
Use this setting to send only traffic for certain addresses through the VPN. This
is useful for VPNs that require a Host to Everywhere topology if you only need
to reach certain hosts over the VPN, but don’t want all your Internet traffic to
go through the VPN.
Traffic Control is limited by the VPN’s topology and remote networks.
It is not possible to send traffic over the VPN for addresses
that are not part of the remote networks.
Force traffic over the VPN if remote networks conflict with local networks
Private IP addresses are not globally unique. If your VPN connects to a “popular”
network such as 192.168.1.0/24, it can easily happen that you find yourself
connected to a 192.168.1.0/24 network locally as well. VPN Tracker will refuse
to connect because there’s no way to tell which traffic to send over the VPN,
and which needs to reach the local network.
If you do not need any of the resources on the local network, VPN Tracker can
try to connect anyway if you turn on this setting. VPN Tracker will exempt
critical local addresses (router, DNS, DHCP), but otherwise force all traffic for
the remote network(s) over the VPN.
Availability: always
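The two Traffic Control rules above, modelled as an added example (not VPN Tracker's own code): it checks that selected addresses lie inside the remote networks, detects a local/remote conflict, and shows how a destination is handled with and without the force setting. All addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the manual.
LOCAL = ["192.168.1.0/24"]                   # network you are connected to locally
REMOTE = ["192.168.1.0/24", "10.20.0.0/16"]  # remote networks of the VPN
CRITICAL = ["192.168.1.1"]                   # local router / DNS / DHCP

def _nets(items):
    return [ipaddress.ip_network(i) for i in items]

def find_conflicts(local_nets, remote_nets):
    """Return (local, remote) pairs whose address ranges overlap."""
    return [(l, r) for l in _nets(local_nets) for r in _nets(remote_nets)
            if l.version == r.version and l.overlaps(r)]

def check_selected(selected, remote_nets):
    """Split selected addresses into (usable, rejected): only addresses
    that are part of a remote network can be sent over the VPN."""
    remotes, usable, rejected = _nets(remote_nets), [], []
    for net in _nets(selected):
        inside = any(net.version == r.version and net.subnet_of(r)
                     for r in remotes)
        (usable if inside else rejected).append(str(net))
    return usable, rejected

def decide(dest, local_nets, remote_nets, critical_local, force=False):
    """Model of the behaviour described above for one destination address."""
    if find_conflicts(local_nets, remote_nets) and not force:
        return "refuse"   # ambiguous routing: the connection is not made
    addr = ipaddress.ip_address(dest)
    if force and addr in {ipaddress.ip_address(c) for c in critical_local}:
        return "local"    # exempted so router, DNS and DHCP stay reachable
    if any(addr in r for r in _nets(remote_nets)):
        return "vpn"      # forced over the VPN, even if a local host has it
    return "direct"

if __name__ == "__main__":
    print(check_selected(["10.20.5.0/24", "172.16.0.9"], REMOTE))
    for dest in ("192.168.1.50", "192.168.1.1", "8.8.8.8"):
        print(dest, decide(dest, LOCAL, REMOTE, CRITICAL),
              decide(dest, LOCAL, REMOTE, CRITICAL, force=True))
```

With the force setting on, a local device at 192.168.1.50 is no longer reachable, because that address is now routed to the remote network.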
NAT-Traversal
Set NAT-Traversal to "Automatic".
There are some very specific circumstances in which you may need to change
the setting. Please read and understand → VPN and Network Address Translation
(NAT) before making any changes to this setting.
Availability: always
Connection Timeout
The default settings are more than sufficient for most setups. Only in extreme
network environments with high packet loss or extremely high latency (think
“connecting from a space probe back to earth”) will you have to increase the
timeout (and/or the number of times VPN Tracker attempts to resend a
packet).
Availability: always
Interoperability
Send INITIAL-CONTACT Message
For some devices it is necessary to send this message when establishing a
VPN connection in order to tell the VPN gateway to clean up “old” VPN connections.
However, other devices will disconnect all other VPN users upon receiving
this message (in particular if multiple VPN users connect from the
same public IP address, or when users share an XAUTH account).
Availability: According to the selected device profile.
Advertise as Dead Peer Detection Capable
VPN Tracker supports Dead Peer Detection (DPD) to detect if the other end of
the connection is no longer responding. When this setting is turned on, VPN
Tracker will tell the VPN gateway that it supports Dead Peer Detection.
For most VPN gateways (whether they support Dead Peer Detection or not)
this option should be turned on. Only turn it off if you suspect that VPN
Tracker offering to perform Dead Peer Detection causes a problem on the VPN
gateway, or if the VPN gateway’s Dead Peer Detection implementation is
broken.
Related Settings: Advanced > Interoperability > Perform active Dead Peer
Detection
Availability: According to the selected device profile.