fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
fortigate-ipsec-40-mr3
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Auto Key phase 1 parameters Defining IKE negotiation parameters<br />
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do<br />
not contain a port number. As a result, the packets cannot be demultiplexed. To work<br />
around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT<br />
modifications. When the Nat-traversal option is enabled, outbound encrypted packets<br />
are wrapped inside a UDP IP header that contains a port number. This extra<br />
encapsulation allows NAT devices to change the port number without modifying the<br />
IPsec packet directly.<br />
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option<br />
must be enabled whenever a NAT device exists between two FortiGate VPN peers or a<br />
FortiGate unit and a dialup client such as FortiClient. On the receiving end, the FortiGate<br />
unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.<br />
NAT keepalive frequency<br />
When a NAT device performs network address translation on a flow of packets, the NAT<br />
device determines how long the new address will remain valid if the flow of traffic stops<br />
(for example, the connected VPN peer may be idle). The device may reclaim and reuse a<br />
NAT address when a connection remains idle for too long.<br />
To work around this, when you enable NAT traversal specify how often the FortiGate unit<br />
sends periodic keepalive packets through the NAT device in order to ensure that the NAT<br />
address mapping does not change during the lifetime of a session. To be effetive, the<br />
keepalive interval msut be smaller than the session lifetime value used by the NAT device.<br />
The keepalive packet is a 138-byte ISAKMP exchange.<br />
Dead peer detection<br />
Sometimes, due to routing issues or other difficulties, the communication link between a<br />
FortiGate unit and a VPN peer or client may go down—packets could be lost if the<br />
connection is left to time out on its own. The FortiGate unit provides a mechanism called<br />
Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server,<br />
to prevent this situation and reestablish IKE negotiations automatically before a<br />
connection times out: the active phase 1 security associations are caught and<br />
renegotiated (rekeyed) before the phase 1 encryption key expires.<br />
By default, DPD sends probe messages every five seconds by default (see dpdretryinterval<br />
in the FortiGate CLI Reference). If you are experiencing high network<br />
traffic, you can experiment with increasing the ping interval. However longer intervals will<br />
require more traffic to detect dead peers which will result in more traffic.<br />
In the web-based manager, the Dead Peer Detection option can be enabled when you<br />
define advanced phase 1 options. The config vpn <strong>ipsec</strong> phase1 CLI command<br />
supports additional options for specifying a retry count and a retry interval.<br />
For more information about these commands and the related config router<br />
gwdetect CLI command, see the FortiGate CLI Reference.<br />
For example, enter the following CLI commands to configure dead peer detection on the<br />
existing IPsec Phase1 configuration called test to use 15 second intervals and to wait<br />
for 3 missed attempts before declaring the peer dead and taking action.<br />
config vpn <strong>ipsec</strong> phase1<br />
edit test<br />
set dpd enable<br />
set dpd-retryinveral 15<br />
set dpd-retrycount 3<br />
next<br />
end<br />
FortiOS Handbook v3: IPsec VPNs<br />
01-434-112804-20120111 53<br />
http://docs.fortinet.com/