tainy hmod-v3-io, tainy hmod-l3-io - Dr. Neuhaus ...
VPN connections

ISAKMP-SA lifetime, IPsec-SA lifetime
The keys for an IPsec connection are renewed at regular intervals in order to increase the effort required to attack the connection: an attacker sees less traffic protected under any one key, and a key that has been recovered is only useful until the next rekeying. Specify the lifetime (in seconds) of the keys agreed on for the ISAKMP-SA and for the IPsec-SA. The lifetime can be set differently for the ISAKMP-SA and the IPsec-SA; as a rule the IPsec-SA lifetime is chosen shorter than the ISAKMP-SA lifetime, since a new IPsec-SA can be negotiated under an existing ISAKMP-SA without a full IKE renegotiation.
NAT-T
There may be a NAT router between the TAINY xMOD-V3-IO and the VPN gateway of the remote network. Not all NAT routers let IPsec data packets through: ESP packets carry no UDP or TCP port numbers that a NAT router could translate. It may therefore be necessary to encapsulate the IPsec data packets in UDP packets (NAT traversal, NAT-T) so that they can pass the NAT router.
On: If the TAINY xMOD-V3-IO detects a NAT router that does not let the IPsec data packets through, UDP encapsulation is started automatically.
Force: UDP encapsulation of the data packets is insisted upon during negotiation of the VPN connection parameters, whether or not a NAT router is detected.
Off: The NAT-T function is switched off.
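How UDP encapsulation keeps IKE, ESP and keepalive traffic apart once they share one UDP port, shown as an added example (not code from the TAINY manual or from Dr. Neuhaus). The framing follows RFC 3948: UDP port 4500, a four-byte all-zero non-ESP marker in front of IKE messages, a non-zero SPI at the start of an ESP packet, and a one-byte 0xFF NAT keepalive. These constants come from the RFC, not from the manual, and every packet, SPI and payload below is constructed for the example.

```python
"""
UDP encapsulation of IPsec for NAT traversal (NAT-T), following RFC 3948.
Added example; not code from the TAINY manual. Assumed (from the RFC, not
from the manual): NAT-T uses UDP port 4500, IKE messages on that port carry a
four-byte all-zero "non-ESP marker", ESP packets start directly with a
non-zero SPI, and a NAT keepalive is a single 0xFF byte. All packets below
are constructed for this example.
"""
import struct

NATT_PORT = 4500                      # UDP port used once NAT-T is negotiated
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE messages on port 4500
NAT_KEEPALIVE = b"\xff"               # one-byte payload that keeps the NAT mapping alive


def build_udp_encapsulated_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """ESP-in-UDP: the ESP header (SPI, sequence number) follows the UDP header
    directly. Plain ESP is IP protocol 50 with no port numbers, which is why
    many NAT routers cannot translate it; wrapped in UDP it looks like any
    other UDP flow. esp_body stands in for the (already encrypted) ESP payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def build_udp_encapsulated_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 is prefixed with the non-ESP marker so the receiver can
    demultiplex it from ESP packets arriving on the same port."""
    return NON_ESP_MARKER + ike_message


def classify_natt_payload(udp_payload: bytes) -> dict:
    """Demultiplex a UDP/4500 payload the way a NAT-T receiver does."""
    if udp_payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(udp_payload) < 4:
        return {"kind": "malformed", "reason": "shorter than marker/SPI"}
    if udp_payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": udp_payload[4:]}
    if len(udp_payload) < 8:
        return {"kind": "malformed", "reason": "truncated ESP header"}
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "body": udp_payload[8:]}


def demo() -> list:
    """Constructed traffic: one keepalive, one IKE message (placeholder 28-byte
    header), one ESP packet. Returns the classification of each."""
    esp = build_udp_encapsulated_esp(spi=0xC0FFEE01, seq=7, esp_body=b"\xaa" * 32)
    ike = build_udp_encapsulated_ike(b"\x11" * 28)
    return [classify_natt_payload(p)["kind"] for p in (NAT_KEEPALIVE, ike, esp)]


if __name__ == "__main__":
    print(demo())  # ['nat-keepalive', 'ike', 'esp']
```

The SPI check in `build_udp_encapsulated_esp` is the whole trick: because a valid SPI is never zero, the receiver can tell an IKE message (four zero bytes) from an ESP packet by inspecting the first four bytes alone, and the keepalive is recognised by its length. On the TAINY side, the "On" setting corresponds to switching to this framing only after a NAT has been detected, while "Force" uses it from the start.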
Enable dead peer detection
If the remote station supports the dead peer detection (DPD) protocol, both partners can detect whether the IPsec connection is still valid or whether it has to be re-established. Without DPD, depending on the configuration, it may be necessary to wait until the SA lifetime elapses or to re-initiate the connection manually. To check whether the IPsec connection is still valid, the TAINY xMOD-V3-IO itself sends DPD requests to the remote station. If there is no answer, the IPsec connection is considered interrupted after the permitted number of failed attempts.
Warning
Sending the DPD requests and using NAT-T increases the amount of data sent and received over the mobile data service connection (HSPA+, UMTS, EGPRS, GPRS). Depending on the selected settings, the additional data traffic can amount to 5 Mbyte per month or more. This can lead to additional costs.
Yes: Dead peer detection is switched on. If the IPsec connection has been declared dead, attempts are made to re-establish it, independently of the transmission of user data.
No: Dead peer detection is switched off.
DPD - delay (seconds)
Time period in seconds after which DPD requests are sent. These requests test whether the remote station is still available.
DPD - timeout (seconds)
Time period in seconds after which the connection to the remote station is declared dead if no response has been made to the DPD requests.
DPD - maximum failures
Number of failed attempts permitted before the IPsec connection is considered interrupted.
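How the three DPD parameters interact over time, and what the traffic warning above amounts to, as an added example (not code from the TAINY manual). The page does not state how the device combines the timeout with the maximum number of failures; the model below is an assumption that declares the peer dead as soon as either limit is reached and lets a reply reset the failure counter. The reply schedules and the per-message sizes used for the data-volume estimate are constructed for the example.

```python
"""
Dead peer detection (DPD) timing model. Added example; not code from the
TAINY manual. The three parameters mirror the DPD settings on this page:
delay (seconds between DPD requests), timeout (seconds without a reply before
the peer is declared dead) and maximum failures (unanswered requests
tolerated). How the device combines timeout and maximum failures is not
stated on the page; this model (assumption) declares the peer dead as soon
as either limit is reached, and a reply resets the failure counter.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class DpdConfig:
    delay: int          # DPD - delay (seconds)
    timeout: int        # DPD - timeout (seconds)
    max_failures: int   # DPD - maximum failures


@dataclass(frozen=True)
class DpdResult:
    dead: bool
    declared_at: Optional[int]  # simulated second at which the peer was declared dead
    requests_sent: int
    reason: str                 # "alive", "timeout" or "max_failures"


def simulate_dpd(cfg: DpdConfig, answered: Set[int], horizon: int) -> DpdResult:
    """Send a DPD request every cfg.delay seconds up to `horizon`. `answered`
    holds the request times (constructed input) the peer replies to; a reply
    is treated as immediate. Returns whether, when and why the peer was
    declared dead."""
    last_reply = 0          # the SA was just established at t = 0
    failures = 0
    sent = 0
    t = cfg.delay
    while t <= horizon:
        sent += 1
        if t in answered:
            failures = 0
            last_reply = t
        else:
            failures += 1
            if failures >= cfg.max_failures:
                return DpdResult(True, t, sent, "max_failures")
            if t - last_reply >= cfg.timeout:
                return DpdResult(True, t, sent, "timeout")
        t += cfg.delay
    return DpdResult(False, None, sent, "alive")


def monthly_dpd_bytes(delay: int, request_bytes: int = 100, reply_bytes: int = 100,
                      seconds_per_month: int = 30 * 24 * 3600) -> int:
    """Rough data volume of DPD alone over a 30-day month, the cost the page's
    warning refers to. The per-message sizes are assumed round numbers for
    IP + UDP + ISAKMP framing, not measured values."""
    return (seconds_per_month // delay) * (request_bytes + reply_bytes)


if __name__ == "__main__":
    cfg = DpdConfig(delay=30, timeout=120, max_failures=3)
    # constructed schedule: the peer answers the first three probes, then goes silent
    print(simulate_dpd(cfg, answered={30, 60, 90}, horizon=600))
    print(monthly_dpd_bytes(delay=120))  # 4320000 bytes, roughly 4.3 MB per month
```

With delay 30 s, timeout 120 s and 3 failures, a peer that falls silent after 90 s is declared dead at 180 s by the failure counter; raising the maximum failures to 10 leaves the timeout to fire at 210 s instead. Whichever limit is the lower one decides the detection time, and the delay alone decides the monthly traffic, which is why shortening it on a metered mobile link has a direct cost.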
Factory setting
The factory settings used by the TAINY xMOD-V3-IO for a newly created connection are as follows:
Name: NewConnection
Enabled: No (switched off)
Authentication method: CA certificate
Remote ID: NONE
Local ID: NONE
Page 70 of 111 TAINY xMOD