186
Fortinet Inc.
AutoIKE IPSec VPNs
IPSec VPN
4 Optionally, configure NAT Traversal.
5 Optionally, configure Dead Peer Detection.
Use these settings to monitor the status of the connection between VPN peers. DPD allows dead connections to be cleaned up and new VPN tunnels established. DPD is not supported by all vendors.
6 Select OK to save the phase 1 parameters.
NAT Traversal

Enable
Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal has no effect. Both ends of the VPN (both VPN peers) must have the same NAT traversal setting.

Keepalive Frequency
If you enable NAT traversal, you can change the number of seconds in the Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the phase 1 (P1) and phase 2 (P2) keylife expires. The keepalive frequency can be from 0 to 900 seconds.

Dead Peer Detection

Enable
Select Enable to enable DPD between the local and remote peers.

Short Idle
Set the time, in seconds, that a link must remain unused before the local VPN peer considers it to be idle. After this period expires, whenever the local peer sends traffic to the remote VPN peer it also sends a DPD probe to determine the status of the link. To control how long the FortiGate unit takes to detect a dead peer with DPD probes, configure the Retry Count and the Retry Interval.

Retry Count
Set the number of times that the local VPN peer retries the DPD probe before it considers the channel to be dead and tears down the security association (SA). To avoid false negatives due to congestion or other transient failures, set the retry count to a sufficiently high value for your network.

Retry Interval
Set the time, in seconds, that the local VPN peer waits between DPD probe retries.

Long Idle
Set the period of time, in seconds, that a link must remain unused before the local VPN peer proactively probes its state. After this period expires, the local peer sends a DPD probe to determine the status of the link even if there is no traffic between the local peer and the remote peer.
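The interplay of the DPD timers above, modelled as an added Python simulation that is not part of the Fortinet manual: it applies the Short Idle, Long Idle, Retry Count and Retry Interval rules to a peer that stops answering and records when the SA would be torn down. The probe counting (one probe plus retry_count retries, dead declared one Retry Interval after the last unanswered retry) and the one-second clock are assumptions for illustration, not FortiGate's documented algorithm.

```python
from dataclasses import dataclass, field

@dataclass
class DpdMonitor:
    short_idle: float       # silence before the link counts as idle
    long_idle: float        # silence before an unsolicited probe is sent
    retry_count: int        # retries after the first unanswered probe
    retry_interval: float   # seconds between probe retries
    last_peer_activity: float = 0.0
    outstanding_probe_at: "float | None" = None
    retries_sent: int = 0
    dead: bool = False
    log: list = field(default_factory=list)  # (time, event) timeline

    def on_peer_traffic(self, now):
        # Any traffic from the peer proves liveness and clears pending probes.
        self.last_peer_activity = now
        self.outstanding_probe_at = None
        self.retries_sent = 0

    def on_local_send(self, now):
        # Short Idle rule: sending to an idle peer piggybacks a DPD probe.
        if self.dead or self.outstanding_probe_at is not None:
            return
        if now - self.last_peer_activity >= self.short_idle:
            self.outstanding_probe_at = now
            self.log.append((now, "probe: short idle, local traffic sent"))

    def tick(self, now):
        # Long Idle rule, retries, and the dead-peer declaration (assumed counting).
        if self.outstanding_probe_at is None:
            if not self.dead and now - self.last_peer_activity >= self.long_idle:
                self.outstanding_probe_at = now
                self.log.append((now, "probe: long idle, no traffic"))
        elif now - self.outstanding_probe_at >= self.retry_interval:
            if self.retries_sent < self.retry_count:
                self.retries_sent += 1
                self.outstanding_probe_at = now
                self.log.append((now, f"retry {self.retries_sent}"))
            else:
                self.dead, self.outstanding_probe_at = True, None
                self.log.append((now, "peer dead, tearing down SA"))

def detection_time(short_idle, long_idle, retry_count, retry_interval):
    # Worst case: the peer vanishes silently and no local traffic is sent.
    mon = DpdMonitor(short_idle, long_idle, retry_count, retry_interval)
    t = 0.0
    while not mon.dead:
        t += 1.0
        mon.tick(t)
    return t, mon.log
```

With Long Idle 30 s, Retry Count 3 and Retry Interval 5 s, a silently vanished peer is declared dead 50 s after its last traffic; raising Retry Count lengthens that window but tolerates more lost probes.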