SonicWALL SonicOS Enhanced 2.2, Administrator'S Manual

Page: 131 / 190

Page 118 SonicWALL SonicOS Standard Administrator’s Guide
• Enable NAT Traversal - Select this setting is a NAT device is located between your VPN endpoints.
IPSec VPNs protect traffic exchanged between authenticated endpoints, but authenticated endpoints
cannot be dynamically re-mapped mid-session for NAT traversal to work. Therefore, to preserve a
dynamic NAT binding for the life of an IPSec session, a 1-byte UDP is designated as a “NAT Traversal
keepalive” and acts as a “heartbeat” sent by the VPN device behind the NAT or NAPT device. The
“keepalive” is silently discarded by the IPSec peer.
• Clean up Active Tunnels when Peer Gateway DNS names resolves to a different IP address -
Breaks down SAs associated with old IP addresses and reconnects to the peer gateway.
VPN>DHCP over VPN
DHCP over VPN allows a Host (DHCP Client) behind a SonicWALL obtain an IP address lease from a
DHCP server at the other end of a VPN tunnel. In some network deployments, it is desirable to have all
VPN networks on one logical IP subnet, and create the appearance of all VPN networks residing in one
IP subnet address space. This facilitates IP address administration for the networks using VPN tunnels.
DHCP Relay Mode
The SonicWALL appliance at the remote and central site are configured for VPN tunnels for initial DHCP
traffic as well as subsequent IP traffic between the sites. The SonicWALL at the remote site (Remote
Gateway) passes DHCP broadcast packets through its VPN tunnel. The SonicWALL at the central site
(Central Gateway) relays DHCP packets from the client on the remote network to the DHCP server on
the central site.