Netopia 3346N-ENT User Guide (en)

6-8  Firmware User Guide
Normally it is not necessary to change the settings of the items on the Advanced IKE Phase 1 Options screen. Most of these settings exist for ensuring compatibility with remote IKE implementations that may have certain limitations.
The Negotiation pop-up menu allows you to specify the way the device will respond to a connection 
attempt. Normal (the default) is a two-way mode; Initiate Only or Respond Only permit limiting the 
connection to one-way only.
The SA Use Policy pop-up menu specifies the policy that the Router will use to determine which Phase 1 
SAs to use when multiple valid Phase 1 SAs are available for transmitting traffic on an IPsec tunnel. 
Because the Router normally re-keys prior to the expiration of the current Phase 1 SAs, multiple valid 
Phase 1 SAs may exist during the period of time after the Router has re-keyed and established new Phase 
1 SAs and the time at which the old Phase 1 SAs expire. 
If you select Newest SAs Immediately, the Router will begin using the newly created Phase 1 SAs 
immediately after they are negotiated.
If you select Old SAs Until Expired, the Router will continue using the old Phase 1 SAs until they expire 
and will begin using the newly created Phase 1 SAs only after the old ones are no longer valid.
Allow Dangling Phase 2 SAs toggles whether or not Phase 2 SAs are permitted to survive the expiration of the Phase 1 SAs under which they were created. Phase 2 SAs “dangle” when the Phase 1 SA under which they were created expires before they do. There is no requirement that the Phase 1 SA exist for the duration of the Phase 2 SA’s lifetime, but keeping it is convenient because a Delete message for the Phase 2 SA can then be sent under it.
Phase 1 SA Lifetime (seconds) specifies the duration in seconds for which the SA will remain valid. The 
range of permissible values is the set of non-negative integer values between 0 and 2^32-1. The default 
value is 28,800 seconds. The value zero specifies the default.
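The following simulation, added here as an illustration and not taken from the Netopia firmware, models the three behaviours just described: the two SA Use Policy choices during the overlap window after a re-key, the Allow Dangling Phase 2 SAs toggle when a Phase 1 SA expires before its Phase 2 children, and a Phase 1 SA Lifetime of 0 meaning the 28,800-second default. The 600-second re-key margin and all SA names and times are assumptions for the example.

```python
"""Added model of the Phase 1 SA table behaviour the guide describes (SA Use
Policy, Allow Dangling Phase 2 SAs, Phase 1 SA Lifetime).  Illustrative
simulation only, not Netopia firmware code."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_P1_LIFETIME = 28800   # default Phase 1 lifetime stated in the guide (seconds)
REKEY_MARGIN = 600            # ASSUMPTION: the router re-keys 10 minutes before expiry


def effective_lifetime(configured: int) -> int:
    """Lifetime 0 selects the default; any other value in range is used as given."""
    if not 0 <= configured <= 2**32 - 1:
        raise ValueError("Phase 1 SA lifetime out of range")
    return configured or DEFAULT_P1_LIFETIME


@dataclass
class Phase1SA:
    name: str
    created: int       # seconds on a simulated clock
    lifetime: int

    @property
    def expires(self) -> int:
        return self.created + self.lifetime

    def valid(self, now: int) -> bool:
        return now < self.expires


@dataclass
class Phase2SA:
    name: str
    parent: Phase1SA   # the Phase 1 SA under which it was negotiated
    expires: int


class Phase1Table:
    """Tracks Phase 1 and Phase 2 SAs for one peer and applies the two policies."""

    def __init__(self, use_policy: str = "newest", allow_dangling: bool = True):
        if use_policy not in ("newest", "old_until_expired"):
            raise ValueError(use_policy)
        self.use_policy = use_policy
        self.allow_dangling = allow_dangling
        self.p1: List[Phase1SA] = []
        self.p2: List[Phase2SA] = []
        self._p1_count = 0

    def negotiate_phase1(self, now: int, configured_lifetime: int = 0) -> Phase1SA:
        self._p1_count += 1
        sa = Phase1SA(f"P1-{self._p1_count}", now, effective_lifetime(configured_lifetime))
        self.p1.append(sa)
        return sa

    def select_phase1(self, now: int) -> Optional[Phase1SA]:
        """Which valid Phase 1 SA carries traffic while old and new SAs overlap."""
        live = [sa for sa in self.p1 if sa.valid(now)]
        if not live:
            return None
        if self.use_policy == "newest":                  # "Newest SAs Immediately"
            return max(live, key=lambda sa: sa.created)
        return min(live, key=lambda sa: sa.created)      # "Old SAs Until Expired"

    def negotiate_phase2(self, now: int, lifetime: int) -> Phase2SA:
        parent = self.select_phase1(now)
        if parent is None:
            raise RuntimeError("no valid Phase 1 SA to negotiate under")
        sa = Phase2SA(f"P2-{len(self.p2) + 1}", parent, now + lifetime)
        self.p2.append(sa)
        return sa

    def tick(self, now: int) -> List[str]:
        """Advance the clock: re-key ahead of expiry, expire SAs, apply the dangling policy."""
        events: List[str] = []
        newest = max(self.p1, key=lambda sa: sa.created, default=None)
        if newest and newest.valid(now) and newest.expires - now <= REKEY_MARGIN:
            events.append(f"rekey -> {self.negotiate_phase1(now, newest.lifetime).name}")
        for sa in [s for s in self.p1 if not s.valid(now)]:
            self.p1.remove(sa)
            events.append(f"expire {sa.name}")
            for child in [c for c in self.p2 if c.parent is sa]:
                if self.allow_dangling:
                    events.append(f"{child.name} dangles")   # Phase 2 SA outlives its parent
                else:
                    self.p2.remove(child)
                    events.append(f"delete {child.name}")     # torn down with its parent
        for child in [c for c in self.p2 if now >= c.expires]:
            self.p2.remove(child)
            events.append(f"expire {child.name}")
        return events


if __name__ == "__main__":
    table = Phase1Table("old_until_expired", allow_dangling=True)
    table.negotiate_phase1(0)            # lifetime 0 -> 28800 s
    table.negotiate_phase2(0, 30000)     # constructed so it outlives its Phase 1 parent
    for t in (28200, 28800, 30000):
        print(t, table.tick(t), "using", getattr(table.select_phase1(t), "name", None))
```

Running it with the two policies shows the difference only inside the overlap window: at 28,200 s both tables hold P1-1 and the freshly negotiated P1-2, "newest" already carries traffic on P1-2 while "old_until_expired" stays on P1-1 until it expires at 28,800 s, after which both use P1-2. With Allow Dangling set to No, the Phase 2 SA created under P1-1 is deleted at that same moment instead of surviving to its own expiry.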
Send Initial Contact Message toggles whether or not the IKE negotiation process begins by sending an 
initial contact message. The default is Yes.
Include Vendor-ID Payload toggles whether or not the Router includes the vendor-ID payload in its IKE 
Phase 1 messages.
Independent Phase 2 Re-keys toggles whether or not a Phase 2 re-key requires a Phase 1 re-key. If this item is set to Yes (the default), Phase 2 re-keys will be performed independently when necessary without requiring a Phase 1 re-key. If this item is set to No, each Phase 2 re-key will be preceded by a Phase 1 re-key. This item should normally be set to Yes unless the device is communicating with a non-compliant remote IPsec peer that requires that a Phase 1 re-key precede each Phase 2 re-key.
Strict Port Policy toggles whether or not IKE requires packets to originate from the IANA IKE port (500). Set to Yes, the Router will listen only to port 500 and source its packets from port 500. Set to No, the Router will return traffic to whatever port originated it.
Invalid SPI recovery
Setting this option to Yes allows the Router to re-establish the tunnel if either the Netopia Router or the peer gateway is rebooted.
If an IPsec packet that does not have a valid SPI is received from the peer address, a new Phase 1 negotiation is initiated to the peer in order to securely transmit an invalid-SPI message. This will cause a renegotiation of new IPsec SAs.
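The following receiver model, added as an illustration and not taken from the Netopia firmware, shows the decision the option controls: a packet whose SPI is not in the inbound SA table for a configured peer either is silently dropped (option set to No) or triggers a fresh Phase 1 negotiation under which an invalid-SPI notification is sent (option set to Yes), after which the peer's IPsec SAs are renegotiated. The addresses and SPI values are constructed, and the rule that only one recovery per peer runs at a time is an assumption of the example.

```python
"""Added model of the Invalid SPI recovery option described in the guide.
Illustrative only, not Netopia firmware code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Packet:
    src: str   # source address of the ESP/AH packet
    spi: int   # Security Parameter Index carried in the packet header


@dataclass
class Tunnel:
    peer: str
    inbound_spis: Set[int] = field(default_factory=set)   # SPIs negotiated with this peer
    recovering: bool = False                              # a recovery exchange is underway


class IpsecReceiver:
    def __init__(self, invalid_spi_recovery: bool):
        self.invalid_spi_recovery = invalid_spi_recovery
        self.tunnels: Dict[str, Tunnel] = {}
        self.ike_log: List[str] = []   # IKE actions the receiver would take

    def add_tunnel(self, peer: str, spis) -> None:
        self.tunnels[peer] = Tunnel(peer, set(spis))

    def receive(self, pkt: Packet) -> str:
        tunnel = self.tunnels.get(pkt.src)
        if tunnel is None:
            return "drop: not a configured peer"          # only react to configured peer addresses
        if pkt.spi in tunnel.inbound_spis:
            return "accept"
        if not self.invalid_spi_recovery:
            return "drop: unknown SPI"                    # option set to No: stale tunnel stays down
        if tunnel.recovering:
            return "drop: recovery already in progress"   # ASSUMPTION: one recovery per peer at a time
        tunnel.recovering = True
        self.ike_log.append(f"phase1 initiate -> {pkt.src}")
        self.ike_log.append(f"notify INVALID_SPI spi={pkt.spi:#010x} -> {pkt.src}")
        return "drop: unknown SPI, recovery started"

    def recovery_complete(self, peer: str, new_spis) -> None:
        """Called once the peer has renegotiated IPsec SAs after the invalid-SPI notification."""
        tunnel = self.tunnels[peer]
        tunnel.inbound_spis = set(new_spis)
        tunnel.recovering = False


if __name__ == "__main__":
    # Constructed scenario: the peer rebooted and now sends under an SPI we never negotiated.
    rx = IpsecReceiver(invalid_spi_recovery=True)
    rx.add_tunnel("203.0.113.5", [0x1000])
    print(rx.receive(Packet("203.0.113.5", 0x1000)))
    print(rx.receive(Packet("203.0.113.5", 0x2000)))
    print(rx.ike_log)
```

The check on the source address matters: the notification is only ever sent to a peer that is already configured, so a packet from an unknown address with a bogus SPI never causes the Router to initiate IKE.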