Configuring Advanced IPsec Settings

  1. Open the Remote Access > IPsec > Advanced tab.

  2. In the Local X.509 Certificate section, select the certificate.

    By default, the local X.509 certificate is used to authenticate the server in IPsec connections.

  3. Click Apply to save your settings.

  4. In the Dead Peer Detection (DPD) section, enable DPD.

    This option is enabled by default. It is used to automatically determine whether a remote IPsec peer can still be reached. It is usually safe to leave this option enabled. The IPsec peers automatically determine whether the remote side supports Dead Peer Detection and fall back to normal mode if necessary.

  5. Click Apply to save your settings.

  6. In the NAT Traversal (NAT-T) section, enable NAT-T.

    This option is enabled by default with a keepalive of 60 seconds. It allows IPsec traffic to pass through upstream devices that use Network Address Translation (NAT). If necessary, you can change the keepalive interval for NAT traversal in the NAT traversal keepalive field.

  7. Click Apply to save your settings.

  8. Optionally, configure the CRL Handling section.

    There are situations in which the issuer of a certificate needs to revoke a certificate that is still within its validity period, for example because it has become known that the holder obtained it fraudulently using false data (name, etc.), or because an attacker has obtained the private key belonging to the certified public key. Certificate Revocation Lists (CRLs) serve this purpose: a CRL contains the serial numbers of those certificates issued by a certificate authority that have been declared invalid before their expiration.

    • Automatic fetching: This option automatically requests the CRL from the URL defined in the partner certificate via HTTP, anonymous FTP, or LDAP version 3. The CRL is downloaded and stored on request, and updated once its validity period has expired.
    • Strict policy: With this option, any partner certificate without a corresponding CRL is rejected.

  9. Click Apply to save your settings.

  10. Optionally, enable Preshared Key Probing.

    In the Preshared Key Probing section, activate the option Enable probing of preshared keys if you want to use different preshared keys (PSKs) for your IPsec connections in respond-only mode. This option applies to L2TP-over-IPsec, IPsec remote access, and IPsec site-to-site connections with a respond-only remote gateway.

  11. Click Apply to save your settings.
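To see what the two CRL Handling options mean for a peer certificate, here is an added shell example (not part of the product or its documentation) that builds a constructed CA and peer certificate with openssl, issues the CA's CRL before and after revoking the peer, and then verifies the peer the way "Strict policy" would when no CRL could be fetched. It assumes openssl and mktemp are available; the names Test CA and ipsec-peer are made up for the demo.

```shell
# Added demo (not part of the product): a throwaway CA, an IPsec peer certificate,
# and that CA's CRL before and after revoking the peer. check_peer_cert applies the
# two CRL Handling behaviours: "strict" rejects a peer whose CRL is missing.
build_demo_pki() {
    PKI=$(mktemp -d)
    KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Constructed CA and peer certificate (peer signed directly with the CA key)
    openssl req -x509 $KEYOPTS -keyout "$PKI/ca.key" -out "$PKI/ca.crt" \
        -subj "/CN=Test CA" -days 1 2>/dev/null
    openssl req -new $KEYOPTS -keyout "$PKI/peer.key" -out "$PKI/peer.csr" \
        -subj "/CN=ipsec-peer" 2>/dev/null
    openssl x509 -req -in "$PKI/peer.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -out "$PKI/peer.crt" -days 1 2>/dev/null
    # Minimal CA database so "openssl ca" can revoke certificates and issue CRLs
    cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $PKI/index.txt
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
crlnumber = $PKI/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    : > "$PKI/index.txt"; echo 1000 > "$PKI/crlnumber"
    # CRL issued while the peer is still valid, then revoke the peer and reissue
    openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl-valid.pem" 2>/dev/null
    openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/peer.crt" 2>/dev/null
    openssl ca -config "$PKI/ca.cnf" -gencrl -out "$PKI/crl-revoked.pem" 2>/dev/null
}

# check_peer_cert MODE CRL: MODE is "strict" or "lenient", CRL is the path of the
# fetched CRL or "none" if automatic fetching failed. Prints accepted/rejected.
check_peer_cert() {
    mode=$1; crl=$2
    set -- -CAfile "$PKI/ca.crt"
    if [ "$crl" != none ]; then
        set -- "$@" -crl_check -CRLfile "$crl"   # a fetched CRL is always consulted
    elif [ "$mode" = strict ]; then
        set -- "$@" -crl_check                   # no CRL for the issuer: verify fails
    fi
    openssl verify "$@" "$PKI/peer.crt" >/dev/null 2>&1 && echo accepted || echo rejected
}
```

Run build_demo_pki once, then call check_peer_cert with the mode and CRL you want to test; a revoked serial is rejected in both modes, while a missing CRL is rejected only under strict.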

  1. Open the Remote Access > Advanced page.

    You can define name servers (DNS and WINS) and the name service domain that is assigned to hosts during the connection establishment.

  2. Click Apply to save your settings.