Configuring Advanced IPsec Settings

  1. Go to Remote Access > IPsec > Advanced.

  2. In the Local X.509 Certificate section, select a certificate.

    By default, the selected local X.509 certificate is the one the gateway uses to authenticate itself to remote peers in IPsec connections.

  3. Click Apply.

  4. In the Dead Peer Detection (DPD) section, turn on DPD.

    DPD is enabled by default. It is used to detect automatically whether a remote IPsec peer can still be reached, so that a tunnel whose peer has gone away is torn down instead of being left half-open. It is usually safe to leave this option enabled: the IPsec peers determine during negotiation whether the remote side supports DPD and fall back to normal operation if it does not.

  5. Click Apply.

  6. In the NAT Traversal (NAT-T) section, enable NAT-T.

    NAT-T is enabled by default with a keepalive interval of 60 seconds. It allows IPsec traffic to pass through upstream devices that perform Network Address Translation (NAT): ESP packets carry no port numbers for a NAT device to translate, so NAT-T encapsulates them in UDP (port 4500). The keepalive packets keep the NAT mapping open while the tunnel is idle; you can change the interval in the NAT traversal keepalive field.

  7. Click Apply.

  8. Configure CRL Handling (optional).

    There are situations in which the issuer of a certificate needs to withdraw its endorsement of a certificate that has not yet expired, for example when it becomes known that the subject obtained the certificate fraudulently by supplying false data (name, etc.), or that an attacker has obtained the private key belonging to the certified public key. Certificate Revocation Lists (CRLs) serve this purpose: a CRL lists the serial numbers of those certificates of a certification authority that have been declared invalid before their expiration date.

    • Automatic fetching: Automatically retrieves the CRL from the URL embedded in the partner certificate (its CRL distribution point) via HTTP, anonymous FTP, or LDAP version 3. The downloaded CRL is saved and is fetched again once its validity period has expired.
    • Strict policy: With this option, any partner certificate for which no corresponding CRL is available is rejected. Without it, such a certificate is accepted even though its revocation status could not be checked, so a revoked certificate stays usable for as long as its CRL cannot be fetched; enable the strict policy whenever the CRL distribution point is reliably reachable from the gateway.

  9. Click Apply.
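The two CRL policies described in the CRL Handling step, shown with a throwaway PKI built on the openssl command line. This is an added example, not code from the appliance or its documentation: the CA name, peer name, temporary directory, file names and the `check_peer` helper are all constructed here. `check_peer` mirrors the two policies: when a CRL is available, the peer certificate's serial number is checked against it; when none could be fetched, the strict policy rejects the certificate outright, while the lenient (non-strict) policy falls back to a plain chain check with no revocation test.

```shell
#!/bin/sh
# Added example: CRL checking under the strict and non-strict policies, using
# a constructed CA and peer certificate (not the appliance's own code).
set -eu

# Create a fresh working directory with a CA, a peer certificate signed by it,
# and the minimal configuration that "openssl ca" needs to issue CRLs.
setup_pki() {
  WORK=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Example IPsec CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/peer.key" \
    -out "$WORK/peer.csr" -subj "/CN=ipsec-peer.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/peer.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/peer.crt" -days 30 >/dev/null 2>&1
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 7
EOF
  : > "$WORK/index.txt"      # empty certificate database: nothing revoked yet
  echo 01 > "$WORK/crlnumber"
}

# Sign a CRL from the current database; with an empty database the CRL lists nothing.
issue_crl() {   # $1 = output file
  openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -gencrl -out "$1" >/dev/null 2>&1
}

# Mark the peer certificate as revoked in the database (the "private key stolen" case).
revoke_peer() {
  openssl ca -config "$WORK/ca.cnf" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -revoke "$WORK/peer.crt" >/dev/null 2>&1
}

# Decide whether to accept the peer certificate.
#   $1 = "strict" or "lenient"
#   $2 = path to the fetched CRL, or "" if no CRL could be fetched
# Returns 0 to accept, non-zero to reject (openssl verify's own exit status).
check_peer() {
  policy=$1; crl=$2
  if [ -n "$crl" ]; then
    # CRL available: both policies check the serial number against it.
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$crl" -crl_check "$WORK/peer.crt" >/dev/null 2>&1
  elif [ "$policy" = strict ]; then
    # Strict policy: a missing CRL is a hard failure ("unable to get certificate CRL").
    openssl verify -CAfile "$WORK/ca.crt" -crl_check "$WORK/peer.crt" >/dev/null 2>&1
  else
    # Lenient policy: no revocation check at all, only the chain is validated.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/peer.crt" >/dev/null 2>&1
  fi
}

report() {  # $1 = label, remaining arguments = command to run
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

setup_pki
issue_crl "$WORK/empty.crl"
report "strict,  CRL fetched, not revoked" check_peer strict  "$WORK/empty.crl"
report "strict,  CRL unavailable"          check_peer strict  ""
report "lenient, CRL unavailable"          check_peer lenient ""
revoke_peer
issue_crl "$WORK/revoked.crl"
report "strict,  CRL fetched, revoked"     check_peer strict  "$WORK/revoked.crl"
report "lenient, CRL fetched, revoked"     check_peer lenient "$WORK/revoked.crl"
rm -rf "$WORK"
```

The "lenient, CRL unavailable" line is the case the strict policy exists to close: the revoked certificate would still be accepted if the CRL could not be fetched, because nothing is checked beyond the chain.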

  1. Open the Remote Access > Advanced page.

    On this page you can define the name servers (DNS and WINS) and the name service domain that are assigned to remote hosts when the connection is established.

  2. Click Apply.