Table of Contents
Advertisement
Chapter 9: VPN
Default: Disabled
IPsec SA Keep Time
The length of time in seconds that an SA will linger after a client initiated delete.
Default: Disabled
Require Cookie
This forces the requirement for cookies and is used for testing purposes only.
Default: Disabled
Use Client's Attribute
When enabled, use the client requested subnet attributes when allocating IP addresses using
config mode.
Default: Disabled
IPsec IP Address Validation
When enabled, the IPsec tunnel is deleted if decrypted source IP addresses do not match the
remote network.
Default: Disabled
Disable Callstation ID
If disabled, NetDefendOS sends the additional attributes Calling-Station-ID and Called-Station-ID
in the RADIUS accounting messages it sends as part of EAP authentication.
Called-Station-ID is always set by NetDefendOS to the value of the responder identity sent during
the IKEv2 negotiation. If no identity is available then the default value of "1234567891234321" is
used.
Default: Disabled
Allow Port Change
When a NAT device has been detected between the client and the NetDefend Firewall, IKEv2
negotiation will switch from port 500 to 4500 and all ESP traffic will be encapsulated in UDP
packets. Normally this port change is only done when there is a NAT device involved but some
clients may prefer port 4500 instead of 500 even when there is no NAT. If this is the case,
NetDefendOS can accept the IKEv2 connection but when the client sends IKE data, it is sent as
raw ESP packets and without this setting enabled, NetDefendOS will drop the packets since they
will be expected to be encapsulated in UDP.
When enabled, this setting allows the IKE port change even though there is no NAT.
Default: Disabled
Log Key Material
726
- Quick Links:
- User Manual
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
