VPN Monitoring
This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor“.
The “rekey” option will cause the Netscreen to continuously try and send ICMP down the tunnel regardless of whether there are any valid SA`s.
When the “optimized” option is enabled the Netscreen will consider any traffic passing the tunnel as an indication that the tunnel is active rather then sending ICMP Pings.
When VPN Monitoring is used with Route based VPN`s, the associated tunnel routes will be disabled in the event of the tunnel being classed as down. This allows for the re-routing of traffic in the event of particular tunnel failures.
Using the “get sa” command, you can obtain the SA and Link Status. This can be found under the “Sta” column (SA/Link). If the VPN Monitor is not enabled you will see a dash for the Link status such as (A/-).
ns5gt-> get sa
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 192.168.1.107 500 esp: des/md5 ef1d1675 3549 unlim A/U -1 0
00000002> 192.168.1.107 500 esp: des/md5 b41eba07 3549 unlim A/U -1 0
VPN Groups
This allows you to add a number of VPN gateways to a VPN group. In the event of failure the traffic flow is sent through another gateway within the group.
Using IKE heart beats and recovery attempts with TCP-SYN flag checking the gateway can failover to another gateway without any disruption to the traffic flow.To ensure that the other gateways can establish new tunnels in the event of failover without the need of the endpoints having to reconnect (i.e an initial SYN not being required) you will need to set the following setting : `unset flow tcp-syn-check-in-tunnel`
VPN Groups can be configured within “VPN`s | AutoKey Advanced | VPN Groups“
Note : VPN Groups only support Policy based VPN`s.
- How to Configure a BIND Server on Ubuntu - March 15, 2018
- What is a BGP Confederation? - March 6, 2018
- Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018
Want to become an IT Security expert?
Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial