If you choose Auto Key, specify the following. Click Show Advanced Options to access the remaining fields.

Enable Replay Protection —Select to protect against replay attacks. Anti-replay is a service of IPSec, defined for ESP and AH in IETF RFC 4303 and RFC 4302; RFC 6479 describes an efficient implementation of the receiver's sliding window. Anti-replay does not detect modified packets (that is the job of the ESP/AH integrity check); it prevents an attacker who has captured valid, authenticated packets from re-injecting them later. Each unidirectional security association (SA) between the two tunnel endpoints carries its own sequence-number counter. The sender's counter is set to 0 when the SA is established and incremented before each packet is sent, so the first packet carries sequence number 1 and each subsequent packet increases the number by 1. The destination tracks sequence numbers in a sliding window: it records which numbers inside the window it has already accepted and rejects any packet whose sequence number is below the left edge of the window (too old) or is already marked in the window (duplicate or replayed). A packet whose sequence number is above the right edge is accepted and, once its integrity check verifies, advances the window, pushing the lowest sequence numbers out. The window is updated only after the packet's integrity check succeeds; otherwise an attacker could move the window with forged high sequence numbers and cause legitimate in-flight packets to be dropped as too old.

If you enable replay protection, select the Anti Replay Window to use. You can select an anti-replay window size of 64, 128, 256, 512, 1024, 2048, or 4096 packets. The default is 1024. A larger window tolerates more packet reordering on the path (for example, multipath routing or QoS queuing between the endpoints) before legitimate packets fall below the left edge and are dropped.

Copy TOS Header —Copy the Type of Service (TOS) field from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information, so that QoS marking applied to the inner packet is honored between the tunnel endpoints. This also copies the Explicit Congestion Notification (ECN) field. Note that the copied markings are carried in cleartext on the outer header, so they reveal the traffic-class mix inside the tunnel to anyone observing the path.

Add GRE Encapsulation —Select to add a GRE header inside the IPSec tunnel. The firewall inserts a GRE header after the IPSec header, so the GRE header and the inner packet are protected by the IPSec encapsulation, for interoperability with other vendors' tunnel endpoints that expect GRE over IPSec; the GRE tunnel thus shares the IPSec tunnel.

Tunnel Monitor —Select to alert the device administrator of tunnel failures and to provide automatic failover to another interface. You must assign an IP address to the tunnel interface for monitoring.

Destination IP —Specify an IP address on the other side of the tunnel that the tunnel monitor will use to determine whether the tunnel is working properly.

Profile —Select an existing monitor profile that determines the action taken when the tunnel fails. If the action specified in the monitor profile is wait-recover, the firewall waits for the tunnel to become functional and does NOT look for an alternate path in the route table. If the action is fail-over, the firewall checks the route table for an alternate route that can be used to reach the destination. For more information, see Network > Network Profiles > Monitor.
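The receiver-side sliding window described under Enable Replay Protection above, as an added worked example. The Python below is not Palo Alto Networks code and does not reflect the firewall's internal implementation; it follows the RFC 4303 model (a bitmap covering the most recent window-size sequence numbers, ending at the highest accepted one) and runs a constructed packet trace through a 64-packet window, including a replayed packet, a too-old packet, and a forged high-numbered packet whose integrity check fails and therefore must not move the window. The class and function names, the window sizes used, and every value in the trace are assumptions made for the example.

```python
"""Receiver-side IPsec anti-replay sliding window, modelled on RFC 4303 section 3.4.3.

Added illustration only, not PAN-OS code. Sequence numbers, window sizes and
the packet trace below are constructed for the example.
"""

from typing import List, Tuple

Decision = Tuple[int, bool, str]  # (sequence number, accepted?, reason)


class AntiReplayWindow:
    """Tracks which ESP/AH sequence numbers have already been accepted on one SA.

    The window covers the `size` most recent sequence numbers, ending at
    `highest` (the largest number accepted so far). Bit i of `bitmap` is set
    when sequence number `highest - i` has been received, so bit 0 is set as
    soon as anything has been accepted.
    """

    def __init__(self, size: int = 1024) -> None:
        if size < 32:  # RFC 4303 requires receivers to support a window of at least 32
            raise ValueError("anti-replay window must be at least 32 packets")
        self.size = size
        self.highest = 0  # 0 means nothing accepted yet; sequence number 0 is never valid
        self.bitmap = 0

    def check(self, seq: int) -> Tuple[bool, str]:
        """Decide whether `seq` may be accepted. Does not modify the window."""
        if seq <= 0:
            return False, "invalid (first packet on an SA has sequence number 1)"
        if seq > self.highest:
            return True, "new, above right edge"
        offset = self.highest - seq
        if offset >= self.size:
            return False, "too old, below left edge"
        if (self.bitmap >> offset) & 1:
            return False, "duplicate or replayed"
        return True, "new, inside window"

    def update(self, seq: int) -> None:
        """Record `seq` as received. Call only after the packet's ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                # Everything previously tracked falls off the left edge.
                self.bitmap = 1
            else:
                # Slide right: old bit i now describes highest - i - shift.
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def process_trace(trace: List[Tuple[int, bool]], size: int = 64) -> List[Decision]:
    """Feed (sequence number, icv_verified) packets through one window.

    The boolean stands in for the real integrity check on the ESP/AH packet.
    A packet that passes the sequence check but fails the ICV is dropped
    without touching the window, so forged packets cannot push legitimate
    in-flight packets out of the window.
    """
    window = AntiReplayWindow(size)
    decisions: List[Decision] = []
    for seq, icv_verified in trace:
        accepted, reason = window.check(seq)
        if accepted and not icv_verified:
            accepted, reason = False, "integrity check failed, window unchanged"
        if accepted:
            window.update(seq)
        decisions.append((seq, accepted, reason))
    return decisions


# Constructed trace for a 64-packet window: (sequence number, ICV verified?)
SAMPLE_TRACE: List[Tuple[int, bool]] = [
    (1, True),      # first packet on the SA
    (2, True),
    (5, True),      # 3 and 4 were reordered behind it
    (2, True),      # replay of an already-accepted packet
    (3, True),      # late but still inside the window
    (3, True),      # replay
    (5000, False),  # forged high number; ICV fails, so the window must not move
    (4, True),      # still accepted because the window stayed at 5
    (100, True),    # legitimate jump; everything below 37 falls off the left edge
    (30, True),     # too old
    (37, True),     # oldest number still inside the window (100 - 64 + 1)
    (36, True),     # just outside it
]

if __name__ == "__main__":
    for seq, accepted, reason in process_trace(SAMPLE_TRACE, size=64):
        print(f"seq {seq:>5}: {'ACCEPT' if accepted else 'DROP  '} ({reason})")
```

Running the trace shows why the window is only moved after the integrity check: the forged packet 5000 would otherwise have slid the window far past 5 and the legitimate, merely reordered packet 4 would have been dropped as too old. Raising `size` to one of the larger values offered by the Anti Replay Window setting widens the tolerance for reordering without weakening the duplicate detection.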