VPN > Advanced
582
SonicOS Enhanced 4.0 Administrator Guide
–
Dead Peer Detection Interval - Enter the number of seconds between “heartbeats.”
The default value is 60 seconds.
–
Failure Trigger Level (missed heartbeats) - Enter the number of missed heartbeats.
The default value is 3. If the trigger level is reached, the VPN connection is dropped by
the SonicWALL security appliance. The SonicWALL security appliance uses a UDP
packet protected by Phase 1 Encryption as the heartbeat.
–
Enable Dead Peer Detection for Idle VPN Sessions - Select this setting if you want
idle VPN connections to be dropped by the SonicWALL security appliance after the time
value defined in the Dead Peer Detection Interval for Idle VPN Sessions (seconds)
field. The default value is 600 seconds (10 minutes).
• Enable Fragmented Packet Handling - If the VPN log report shows the log message
“Fragmented IPsec packet dropped”, select this feature. Do not select it until the VPN
tunnel is established and in operation.
Ignore DF (Don't Fragment) Bit - When you select Enable Fragmented Packet
Handling, the Ignore DF (Don't Fragment) Bit setting becomes active.
• Enable NAT Traversal - Select this setting is a NAT device is located between your VPN
endpoints. IPsec VPNs protect traffic exchanged between authenticated endpoints, but
authenticated endpoints cannot be dynamically re-mapped mid-session for NAT traversal
to work. Therefore, to preserve a dynamic NAT binding for the life of an IPsec session, a 1-
byte UDP is designated as a “NAT Traversal keepalive” and acts as a “heartbeat” sent by
the VPN device behind the NAT or NAPT device. The “keepalive” is silently discarded by
the IPsec peer.
• Clean up Active Tunnels when Peer Gateway DNS names resolves to a different IP
address - Breaks down SAs associated with old IP addresses and reconnects to the peer
gateway.
• Preserve IKE Port for Pass-Through Connections - Preserves UDP 500/4500 source
port and IP address information for pass-through VPN connections.
• Enable OCSP Checking and OCSP Responder URL - Enables use of Online Certificate
Status Protocol (OCSP) to check VPN certificate status and specifies the URL where to
check certificate status. See
Using OCSP with SonicWALL Security Appliances.
• Send IKEv2 Cookie Notify - Sends cookies to IKEv2 peers as an authentication tool.
• Use RADIUS in - When using RADUIS to authenticate VPN client users, RADIUS will be
used in its MSCHAP (or MSCHAPv2) mode. The primary reason for choosing to do this
would be so that VPN client users can make use of the MSCHAP feature to allow them to
change expired passwords at login time.
Also if this is set and LDAP is selected as the Authentication method for login on the
Users > Settings page, but LDAP is not configured in a way that will allow password
updates, then password updates for VPN client users will be done using MSCHAP-mode
RADIUS after using LDAP to authenticate the user.
Note Password updates can only be done by LDAP when using Active Directory with TLS
and binding to it using an administrative account, or when using Novell eDirectory.