IPSec Settings

When IPSec VPN is used, additional settings are needed. You can make settings for the blacklist function, NAT-T and various log events.

Blacklisting

When a road warrior disconnects, its IP address will be blacklisted for a while. Here, you specify the time interval for the blacklisting and what to do with the blocked packets.

You can read more about blacklisting in the IPsec Peers section.

Blacklist interval

Specify the time interval (in minutes) for the blacklisting of an IP address.

Policy for packets from blacklisted IP addresses

When an IP address is blacklisted, all packets to and from this address (except for new tunnel negotiations) are blocked. Here, you specify whether they should be rejected or discarded. Discard IP packets means that the firewall silently drops the packets, without telling the sender that they did not arrive. Reject IP packets means that the firewall drops the packets and replies with an ICMP packet telling the sender that the packet did not arrive.

NAT Traversal (NAT-T)

Ingate Firewall supports IPSec NAT-T as defined in the Internet-Drafts ietf-ipsec-nat-t-ike and ietf-ipsec-udp-encaps.

NAT-T means that IPSec uses UDP ports 500 and 4500, instead of UDP port 500 and the ESP protocol. This makes it possible for NAT-T capable IPSec peers to connect to Ingate Firewall even if they are located behind a non-IPSec-aware NAT device. It also makes it possible for Ingate Firewall to connect to NAT-T capable peers if it is itself located behind such a NAT device. This also means that the firewall's UDP ports 500 and 4500 are reserved for NAT-T and cannot be used for anything else.

When the firewall is located behind a NAT device, it sends keep alive packets to maintain the connection. You can also force it to send keep alive packets for all NAT-T connections.

Keep alive interval

Enter the time interval (in seconds) the firewall should use when sending keep alive packets.

Force keep alive

You can force the firewall to send keep alive packets for all NAT-T connections, not just when it itself is located behind a NAT device. Select here if this function should be On or Off.
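The following simulation is an added example and is not Ingate code: it shows why the keep alive interval matters when the firewall is behind a NAT device, and what the Force keep alive setting changes. The NAT model (a UDP mapping that survives only while outbound traffic refreshes it within a binding timeout), the peer names, the timeouts and the function names are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class NatDevice:
    """Toy NAT device (assumption for this example): a UDP mapping stays alive
    only while outbound packets keep refreshing it within binding_timeout seconds."""
    binding_timeout: int
    last_refresh: dict = field(default_factory=dict)

    def create_mapping(self, key, now):
        self.last_refresh[key] = now

    def outbound(self, key, now):
        """Record an outbound packet. Returns True if the existing mapping was still
        alive and got refreshed, False if it had already expired, in which case the
        NAT creates a new mapping (possibly with a different external port)."""
        last = self.last_refresh.get(key)
        alive = last is not None and (now - last) < self.binding_timeout
        self.last_refresh[key] = now
        return alive


@dataclass
class NatTTunnel:
    peer: str
    behind_nat: bool            # is this firewall behind a NAT device towards the peer?
    last_keepalive: int = 0
    keepalives_sent: int = 0
    mapping_lost: bool = False  # did the NAT mapping expire between two keep alives?


def should_send_keepalive(tunnel, now, interval, force):
    """The rule from the page: keep alives are sent when the firewall is behind a
    NAT device, or for every NAT-T connection when 'Force keep alive' is On."""
    if not (tunnel.behind_nat or force):
        return False
    return now - tunnel.last_keepalive >= interval


def simulate(tunnels, interval, force, nat_timeout, duration=300):
    """Advance time one second at a time with no data traffic on the tunnels,
    so only keep alive packets can refresh the NAT mapping."""
    nat = NatDevice(nat_timeout)
    for t in tunnels:
        if t.behind_nat:
            nat.create_mapping(t.peer, 0)  # IKE over UDP 500/4500 set the mapping up at t=0
    for now in range(1, duration + 1):
        for t in tunnels:
            if should_send_keepalive(t, now, interval, force):
                t.last_keepalive = now
                t.keepalives_sent += 1
                if t.behind_nat and not nat.outbound(t.peer, now):
                    t.mapping_lost = True
    return {t.peer: {"keepalives": t.keepalives_sent,
                     "mapping_lost": t.mapping_lost if t.behind_nat else None}
            for t in tunnels}


def make_tunnels():
    # Constructed sample: one tunnel where the firewall sits behind a NAT device, one where it does not.
    return [NatTTunnel("peer-a", behind_nat=True), NatTTunnel("peer-b", behind_nat=False)]


if __name__ == "__main__":
    print(simulate(make_tunnels(), interval=20, force=False, nat_timeout=30))
    print(simulate(make_tunnels(), interval=60, force=False, nat_timeout=30))
    print(simulate(make_tunnels(), interval=20, force=True, nat_timeout=30))
```

With a keep alive interval shorter than the NAT device's binding timeout the mapping survives an idle tunnel; with a longer interval the mapping silently expires between keep alives, so the interval has to be chosen below the timeout of the NAT device actually on the path. Force keep alive only changes which tunnels send keep alives, not the interval.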

Logging

Ingate Firewall generates log messages for different events and for the traffic that arrives at the firewall. By selecting proper log classes, you can instruct the firewall how it should handle these messages.

The same settings can also be found on the Logging Configuration page under Logging.

Log class for IPsec key negotiation

Here, you set the log class for new key negotiations for IPsec connections.

Log class for IKE and NAT-T packets

Here, you set the log class for the packets used for IKE key negotiations and for NAT-T packets. Since both kinds of packets arrive on the same ports on the firewall, both are logged using the same log class.

Log class for ESP packets

Specify what log class the firewall should use for encrypted packets (ESP packets to the firewall). Logging of encrypted packets will generate a lot of log events.

Log class for IPsec user authentications

Here, you set the log class for firewall messages about road warrior authentications via RADIUS and about road warrior disconnections.

Log class for packets to and from blacklisted IP addresses

Here, you set the log class for the packets that are rejected or discarded according to the blacklisting policy selected above.

Log class for blacklisting events

Here, you specify how the firewall should report the start and the end of each blacklisting period.
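The following model is an added example, not Ingate code, that ties the Blacklisting settings above (interval, discard versus reject policy, the exception for new tunnel negotiations) to the log classes that apply to blacklisted packets, IKE/NAT-T packets, ESP packets and blacklisting events. The class names, the firewall and peer addresses, and the way the log-class table is represented are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

IKE_PORT, NAT_T_PORT = 500, 4500          # UDP ports used by IKE and NAT-T
UDP_PROTO, ESP_PROTO, ICMP_PROTO = 17, 50, 1


class Policy(Enum):
    DISCARD = "discard"   # drop silently, no reply to the sender
    REJECT = "reject"     # drop and answer with an ICMP packet


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


class IpsecBlacklist:
    def __init__(self, interval_minutes, policy, firewall_ip, log_classes):
        self.interval = interval_minutes * 60   # the page's interval is given in minutes
        self.policy = policy
        self.fw = firewall_ip
        self.log_classes = log_classes           # assumed table: category -> log class or None (not logged)
        self.until = {}                          # blacklisted ip -> expiry time in seconds
        self.log = []                            # (log class, time, message)

    def _log(self, category, now, msg):
        cls = self.log_classes.get(category)
        if cls is not None:
            self.log.append((cls, now, msg))

    def road_warrior_disconnected(self, ip, now):
        """A road warrior that disconnects is blacklisted for the configured interval."""
        self.until[ip] = now + self.interval
        self._log("blacklist_events", now, f"blacklisting of {ip} started")

    def is_blacklisted(self, ip, now):
        expiry = self.until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.until[ip]
            self._log("blacklist_events", now, f"blacklisting of {ip} ended")
            return False
        return True

    @staticmethod
    def classify(pkt):
        if pkt.proto == UDP_PROTO and pkt.dport in (IKE_PORT, NAT_T_PORT):
            return "ike_nat_t"    # IKE and NAT-T share ports, so they share a log class
        if pkt.proto == ESP_PROTO:
            return "esp"
        return "other"

    def handle(self, pkt, now):
        """Return (verdict, reply packet or None) for a packet to or from the firewall."""
        kind = self.classify(pkt)
        remote = pkt.src if pkt.dst == self.fw else pkt.dst
        # New tunnel negotiations (IKE / NAT-T) are exempt from the blacklist.
        if kind != "ike_nat_t" and self.is_blacklisted(remote, now):
            self._log("blacklisted_packets", now, f"{self.policy.value} {pkt.src}->{pkt.dst}")
            if self.policy is Policy.REJECT:
                return "reject", Packet(self.fw, pkt.src, ICMP_PROTO)
            return "discard", None
        if kind != "other":
            self._log(kind, now, f"{kind} packet {pkt.src}->{pkt.dst}")
        return "accept", None


def demo(policy=Policy.REJECT):
    # Constructed sample configuration and traffic; log class names are assumptions.
    bl = IpsecBlacklist(interval_minutes=5, policy=policy, firewall_ip="203.0.113.1",
                        log_classes={"ike_nat_t": "Local", "esp": None,
                                     "blacklisted_packets": "Local", "blacklist_events": "Local"})
    bl.road_warrior_disconnected("198.51.100.7", now=0)
    esp_at_10 = bl.handle(Packet("198.51.100.7", "203.0.113.1", ESP_PROTO), now=10)
    ike_at_10 = bl.handle(Packet("198.51.100.7", "203.0.113.1", UDP_PROTO, NAT_T_PORT), now=10)
    esp_at_301 = bl.handle(Packet("198.51.100.7", "203.0.113.1", ESP_PROTO), now=301)
    return esp_at_10, ike_at_10, esp_at_301, bl.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that ESP packets are given no log class in the sample table, matching the page's warning that logging encrypted packets generates a lot of log events, while the comparatively rare blacklisting events and blocked packets are logged.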

Save

Saves the IPSec Settings configuration to the preliminary configuration.

Undo

Reverts all of the above fields to their previous configuration.