adiinfo
join:2005-11-02 Switzerland
reply to adiinfo, Re: VPN reconnect

Ok, first of all, thanks for the detailed discussion of the Zyxel VPN reconnect behavior. Also, I did not mention that I was talking about dynamic VPN tunnels, so all run over one dynamic profile (one fixed IP at the ZyWall 50, everything dynamic at the peers).

A while ago, we did some testing on a ZyWall 35, firmware 3.6x, and found the results to be somewhat inconsistent. Overall, the results were not really better, just different. So we decided to stay with the factory settings for the 3 timers. I do not say it's not possible to get better results; we might not have tried hard enough.

But in my opinion the main question remains: why does the ZyWall not drop a dynamic VPN tunnel when a new request from a peer comes in? When the ZyWall is able to determine that a tunnel from a specific peer already exists, why not drop it and let it be rebuilt by the peer site? As a dynamic VPN tunnel can only be built by the peer site, no harm can be done in dropping it.

Andrej
DavidJWood Premium
join:2001-10-12 UK

Defining the x in 3.6x when talking about VPNs on the Z35 is important - the VPN code went through a significant redesign for 3.64. If your previous experiments were with 3.62 or 3.63, it's worth testing again with 4.00 (which also has the new VPN code).

David
maxusa Premium
join:2004-05-05 USA
reply to adiinfo

The reason for not dropping a dynamic tunnel appears to be that there is no way of knowing a priori whether this is the same or a different node/user calling. Suppose several users in the same remote site are trying IPsec pass-through. During the initial IPsec negotiation, it is very difficult/risky to make a determination to drop something else. Besides this and the obvious complexity, there might be other reasons.

In theory, the 2 timers, nailed-up/keepAlive and chk_peer, shall provide the solution. As we know, however, technology does not always work as expected.
maxusa Premium
join:2004-05-05 USA
reply to adiinfo

Have you tried to move IPsec tunnels to their own rules/policies? Much better control and troubleshooting. Made our lives easier.
adiinfo
join:2005-11-02 Switzerland

How?

To my knowledge, the concept for dynamic VPN with Zyxel is to make one policy with a remote network of 0.0.0.0. So all dynamic VPNs connect on this one policy with 0.0.0.0.

We do not want to use DDNS or buy static addresses at the peer sites.

Andrej
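As an added illustration that is not from any poster in this thread and does not use Zyxel's own configuration syntax, here is how the single "remote network 0.0.0.0" dynamic policy and the keepalive / peer-check timers discussed above are expressed in strongSwan's ipsec.conf format. The hub address 203.0.113.1 and the two subnets are made-up documentation-range values; the connection name dynamic-peers is likewise an assumption.

```ini
# Added example (not the thread's or Zyxel's configuration): a responder
# policy that accepts IPsec peers from any address, the equivalent of the
# one 0.0.0.0 dynamic policy described above.
# Assumed values: hub address 203.0.113.1, hub LAN 192.168.1.0/24,
# remote LAN 192.168.10.0/24 (documentation ranges, not a real site).

config setup
    # When a peer presenting the same IKE identity reconnects, tear down
    # the old SA and accept the new one instead of keeping both. This is
    # the "drop it and let the peer rebuild it" behaviour asked about
    # above. "no" keeps both SAs; the default "yes" replaces as well.
    uniqueids=replace

conn dynamic-peers
    keyexchange=ikev1
    authby=secret
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    # %any: the remote address is learned from whichever peer initiates,
    # so the hub side never initiates and cannot nail the tunnel up itself.
    right=%any
    rightsubnet=192.168.10.0/24
    # Dead peer detection plays the "chk_peer" role: probe every 30 s and,
    # if a peer stays silent for 120 s, clear its SAs so a later reconnect
    # is not blocked by a stale tunnel.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    # add: load the policy and wait for the peer to initiate, since a
    # dynamic tunnel can only be built from the peer side.
    auto=add
```

Two caveats matter for the question raised in the thread. First, "replace" decides sameness by the peer's IKE identity, not its source address; if several remote users share one identity (the pass-through case maxusa describes), a new connection from one of them will knock the other off, which is exactly the risk of dropping on a new request. Giving each peer its own identity and pre-shared key, or a certificate, avoids that ambiguity. Second, with IKEv1 a single conn can carry only one rightsubnet, so sites with different remote LANs need one conn entry each, distinguished by rightid; that is the "own rules/policies per tunnel" arrangement suggested above.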
maxusa Premium
join:2004-05-05 USA

Why not use DDNS?