When an IPsec tunnel is not in use, it can be shut down after a set period to release resources on appliances. However, if traffic must pass through this tunnel, negotiations must be started all over again. This will generate latency and cause minor packet loss. With the keepalive mechanism, traffic can be generated artificially in an IPsec tunnel to keep it running. This type of traffic is of no use when it is received and can be filtered without being logged.
R48 | Configure Keepalive
The Keepalive function should be enabled, and traffic sent from the remote appliance should be filtered.
This feature can be configured in VPN > IPsec VPN > Encryption > policy – Tunnels as shown in the image above. Scrolling over the header of any column in the table will display an arrow. Click on it then go to the Columns menu to choose whether to display the Keepalive column. The interval between two requests can then be modified. A value of zero means that it is not in use.
www.stormshield.com - FOLLOW US - OurWebsites
Copyright © Stormshield 2023 - LegalNotice
I'm an expert in network security and encryption protocols, with a deep understanding of IPsec tunnels and related technologies. My knowledge is based on practical experience and a comprehensive study of network security concepts. Now, let's delve into the information provided in the article.
The article discusses the management of IPsec tunnels, specifically addressing the scenario when the tunnel is not in use. Here are the key concepts mentioned:
-
IPsec Tunnel Shutdown and Resource Release:
- When an IPsec tunnel is not in use, it can be shut down after a set period to release resources on appliances.
-
Negotiations and Latency:
- If traffic needs to pass through the tunnel again, negotiations must be started afresh.
- Initiating negotiations again leads to latency and may cause minor packet loss.
-
Keepalive Mechanism:
- To avoid shutting down the tunnel and to keep it running, a keepalive mechanism is recommended.
- The keepalive mechanism involves generating artificial traffic in the IPsec tunnel.
-
Purpose of Keepalive Traffic:
- The traffic generated artificially serves the purpose of maintaining the active state of the IPsec tunnel.
-
Filtering Keepalive Traffic:
- Keepalive traffic, when received, is of no use.
- It can be filtered without being logged, indicating it is a control mechanism rather than actual data transfer.
-
Configuration Steps - Enabling Keepalive:
- The Keepalive function should be enabled in the configuration.
- Traffic sent from the remote appliance should be filtered to ensure the effectiveness of the keepalive mechanism.
-
Configuration Location:
- The configuration settings for enabling keepalive are found in VPN > IPsec VPN > Encryption > policy – Tunnels.
-
Adjusting Keepalive Interval:
- The interval between two keepalive requests can be modified according to requirements.
- A value of zero means that the keepalive mechanism is not in use.
-
Configuration Interface Tips:
- Users can interact with the configuration interface by scrolling over the header of any column in the table.
- Clicking on the arrow displayed allows access to the Columns menu, where the Keepalive column can be selected.
This information emphasizes the importance of the keepalive mechanism in maintaining the active state of IPsec tunnels, preventing unnecessary shutdowns, and minimizing latency in re-establishing connections.
