The VPN “On Demand” start option was introduced in firmware version 10.7.2 and allows the Ecessa device to bring up a VPN only when interesting traffic is seen. This differs from the VPN behavior in prior firmware versions, which only acted as an “always on” VPN.
Here is an example of a site-to-site VPN:
The “always on” VPN constantly monitors the VPN tunnel and, if it detects that the tunnel is down, attempts to re-initiate the tunnel to bring it back up. It does not matter whether any LAN-to-LAN traffic is being passed between the VPN gateways at the time.
With the On Demand option, however, the VPN tunnel is not brought up immediately when the VPN Security Association is started/enabled, when the VPN service is enabled, or when the device boots.
Instead, the VPN sits in the “running” state and listens for interesting traffic, which in this example is traffic between the local LAN 192.168.1.0/24 and the remote LAN 192.168.2.0/24. As soon as the Ecessa device sees such a packet, it tries to bring the tunnel up so that the traffic can flow encrypted.
The VPN can also be brought up manually by selecting the VPN and clicking the Start button. If the primary WAN link is down, the device will fail over and build the tunnel over the secondary WAN instead.
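The following Python model is an added illustration of the behavior described above; it is not Ecessa code and does not talk to an Ecessa device. It walks the example SA (local 192.168.1.0/24, remote 192.168.2.0/24) through the two start options: an Always On SA initiates as soon as it is started and re-initiates whenever Dead Peer Detection declares the peer dead, while an On Demand SA sits in the “running” state and initiates only when an outbound packet matches its traffic selector or the operator clicks Start, falling back to the next WAN link when the preferred one is down. The class and state names, the WAN-selection order and the assumption that Dead Peer Clear tears the SA down rather than re-initiating it are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class TrafficSelector:
    """Local LAN / remote LAN pair that defines the SA's interesting traffic."""

    def __init__(self, local_cidr: str, remote_cidr: str):
        self.local = ipaddress.ip_network(local_cidr)
        self.remote = ipaddress.ip_network(remote_cidr)

    def matches(self, src: str, dst: str) -> bool:
        # Only outbound LAN-to-LAN packets are seen in the clear by the local
        # gateway, so local -> remote is the direction that can trigger the tunnel.
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)


@dataclass
class VpnSa:
    """Model of one VPN Security Association (names assumed for this example)."""
    name: str
    selector: TrafficSelector
    start_option: str                 # "always_on" or "on_demand"
    wans: List[str]                   # local WAN links, preferred first
    wan_up: Dict[str, bool] = field(default_factory=dict)
    state: str = "stopped"            # "stopped", "running" (listening) or "up"
    active_wan: Optional[str] = None
    initiations: int = 0
    log: List[str] = field(default_factory=list)

    def _initiate(self, reason: str) -> bool:
        """Bring the tunnel up over the first WAN link that is not marked down."""
        for wan in self.wans:
            if self.wan_up.get(wan, True):
                self.state, self.active_wan = "up", wan
                self.initiations += 1
                self.log.append(f"{self.name}: tunnel up via {wan} ({reason})")
                return True
        self.state, self.active_wan = "running", None
        self.log.append(f"{self.name}: no WAN available, staying in running state")
        return False

    def start(self) -> bool:
        """SA enabled, VPN service enabled, or device booted."""
        if self.start_option == "always_on":
            return self._initiate("always on")
        self.state = "running"        # listen for interesting traffic only
        self.log.append(f"{self.name}: running, waiting for interesting traffic")
        return False

    def packet(self, src: str, dst: str) -> bool:
        """Return True if this outbound packet caused the tunnel to be initiated."""
        if self.state == "running" and self.selector.matches(src, dst):
            return self._initiate(f"interesting traffic {src} -> {dst}")
        return False

    def manual_start(self) -> bool:
        """Operator selects the VPN and clicks Start."""
        return self._initiate("manual Start")

    def dpd_failed(self) -> bool:
        """Dead Peer Detection has exhausted its tests without a reply."""
        if self.start_option == "always_on":
            return self._initiate("DPD re-initiate")
        # Dead Peer Clear (assumed semantics): tear the SA down and go back
        # to listening instead of re-initiating toward a peer that is gone.
        self.state, self.active_wan = "running", None
        self.log.append(f"{self.name}: DPD timeout, SA cleared, back to running")
        return False


def demo() -> VpnSa:
    """Walk the On Demand SA from the article's example through its states."""
    sel = TrafficSelector("192.168.1.0/24", "192.168.2.0/24")
    sa = VpnSa("site-b", sel, "on_demand", ["WAN1", "WAN2"])
    sa.start()                                  # running, tunnel not built
    sa.packet("192.168.1.10", "8.8.8.8")        # Internet-bound: ignored
    sa.packet("192.168.1.10", "192.168.2.20")   # interesting: tunnel up via WAN1
    sa.dpd_failed()                              # peer dead: SA cleared, no rebuild
    sa.wan_up["WAN1"] = False                    # primary WAN goes down
    sa.packet("192.168.1.10", "192.168.2.20")   # rebuilt over WAN2
    return sa


if __name__ == "__main__":
    print("\n".join(demo().log))
```

Running the block prints the state transitions for the On Demand SA. The point to notice is the reaction to a DPD failure: the Always On SA immediately dials the peer again, whereas the On Demand SA clears the SA and waits for the next matching packet, which is why the configuration steps later on this page pair On Demand with Dead Peer Clear.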
Why use On Demand instead of Always On?
On Demand is useful when building a VPN with a Cisco or other vendor's device that enforces connection timeouts, or when it is preferred that the VPN only be built when there is interesting traffic to pass.
When can On Demand be used?
| Start option | VPN type | Single local, single remote WAN | Multiple local, single remote WANs | Single local, multiple remote WANs | Multiple local, multiple remote WANs |
|---|---|---|---|---|---|
| On Demand | Ecessa to non-Ecessa VPN | X | X | | |
| On Demand | Ecessa to Ecessa VPN | X | | | |
| Always On | Ecessa to non-Ecessa VPN | X | | | |
| Always On | Ecessa to Ecessa VPN | X | X | X | X |
Can IKEv2 be used with On Demand?
Currently, On Demand supports IKEv2 only for single local, single remote WAN VPNs. On Demand VPNs with multiple local WANs and a single remote WAN use IKEv1. Always On VPNs support both IKEv1 and IKEv2.
How is On Demand configured?
On the main VPN page
Confirm IPSec VPN Failover Testing is enabled:
On the VPN Security Association Basic page
Enable Dead Peer Clear under the Dead Peer Detection Options section, so that when DPD declares the peer dead the Security Association is cleared and the VPN drops back to listening for interesting traffic. The DPD timeout and number of tests can be left at their defaults or changed to match the other side of the VPN.
Enable On Demand under the Start Option section.