
VPN On Demand (10.7.2+)

The VPN “On Demand” start option is introduced in firmware version 10.7.2 and allows the Ecessa device to bring up a VPN when interesting traffic is seen. This is different than the VPN behavior in prior firmware versions which only acted as an “always on” VPN.

Here is an example of a site-to-site VPN:

vpn_example_diagram.png

The “always on” VPN will constantly monitor the VPN tunnel and if it detects the tunnel is down will attempt to re-initiate the tunnel to bring it back up. It does not matter if any LAN-to-LAN traffic is being passed between the VPN gateways at the time.

However, the On Demand option does not bring up the VPN tunnel immediately when the VPN Security Association is started/enabled, when the VPN service is enabled, or when the device is booted.

on_demand_running.png

Instead, the VPN will be in the “running” state and will listen for any interesting traffic - in this example, traffic between the local LAN of 192.168.1.0/24 and the remote LAN of 192.168.2.0/24. In the event such a packet is seen by the Ecessa device, it will immediately try to bring the tunnel up so that the encrypted traffic can flow.

on_demand_up.png

The VPN can also be brought up manually by selecting the VPN and clicking the Start button. If the primary WAN link is down, the device will fail over and build the tunnel over the secondary WAN instead.
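As an added illustration (not Ecessa's code), the following Python model captures the behaviour described above: an On Demand Security Association starts in the "running" state, moves to "up" only when a packet from the local LAN to the remote LAN is seen, and, with Dead Peer Clear enabled, drops back to "running" after the configured number of failed DPD tests, whereas an Always On SA is up from the start and re-initiates after a DPD failure. The subnets, the three-probe default, and the state names are assumptions made for the example.

```python
# Added example (not Ecessa code): a model of the On Demand vs Always On start option.
import ipaddress


class VpnSecurityAssociation:
    """One site-to-site SA. States: 'running' (no tunnel, listening for
    interesting traffic) and 'up' (tunnel established)."""

    def __init__(self, local_lan, remote_lan, on_demand=True, dpd_tests=3):
        self.local_net = ipaddress.ip_network(local_lan)
        self.remote_net = ipaddress.ip_network(remote_lan)
        self.on_demand = on_demand
        self.dpd_tests = dpd_tests   # assumed: failed probes before the peer is declared dead
        self.missed = 0
        self.state = "running"

    def start(self):
        # Always On negotiates right away; On Demand only starts listening.
        self.state = "running" if self.on_demand else "up"
        return self.state

    def is_interesting(self, src, dst):
        # Interesting traffic: a LAN-side packet from the local LAN to the remote LAN.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return s in self.local_net and d in self.remote_net

    def on_packet(self, src, dst):
        if self.state == "running" and self.is_interesting(src, dst):
            self.state = "up"        # bring the tunnel up so the flow can be encrypted
        return self.state

    def on_dpd_probe(self, peer_replied):
        if self.state != "up":
            return self.state
        if peer_replied:
            self.missed = 0
            return self.state
        self.missed += 1
        if self.missed >= self.dpd_tests:
            self.missed = 0
            # Dead Peer Clear tears the dead tunnel down. Always On re-initiates
            # at once; On Demand waits in 'running' for the next interesting packet.
            self.state = "running" if self.on_demand else "up"
        return self.state


if __name__ == "__main__":
    sa = VpnSecurityAssociation("192.168.1.0/24", "192.168.2.0/24")  # constructed subnets
    print(sa.start(), sa.on_packet("192.168.1.10", "192.168.2.20"))
```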

 

Why use On Demand instead of Always On?

On Demand is useful when building a VPN with a Cisco or other vendor's device that has connection timeouts, or when it is preferred that the VPN only be built when interesting traffic needs to pass.

 

When can On Demand be used?

 

                         Single local,   Multiple local,  Single local,    Multiple local,
                         single remote   single remote    multiple remote  multiple remote
                         WAN             WAN              WANs             WANs

On Demand
  Ecessa-Non Ecessa VPN  X               X
  Ecessa-Ecessa VPN      X

Always On
  Ecessa-Non Ecessa VPN  X
  Ecessa-Ecessa VPN      X               X                X                X



Can IKEv2 be used with On Demand?

Currently, On Demand can only be used with IKEv2 for single local, single remote WAN VPNs. IKEv1 is used for On Demand VPNs with multiple local WANs and single remote WAN. Always On VPNs support IKEv1 and IKEv2.

 

How is On Demand configured?

On the main VPN page

Confirm IPSec VPN Failover Testing is enabled:

vpn_failover_testing.png

 

On the VPN Security Association Basic page

 

Enable Dead Peer Clear under the Dead Peer Detection Options section. The DPD timeout and number of tests can be left at their defaults or changed to match the other side of the VPN.

dpd_clear.png

 

Enable On Demand under the Start Option section:

on_demand.png

 

 
