The following table describes the VPN connection attempt retries and the time interval between them. After giving up as listed below, the unit waits for "failure-retry-interval" and repeats the connection attempt sequence.

Table 3-19. VPN Connection Retry

Attempt#          Relative Timeout           Absolute Timeout
                  Between Attempts (secs)    From First Attempt (secs)
1                 0                          0
2 (1st retry)     4                          4
3 (2nd retry)     7                          11
4 (3rd retry)     13                         24
5 (4th retry)     23                         47
6 (5th retry)     42                         89
Give up           76                         165
Wait for "failure-retry-interval", then repeat the above sequence
During initial configuration, set failure-retry-interval to its lowest value of 1 min so that the Orbit attempts the connection more quickly. This makes it easier to debug any connection-related issue by watching the logs on the peer side, etc. Be sure to raise this value to 5 minutes or higher afterwards to prevent excessive connection attempts and traffic.
Commit configuration to save the changes.
% commit
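To make the retry timing concrete, the following Python script (added here as a worked example; it is not part of the manual or of Orbit firmware) encodes Table 3-19 and computes how many IKE connection attempts the unit makes per hour for a given failure-retry-interval, which is what the 1-minute-versus-5-minute advice above is about. It assumes failure-retry-interval is configured in whole minutes, as the text's "1 min" and "5 minutes" suggest, and that the interval starts at the "Give up" point of the sequence.

```python
"""Model of the Orbit VPN connection-retry schedule from Table 3-19.

Added example, not part of the MDS manual and not Orbit firmware code. Only the
table values printed in the manual are encoded here; that failure-retry-interval
is configured in whole minutes is an assumption taken from the surrounding text.
"""

# Relative delay (seconds) before each event in one attempt sequence, copied
# from Table 3-19: attempts 1..6, then the "Give up" step.
RELATIVE_TIMEOUTS = [0, 4, 7, 13, 23, 42, 76]


def absolute_timeouts(relative=RELATIVE_TIMEOUTS):
    """Cumulative offsets from the first attempt (the table's third column)."""
    out, t = [], 0
    for r in relative:
        t += r
        out.append(t)
    return out


def attempt_times(failure_retry_interval_min, horizon_s):
    """Timestamps (s) of every connection attempt within horizon_s.

    One sequence is six attempts followed by the give-up delay (165 s from the
    first attempt); the unit then waits failure-retry-interval (assumed to be
    configured in minutes) and starts the sequence again.
    """
    abs_t = absolute_timeouts()
    sequence_len = abs_t[-1]        # 165 s: first attempt -> give up
    attempt_offsets = abs_t[:-1]    # the six attempts, not the give-up step
    cycle = sequence_len + failure_retry_interval_min * 60
    times = []
    start = 0
    while start < horizon_s:
        for off in attempt_offsets:
            t = start + off
            if t < horizon_s:
                times.append(t)
        start += cycle
    return times


def attempts_per_hour(failure_retry_interval_min):
    """Number of IKE connection attempts in one hour while the peer stays down."""
    return len(attempt_times(failure_retry_interval_min, 3600))


if __name__ == "__main__":
    for minutes in (1, 5):
        print(f"failure-retry-interval {minutes} min: "
              f"{attempts_per_hour(minutes)} attempts/hour")
```

With the table values, a 1 minute interval yields 96 attempts per hour against an unreachable peer and a 5 minute interval 48, so the short interval doubles the IKE traffic (and the log noise on the peer) on what is often a metered cellular link; this is why it is only appropriate while debugging.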
The following shows the IKE policy configuration for the public-key encryption based authentication method:
1. Create the IKE policy with auth-method "public-key encryption".
% set services vpn ike policy IKE-POLICY-1 auth-method pub-key
2. Configure the Public Key Infrastructure (PKI) security credentials.
d. Certificate type: "rsa" if RSA public key encryption based certificates are being used.
e. Client certificate ID: the ID that was assigned to the client certificate obtained via SCEP or loaded manually (assumed to be ID-1).
f. Client private key ID: the ID that was assigned to the client private key generated during the SCEP procedure or loaded manually (assumed to be ID-1).
g. Certificate Authority (CA) certificate ID: the ID that was assigned to the CA certificate obtained via SCEP or loaded manually (assumed to be CA-1).
% set services vpn ike policy IKE-POLICY-1 pki cert-type rsa
% set services vpn ike policy IKE-POLICY-1 pki cert-id ID-1
% set services vpn ike policy IKE-POLICY-1 pki key-id ID-1
% set services vpn ike policy IKE-POLICY-1 pki ca-cert-id CA-1
Firewall Configuration
The VPN wizard automatically configures the firewall to allow incoming and outgoing IKE/IPsec traffic over the Cell/WAN interface. However, when the VPN is configured manually via the Services->VPN->Basic Config menu or via the CLI, the firewall must be configured manually as well:
1. Add the following rules to the IN_UNTRUSTED filter that is applied to the Cell interface in the incoming direction:
% set services firewall filter IN_UNTRUSTED rule 1 match protocol icmp
260    MDS Orbit MCR/ECR Technical Manual    MDS 05-6632A01, Rev. F