224 Chapter 13 VPN
NN47922-500

Table 56 describes the fields in Figure 72.

Table 56 VPN Branch Office rule setup

Label: Description

Connection Type: Select Branch Office to manually configure a VPN rule. Select Contivity Client to use a simple VPN rule that lets you define and store connection information for accessing your corporate network through a VPN switch. You can only configure one Contivity client rule. If you want to set the Contivity Client rule to active, you must set all other VPN rules to inactive.

Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied.

Nailed Up: Select this check box to turn on the nailed up feature for this SA. Turn on nailed up to have the Business Secure Router automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The Business Secure Router also reinitiates the SA when it restarts.

NAT Traversal: Select this check box to enable NAT traversal. With NAT traversal, you can set up a VPN connection when there are NAT routers between the two VPN switches. The remote VPN switch must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol. In order for a VPN switch behind a NAT router to receive an initiating IPSec packet, set the NAT router to forward UDP port 500 to the VPN switch behind the NAT router.

Name: Type a name to identify this VPN policy. You can use any character, including spaces, but the Business Secure Router drops trailing spaces.

Key Management: Your Business Secure Router uses IKE (ISAKMP) key management in order to set up a VPN.

Negotiation Mode: Select Main for identity protection. Select Aggressive to allow more incoming connections from dynamic IP addresses to use separate passwords. Multiple SAs connecting through a VPN switch must have the same negotiation mode.

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list. Tunnel is compatible with NAT, Transport is not.
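
Why the NAT Traversal row excludes AH, shown as an added example that is not part of the original manual: the AH integrity check covers the outer IP addresses that a NAT router rewrites, while the ESP check does not. The packet layout is a simplified model, and the key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-sa-integrity-key"  # constructed sample key, not from the manual


def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (length, id and checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv(header, payload):
    """AH (RFC 4302) authenticates the IP header as well as the payload.
    Mutable fields (TOS, flags/fragment offset, TTL, checksum) are zeroed
    before hashing; the source and destination addresses are not."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:16]


def esp_icv(esp_packet):
    """ESP (RFC 4303) authenticates only its own header and payload."""
    return hmac.new(KEY, esp_packet, hashlib.sha256).digest()[:16]


def nat_rewrite(header, new_src):
    """What a NAT router does to the outer header: replace the source address."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]


def survives_nat(proto):
    """True if the receiver's integrity check still passes after NAT."""
    body = struct.pack("!II", 0x1000, 1) + b"constructed payload"  # SPI, seq, data
    hdr = ip_header("192.168.1.10", "203.0.113.5", 51 if proto == "AH" else 50)
    sent = ah_icv(hdr, body) if proto == "AH" else esp_icv(body)
    natted = nat_rewrite(hdr, "198.51.100.7")
    recv = ah_icv(natted, body) if proto == "AH" else esp_icv(body)
    return hmac.compare_digest(sent, recv)


if __name__ == "__main__":
    for proto in ("ESP", "AH"):
        print(proto, "passes integrity check after NAT:", survives_nat(proto))
```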