Chapter 6 IP security and VPN 187
Using the BayStack Instant Internet Management Software Version 7.11

This situation occurs because of a limitation of the IPsec protocol; however, there are several ways you can work around it:

• Maintain traffic in the tunnel in both directions on a relatively constant basis. This option is possible only when the dial-up connection can exist at all times. One way to maintain traffic is to send a ping command back and forth from each gateway's network to the other.
• Reduce the VPN connection timeout. By using shorter timeouts, you can bound the maximum amount of time required for the system to recover. Before you implement this solution, consider that substantial computational overhead is required, because every re-key repeats the negotiation. For example, an Instant Internet unit model 100 requires approximately 11 seconds to perform the phase 1 negotiation, so every time the primary tunnel is re-keyed, traffic is interrupted for that amount of time (on the model 400 unit this process requires approximately one second).
• Use a ping to monitor or control the tunnel (refer to "Using Pings" on page 173).

Tunnel timeouts

The Instant Internet unit's IPsec feature performs all communications across a Security Association (SA), also referred to as a tunnel. An SA is negotiated using Internet Key Exchange (IKE), which has two main types of negotiation, phase 1 and phase 2, and a timeout (specified by time or amount of data) is associated with each SA. When this timeout expires, the SA is no longer valid and a new one must be negotiated if needed. The phase 1 negotiation establishes an authenticated, encrypted channel between the gateways (the Instant Internet unit and the CES) but does not refer to any specific tunnel. When phase 1 is complete, additional SAs are negotiated using the phase 2 protocol, with the keys exchanged across the secure phase 1 channel. These SAs refer to specific network pairs.

Note: The phase 1 negotiation timeout is controlled on the CES with the Forced Logoff parameter, whereas a subnet tunnel is controlled by the re-key timeout.
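The first and second workarounds above can be combined in one small tool: a probe that keeps traffic flowing through the tunnel and, at the same time, records how long each gap in reachability lasts, so you can measure the worst-case recovery time instead of guessing it. The following script is an added example written for this page; it is not part of the Instant Internet software or Nortel documentation. It assumes a Linux-style `ping` (`-c`, `-W` in seconds), a hypothetical far-side address of 192.168.20.1, and the phase 1 negotiation times quoted above (11 s for the model 100, 1 s for the model 400) to judge whether a gap is consistent with a re-key or with a dropped dial-up link.

```python
"""Tunnel keepalive plus outage recorder for an IPsec SA over a dial-up link.

Added example (not vendor code). Assumes Linux ping flags and the phase 1
negotiation times quoted in the manual text above.
"""
import subprocess
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Approximate phase 1 negotiation cost per unit model, taken from the page text.
PHASE1_SECONDS = {"model 100": 11.0, "model 400": 1.0}


def icmp_probe(host: str, timeout_s: int = 2) -> bool:
    """Send one ICMP echo to a host on the far side of the tunnel.

    Linux ping flags are assumed (-c count, -W timeout in seconds).
    Returns True when a reply arrived, False otherwise.
    """
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


@dataclass
class Outage:
    start: float  # clock reading at the first failed probe
    end: float    # clock reading at the first successful probe afterwards

    @property
    def seconds(self) -> float:
        return self.end - self.start


@dataclass
class TunnelMonitor:
    """Probe the tunnel at a fixed interval and record every outage.

    `probe` and `clock` are injectable so the logic can be exercised
    without a network (the test below uses a scripted probe sequence).
    """
    probe: Callable[[], bool]
    interval: float = 5.0
    clock: Callable[[], float] = time.monotonic
    outages: List[Outage] = field(default_factory=list)
    down_since: Optional[float] = None
    probes_sent: int = 0

    def observe(self, reachable: bool) -> None:
        """Fold one probe result into the outage record."""
        now = self.clock()
        self.probes_sent += 1
        if not reachable and self.down_since is None:
            self.down_since = now            # outage begins
        elif reachable and self.down_since is not None:
            self.outages.append(Outage(self.down_since, now))  # outage ends
            self.down_since = None

    def run(self, probes: int, sleep: Callable[[float], None] = time.sleep) -> None:
        """Send `probes` probes, `interval` seconds apart; this is the keepalive traffic."""
        for _ in range(probes):
            self.observe(self.probe())
            sleep(self.interval)

    def max_outage(self) -> float:
        """Longest completed outage seen so far (0.0 if none)."""
        return max((o.seconds for o in self.outages), default=0.0)


def looks_like_rekey(outage_seconds: float, model: str, interval: float) -> bool:
    """True when an outage is short enough to be a phase 1 re-key on this model.

    A measured outage can overstate the real one by up to one probe interval,
    so the bound is negotiation time plus one interval. Anything longer points
    at the dial-up link dropping rather than at a re-key.
    """
    return outage_seconds <= PHASE1_SECONDS[model] + interval


if __name__ == "__main__":
    # Hypothetical far-side LAN address; adjust for your network.
    monitor = TunnelMonitor(probe=lambda: icmp_probe("192.168.20.1"), interval=5.0)
    monitor.run(probes=720)  # one hour of keepalive traffic at 5 s spacing
    for o in monitor.outages:
        verdict = "re-key" if looks_like_rekey(o.seconds, "model 100", 5.0) else "link loss"
        print(f"outage {o.seconds:.0f}s -> {verdict}")
    print(f"worst recovery time: {monitor.max_outage():.0f}s")
```

Run it from a host on one gateway's LAN against a host on the other; running a copy in each direction satisfies the "traffic in both directions" condition. The worst recovery time it reports is the figure to compare against the re-key timeout you choose, and outages that cluster at roughly the phase 1 negotiation time confirm that re-keying, not the dial-up link, is causing the interruptions.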