13-8 VPN Screens                                                  317517-A Rev 00

13.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the Contivity 221 automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see section 13.14 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on" connection after you initiate it. Both VPN switches must have a Contivity 221-compatible keep alive feature enabled in order for this feature to work.

If the Contivity 221 has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Contivity 221, because the Contivity 221 never drops the tunnels that are already connected. Your Contivity 221 model can support 5 simultaneous IPSec SAs.

Whether or not keep alive is set, when there is outbound traffic with no inbound traffic, the Contivity 221 automatically drops the tunnel after two minutes.

13.7 NAT Traversal

NAT traversal allows you to set up a VPN connection when there are NAT routers between the two VPN switches.

Figure 13-3 NAT Router Between VPN Switches

Normally you cannot set up a VPN connection with a NAT router between the two VPN switches, because the NAT router changes the header of the IPSec packet. In the previous figure, VPN switch A sends an IPSec packet in an attempt to initiate a VPN. The NAT router changes the IPSec packet's header so that it no longer matches the header for which VPN switch B is checking. Therefore, VPN switch B does not respond and the VPN connection cannot be built.

NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header but leaves the encapsulated IPSec packet unchanged. VPN switch B checks the UDP port 500 header and responds, and VPN switches A and B build a VPN connection.
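The following is an added illustration of the reasoning above, not code from the Contivity 221 or its manual. It is a deliberately simplified model: the "IPSec packet" is a dictionary whose integrity tag covers its address header, the NAT router rewrites only the outermost source address, and the shared key, addresses and port-500 check are constructed assumptions. It shows why the bare packet fails switch B's check after NAT and why the same packet passes once a UDP header is wrapped around it.

```python
"""Constructed model of NAT breaking plain IPsec versus NAT traversal."""
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # assumption: both VPN switches hold this key
NAT_T_PORT = 500                      # UDP port the manual says NAT traversal adds


def ipsec_packet(src, dst, payload):
    """Build a packet whose integrity tag covers the src/dst header fields."""
    header = f"{src}>{dst}".encode()
    tag = hmac.new(KEY, header + payload, hashlib.sha256).hexdigest()
    return {"src": src, "dst": dst, "payload": payload, "tag": tag}


def switch_b_accepts(pkt):
    """Switch B recomputes the tag over the header it sees; any rewrite fails."""
    header = f"{pkt['src']}>{pkt['dst']}".encode()
    expected = hmac.new(KEY, header + pkt["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkt["tag"])


def nat_router(pkt, public_ip):
    """A NAT router rewrites the outermost source address and nothing inside."""
    out = dict(pkt)
    out["src"] = public_ip
    return out


def udp_encapsulate(inner, src, dst, port=NAT_T_PORT):
    """Wrap the IPsec packet in an outer header that carries the UDP port."""
    return {"src": src, "dst": dst, "udp_port": port, "payload": inner}


def switch_b_accepts_nat_t(outer):
    """With NAT traversal, switch B checks the UDP header, then the inner packet."""
    return outer.get("udp_port") == NAT_T_PORT and switch_b_accepts(outer["payload"])


def demo():
    """Return (accepted without NAT-T, accepted with NAT-T) for one NAT hop."""
    inner = ipsec_packet("192.168.1.10", "203.0.113.5", b"IKE initiate")
    plain_after_nat = nat_router(inner, "198.51.100.7")
    without_nat_t = switch_b_accepts(plain_after_nat)     # header changed -> False
    wrapped = udp_encapsulate(inner, "192.168.1.10", "203.0.113.5")
    wrapped_after_nat = nat_router(wrapped, "198.51.100.7")
    with_nat_t = switch_b_accepts_nat_t(wrapped_after_nat)  # inner intact -> True
    return without_nat_t, with_nat_t
```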