D-Link NetDefend DFL-210 User Manual page 381

9.4.6. IPsec Advanced Settings
Chapter 9. VPN
When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in
the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in
turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will
be verified until one that has been marked as "trusted" is found, or until it is determined that none of
the certificates are trusted.
If there are more certificates in this path than what this setting specifies, the user certificate will be
considered invalid.
Default: 15
IPsec Cert Cache Max Certs
Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default: 1024
IPsec Gateway Name Cache Time
Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default: 1024
DPD Metric
The amount of time in tens of seconds that the peer is considered to be alive (reachable) since the
last received IKE message. This means that no DPD messages for checking aliveness of the peer
will be sent during this time even though no packets from the peer have been received during this
time.
In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other
sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of
life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no
DPD-R-U-THERE messages will be sent.
For example, if the other side of the tunnel has not sent any ESP packets for a long period but at
least one IKE-packet has been seen within the last (10 x the configured value) seconds, then
NetDefendOS will not send more DPD-R-U-THERE messages to the other side.
Default: 3 (in other words, 3 x 10 = 30 seconds)
DPD Keep Time
The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has
detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate the
tunnel or send DPD messages to the peer. However, the peer will not be considered dead any more
as soon as a packet from it is received.
A more detailed explanation for this setting is that it is the amount of time in tens of seconds that an
SA will remain in the dead cache after a delete. An SA is put in the dead cache when the other side
of the tunnel has not responded to DPD-R-U-THERE messages for DPD Expire Time x 10 seconds
and there is no other evidence of life. When the SA is placed in the dead cache, NetDefendOS will
not try to re-negotiate the tunnel. If traffic that is associated with the SA that is in the dead cache is
received, the SA will be removed from the dead cache. DPD will not trigger if the SA is already
cached as dead.
381