D-Link DFL-260E User Manual page 428
Network security firewall netdefendos version 2.27.03
Hide thumbs
Also See for DFL-260E:
- Reference manual (948 pages) ,
- Log reference manual (652 pages) ,
- User manual (589 pages)
Table of Contents
Advertisement
9.4.6. IPsec Advanced Settings
Chapter 9. VPN
Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum
tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If
it is desirable to have less memory allocated for IPsec then this setting can be reduced. Increasing
the setting cannot override the license limit.
A warning log message is generated automatically when 90% of this setting's value is reached.
Default: The limit specified by the license
IKE Send Initial Contact
Determines whether or not IKE should send the "Initial Contact" notification message. This message
is sent to each remote endpoint when a connection is opened to it and there are no previous IPsec
SA using that gateway.
Default: Enabled
IKE Send CRLs
Dictates whether or not CRLs (Certificate Revocation Lists) should be sent as part of the IKE
exchange. Should typically be set to ENABLE except where the remote peer does not understand
CRL payloads.
Note that this setting requires a restart to take effect.
Default: Enabled
IPsec Before Rules
Pass IKE and IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without
consulting the rule set.
Default: Enabled
IKE CRL Validity Time
A CRL contains a "next update" field that dictates the time and date when a new CRL will be
available for download from the CA. The time between CRL updates can be anything from a few
hours and upwards, depending on how the CA is configured. Most CA software allow the CA
administrator to issue new CRLs at any time, so even if the "next update" field says that a new CRL
is available in 12 hours, there may already be a new CRL for download.
This setting limits the time a CRL is considered valid. A new CRL is downloaded when
IKECRLVailityTime expires or when the "next update" time occurs. Whichever happens first.
Default: 86400 seconds
IKE Max CA Path
When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in
the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in
turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will
be verified until one that has been marked as "trusted" is found, or until it is determined that none of
the certificates are trusted.
If there are more certificates in this path than what this setting specifies, the user certificate will be
considered invalid.
Default: 15
428
- Quick Links:
- The Web Interface
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
