Ipsec Settings - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

13.13. IPsec Settings

IKESendInitialContact
Determines whether or not IKE should send the "Initial Contact" notification message. This message
is sent to each remote gateway when a connection is opened to it and there is no previous IPsec SA
using that gateway.
Default: Enabled
IKESendCRLs
Dictates whether or not CRLs (Certificate Revocation Lists) should be sent as part of the IKE
exchange. Should typically be set to ENABLE except where the remote peer does not understand CRL
payloads.
Default: Enabled
IKECRLValidityTime
A CRL contains a "next update" field that dictates the time and date when a new CRL will be
available for download from the CA. The time between CRL updates can be anything from a few hours
and upwards, depending on how the CA is configured. Most CA software allows the CA administrator
to issue new CRLs at any time, so even if the "next update" field says that a new CRL is available
in 12 hours, there may already be a new CRL for download.
This setting limits the time a CRL is considered valid. A new CRL is downloaded when
IKECRLValidityTime expires or when the "next update" time occurs, whichever happens first.
Default: 90000
IKEMaxCAPath
When the signature of a user certificate is verified, NetDefendOS looks at the 'issuer name' field in
the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in
turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will
be verified until one that has been marked trusted is found, or until it is determined that none of the
certificates were trusted.
If there are more certificates in this path than what this setting specifies, the user certificate will be
considered invalid.
Default: 15
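The path walk described for IKEMaxCAPath can be sketched as follows. This is an added example, not NetDefendOS code: certificates are reduced to subject/issuer pairs, signature checks are assumed to have passed, the loop and self-signed checks are extra safeguards, and all names and sample certificates are constructed.

```python
# Added illustration: models only the issuer-path walk, not signature checks.
# Certificates are (subject, issuer) pairs; all sample data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def validate_path(user_cert, known_certs, trusted_subjects, max_ca_path=15):
    """Follow issuer links from user_cert until a trusted certificate is found.

    Returns (ok, reason, path). Assumption: the path length counts every
    certificate from the user certificate up to and including the trusted one.
    """
    by_subject = {c.subject: c for c in known_certs}
    path = [user_cert]
    current = user_cert
    while current.subject not in trusted_subjects:
        if current.issuer == current.subject:
            return False, "untrusted self-signed root", path
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return False, "issuer certificate not found", path
        if issuer in path:  # guard against certificates that issue each other
            return False, "issuer loop", path
        path.append(issuer)
        if len(path) > max_ca_path:
            return False, "path longer than IKEMaxCAPath", path
        current = issuer
    return True, "trusted certificate reached", path

# Constructed three-certificate hierarchy: user -> intermediate CA -> root CA.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTER = Cert("CN=Example VPN CA", "CN=Example Root CA")
USER = Cert("CN=roaming-client", "CN=Example VPN CA")
KNOWN = [ROOT, INTER]
TRUSTED = {"CN=Example Root CA"}

if __name__ == "__main__":
    for limit in (15, 2):
        ok, reason, path = validate_path(USER, KNOWN, TRUSTED, max_ca_path=limit)
        print(limit, ok, reason, [c.subject for c in path])
```

With the sample hierarchy, the default limit of 15 accepts the three-certificate path, while a limit of 2 rejects the same certificate before the trusted root is reached.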
IPsecCertCacheMaxCerts
Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default: 1024
IPsecBeforeRules
Pass IKE & IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without
consulting the rule-set.
Default: Enabled
Chapter 13. Advanced Settings
