D-Link DFL-260E User Manual for DFL-260E - Page 455
IKE Max CA Path, IPsec Cert Cache Max Certs, IPsec Gateway Name Cache Time, DPD Metric, DPD Keep Time
9.4.6. IPsec Advanced Settings    Chapter 9. VPN

Default: 86400 seconds

IKE Max CA Path

When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will be verified until one that has been marked as "trusted" is found, or until it is determined that none of the certificates are trusted. If there are more certificates in this path than this setting specifies, the user certificate will be considered invalid.

Default: 15

IPsec Cert Cache Max Certs

Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the certificate cache is full, entries will be removed according to an LRU (Least Recently Used) algorithm.

Default: 1024

IPsec Gateway Name Cache Time

Length of time in milliseconds to keep an IPsec tunnel open when the remote DNS name fails to resolve.

Default: 14400

DPD Metric

The amount of time in tens of seconds that the peer is considered to be alive (reachable) since the last received IKE message. This means that no DPD messages for checking the aliveness of the peer will be sent during this time, even though no packets from the peer have been received during this time. In other words, it is the amount of time in tens of seconds that a tunnel is without traffic or any other sign of life before the peer is considered dead.

If DPD is due to be triggered but other evidence of life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no DPD-R-U-THERE messages will be sent. For example, if the other side of the tunnel has not sent any ESP packets for a long period but at least one IKE packet has been seen within the last (10 x the configured value) seconds, then NetDefendOS will not send more DPD-R-U-THERE messages to the other side.

Default: 3 (in other words, 3 x 10 = 30 seconds)

DPD Keep Time

The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate the tunnel or send DPD messages to the peer. However, the peer will no longer be considered dead as soon as a packet from it is received.

A more detailed explanation of this setting is that it is the amount of time in tens of seconds that an SA will remain in the dead cache after a delete. An SA is put in the dead cache when the other side
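A small model of the DPD Metric and DPD Keep Time timing described above, added here as an illustration and not NetDefendOS code; the keep-time value of 2 and the event timestamps are constructed for the walkthrough.

```python
# Model of the DPD Metric / DPD Keep Time timing described on this page.
# Added illustration, not NetDefendOS code. Settings are in tens of seconds,
# timestamps in seconds; keep-time value and event times are constructed.

class DpdPeerTracker:
    def __init__(self, dpd_metric=3, dpd_keep_time=2):
        self.metric_s = dpd_metric * 10    # page default 3 -> 30 s
        self.keep_s = dpd_keep_time * 10   # constructed value -> 20 s
        self.last_seen = None              # last IKE message from the peer
        self.dead_since = None             # when the SA entered the dead cache

    def saw_ike_packet(self, now):
        """Any packet from the peer is a sign of life and clears dead state."""
        self.last_seen = now
        self.dead_since = None

    def should_send_dpd(self, now):
        """DPD-R-U-THERE only after 10 x metric s without life, never to a dead peer."""
        if self.dead_since is not None:
            return False
        return self.last_seen is None or now - self.last_seen >= self.metric_s

    def mark_dead(self, now):
        """DPD failed, SA deleted: the peer goes into the dead cache."""
        self.dead_since = now

    def may_renegotiate(self, now):
        """No re-negotiation for 10 x keep_time seconds after the delete."""
        if self.dead_since is None:
            return True
        if now - self.dead_since >= self.keep_s:
            self.dead_since = None         # keep time has elapsed
            return True
        return False

def run_scenario():
    """Walk one tunnel through the timers and return the decisions taken."""
    t = DpdPeerTracker(dpd_metric=3, dpd_keep_time=2)
    out = {}
    t.saw_ike_packet(0)
    out["dpd@20"] = t.should_send_dpd(20)      # 20 s idle: no DPD yet
    t.saw_ike_packet(25)                       # IKE packet resets the timer
    out["dpd@45"] = t.should_send_dpd(45)      # only 20 s since 25: no DPD
    out["dpd@55"] = t.should_send_dpd(55)      # 30 s since 25: send R-U-THERE
    t.mark_dead(60)                            # no reply: SA deleted
    out["renego@70"] = t.may_renegotiate(70)   # still in dead cache (< 20 s)
    out["dpd@70"] = t.should_send_dpd(70)      # no DPD to a dead peer
    t.saw_ike_packet(75)                       # any packet from the peer revives it
    out["renego@76"] = t.may_renegotiate(76)
    return out
```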