D-Link DFL-860E User Manual for DFL-260E - Page 454
IPsec Max Tunnels, IKE Send Initial Contact, IKE Send CRLs, IPsec Before Rules, IKE CRL Validity Time
View all D-Link DFL-860E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 454 highlights
9.4.6. IPsec Advanced Settings Chapter 9. VPN This specifies the total number of IP rules that can be connected to IPsec tunnels. By default this is initially approximately 4 times the licensed IPsecMaxTunnels and system memory for this is allocated at startup. By reducing the number of rules, memory requirements can be reduced but making this change is not recommended. IPsec Max Rules will always be reset automatically to be approximately 4 times IPsec Max Tunnels if the latter is changed. This linkage is broken once IPsec Max Rules is altered manually so that subsequent changes to IPsec Max Tunnels will not cause an automatic change in IPsec Max Rules. Default: 4 times the license limit of IPsec Max Tunnels IPsec Max Tunnels Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If it is desirable to have less memory allocated for IPsec then this setting can be reduced. Increasing the setting cannot override the license limit. A warning log message is generated automatically when 90% of this setting's value is reached. Default: The limit specified by the license IKE Send Initial Contact Determines whether or not IKE should send the "Initial Contact" notification message. This message is sent to each remote endpoint when a connection is opened to it and there are no previous IPsec SA using that gateway. Default: Enabled IKE Send CRLs Dictates whether or not CRLs (Certificate Revocation Lists) should be sent as part of the IKE exchange. Should typically be set to ENABLE except where the remote peer does not understand CRL payloads. Note that this setting requires a restart to take effect. Default: Enabled IPsec Before Rules Pass IKE and IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without consulting the rule set. Default: Enabled IKE CRL Validity Time A CRL contains a "next update" field that dictates the time and date when a new CRL will be available for download from the CA. The time between CRL updates can be anything from a few hours and upwards, depending on how the CA is configured. Most CA software allow the CA administrator to issue new CRLs at any time, so even if the "next update" field says that a new CRL is available in 12 hours, there may already be a new CRL for download. This setting limits the time a CRL is considered valid. A new CRL is downloaded when IKECRLVailityTime expires or when the "next update" time occurs. Whichever happens first. 454