Ipsec settings, Ikesendinitialcontact, Ikesendcrls – D-Link DFL-2500 User Manual
Page 328: Ikecrlvaliditytime, Ikemaxcapath, Ipseccertcachemaxcerts, Ipsecbeforerules
13.13. IPsec Settings
IKESendInitialContact
Determines whether or not IKE should send the "Initial Contact" notification message. This message
is sent to each remote gateway when a connection is opened to it and there are no previous IPsec SA
using that gateway.
Default: Enabled
IKESendCRLs
Dictates whether or not CRLs (Certificate Revocation Lists) should be sent as part of the IKE
exchange. Should typically be set to ENABLE except where the remote peer does not understand
CRL payloads.
Default: Enabled
IKECRLValidityTime
A CRL contains a "next update" field that dictates the time and date when a new CRL will be
available for download from the CA. The time between CRL updates can be anything from a few
hours and upwards, depending on how the CA is configured. Most CA software allow the CA
administrator to issue new CRLs at any time, so even if the "next update" field says that a new CRL
is available in 12 hours, there may already be a new CRL for download.
This setting limits the time a CRL is considered valid. A new CRL is downloaded when
IKECRLVailityTime expires or when the "next update" time occurs. Whichever happens first.
Default: 90000
IKEMaxCAPath
When the signature of a user certificate is verified, NetDefendOS looks at the 'issuer name' field in
the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in
turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will
be verified until one that has been marked trusted is found, or until it is determined that none of the
certificates were trusted.
If there are more certificates in this path than what this setting specifies, the user certificate will be
considered invalid.
Default: 15
IPsecCertCacheMaxCerts
Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default: 1024
IPsecBeforeRules
Pass IKE & IPsec (ESP/AH) traffic sent to NetDefendOS directly to the IPsec engine without
consulting the rule set.
Default: Enabled
13.13. IPsec Settings
Chapter 13. Advanced Settings
328