Amer Networks E5Web GUI User Manual

Page 616

turn be signed by another CA, which may be signed by another CA, and so on. Each certificate
will be verified until one that has been marked as "trusted" is found, or until it is determined that
none of the certificates are trusted.

If there are more certificates in this path than what this setting specifies, the user certificate will
be considered invalid.

Default: 15
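
The path walk described above, modelled as an added example (this is not cOS Core code and not taken from the manual). Assumptions: certificates are reduced to subject and issuer names, the limit counts every certificate in the path including the user certificate, and signature, validity-period and CRL checks are left out. The names Cert, validate_path and build_chain are hypothetical.

```python
from dataclasses import dataclass

MAX_PATH_LENGTH = 15  # default value given in the manual


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    trusted: bool = False  # marked "trusted" in the local store (model only)


def validate_path(leaf, store, max_len=MAX_PATH_LENGTH):
    """Follow issuer links from the user certificate upwards.

    Returns (valid, reason, path) where path lists the subjects visited.
    Signature, validity-period and CRL checks are deliberately not modelled.
    """
    path = []
    cert = leaf
    while True:
        path.append(cert.subject)
        if len(path) > max_len:
            return False, "path too long", path
        if cert.trusted:
            return True, "trusted certificate found", path
        issuer = store.get(cert.issuer)
        if issuer is None or cert.issuer == cert.subject:
            return False, "no trusted certificate", path
        cert = issuer


def build_chain(depth):
    """Constructed sample: user cert under `depth` CAs, top CA trusted."""
    store = {}
    for i in range(1, depth + 1):
        store[f"CA{i}"] = Cert(f"CA{i}", f"CA{i + 1}", trusted=(i == depth))
    return Cert("user", "CA1"), store


if __name__ == "__main__":
    for depth in (2, 14, 15):
        leaf, store = build_chain(depth)
        print(depth, validate_path(leaf, store)[:2])
    # Circular issuer links: the length limit is what ends the walk.
    loop = {"A": Cert("A", "B"), "B": Cert("B", "A")}
    print(validate_path(Cert("user", "A"), loop)[:2])
```

In this model a chain of 14 CAs above the user certificate (15 certificates in total) is accepted, one more CA makes the path too long, and a circular chain is rejected only because the limit ends the walk.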

IPsec Cert Cache Max Certs

Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.

Default: 1024

IPsec Gateway Name Cache Time

Length of time in milliseconds to keep an IPsec tunnel open when the remote DNS name fails to
resolve.

Default: 14400

Enable AES-NI acceleration

If the underlying hardware platform supports AES-NI, this setting should be enabled to
significantly speed throughput when AES encryption is used. This is usually only relevant to cOS
Core running in a virtual environment such as VMware or KVM. After enabling it, cOS Core must
be rebooted for this option to take effect.

This setting has no effect if either Inline or Coprocessor hardware acceleration is available, as cOS
Core will always use either of these instead. However, these can be explicitly disabled using the
IPsec Hardware Acceleration setting below, forcing AES-NI to be used.

To check if the underlying platform supports AES-NI, use the CLI command:

Device:/> cpuid

If AES-NI is supported, aes will appear in the Feature flags list in the output from the command.
This command can be used when running cOS Core under a hypervisor.

Default: No

IPsec Hardware Acceleration

This determines what type of IPsec acceleration should be used. Normally this setting should be
left at the default value of Inline. cOS Core will always use the fastest acceleration possible with
Inline being the quickest, followed by Coprocessor.

The value None should be explicitly chosen if cOS Core is to be forced to use AES-NI acceleration
even though Inline or Coprocessor acceleration is available.

The available hardware acceleration can be queried using the following CLI command:

Device:/> cryptostat

Chapter 9: VPN
