Default: 86400 seconds
IKE Max CA Path
When the signature of a user certificate is verified, NetDefendOS looks at the issuer name field in
the user certificate to find the CA certificate the certificate was signed by. The CA certificate may in
turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will
be verified until one that has been marked as "trusted" is found, or until it is determined that none of
the certificates are trusted.
If there are more certificates in this path than what this setting specifies, the user certificate will be
considered invalid.
Default: 15
IPsec Cert Cache Max Certs
Maximum number of certificates/CRLs that can be held in the internal certificate cache. When the
certificate cache is full, entries will be removed according to an LRU (Least Recently Used)
algorithm.
Default: 1024
IPsec Gateway Name Cache Time
Length of time in milliseconds to keep an IPsec tunnel open when the remote DNS name fails to
resolve.
Default: 14400
DPD Metric
The amount of time in tens of seconds that the peer is considered to be alive (reachable) since the
last received IKE message. This means that no DPD messages for checking aliveness of the peer
will be sent during this time even though no packets from the peer have been received during this
time.
In other words, the amount of time in tens of seconds that a tunnel is without traffic or any other
sign of life before the peer is considered dead. If DPD is due to be triggered but other evidence of
life is seen (such as IKE packets from the other side of the tunnel) within the time frame, no
DPD-R-U-THERE messages will be sent.
For example, if the other side of the tunnel has not sent any ESP packets for a long period but at
least one IKE-packet has been seen within the last (10 x the configured value) seconds, then
NetDefendOS will not send more DPD-R-U-THERE messages to the other side.
Default: 3 (in other words, 3 x 10 = 30 seconds)
DPD Keep Time
The amount of time in tens of seconds that a peer is assumed to be dead after NetDefendOS has
detected it to be so. While the peer is considered dead, NetDefendOS will not try to re-negotiate the
tunnel or send DPD messages to the peer. However, the peer will not be considered dead any more
as soon as a packet from it is received.
A more detailed explanation for this setting is that it is the amount of time in tens of seconds that an
SA will remain in the dead cache after a delete. An SA is put in the dead cache when the other side
9.4.6. IPsec Advanced Settings
Chapter 9. VPN
461
Содержание NetDefend DFL-1660
Страница 28: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 28 ...
Страница 88: ...2 6 3 Restore to Factory Defaults Chapter 2 Management and Maintenance 88 ...
Страница 166: ...3 10 DNS Chapter 3 Fundamentals 166 ...
Страница 254: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 254 ...
Страница 268: ...5 4 IP Pools Chapter 5 DHCP Services 268 ...
Страница 368: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 368 ...
Страница 390: ...7 4 7 SAT and FwdFast Rules Chapter 7 Address Translation 390 ...
Страница 414: ...8 3 Customizing Authentication HTML Pages Chapter 8 User Authentication 414 ...
Страница 490: ...9 8 6 Specific Symptoms Chapter 9 VPN 490 ...
Страница 528: ...10 4 6 Setting Up SLB_SAT Rules Chapter 10 Traffic Management 528 ...
Страница 544: ...11 7 HA Advanced Settings Chapter 11 High Availability 544 ...
Страница 551: ...12 3 5 Limitations Chapter 12 ZoneDefense 551 ...
Страница 574: ...Default 512 13 9 Miscellaneous Settings Chapter 13 Advanced Settings 574 ...
Страница 575: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 575 ...