XSR User’s Guide 239
Chapter 11 DF Bit Functionality
Configuring the Virtual Private Network
Once retries are exhausted, the enrollment becomes invalid and you must
enroll again - each poll request and its result are logged in detail by the XSR.
Ask your CA administrator what these values should be set to.
Enroll Password
Another way to verify the origin of an IPSec client enrollment is to have the
CA administrator issue a specific password for your enrollment. This can be
done either manually or through a Web page at the CA. If you are required to
provide a specific password for the enrollment, you must use that password or
your enrollment will fail. If you are allowed to create your own password, be sure
to remember it, because it is required if you ever wish to revoke the certificate.
CRL Retrieval
As mentioned earlier, a CRL must be retrieved for any IPSec client certificate
the XSR uses for authentication. This is done automatically by the
XSR whenever a new certificate is encountered and on a maintenance cycle
that by default occurs every 60 minutes. Depending on your CA's
configuration, you may want to adjust how frequently your maintenance task
runs. Ask your CA administrator what this value should be set to.
Renewing and Revoking Certificates
A certificate has a specific lifetime and will eventually expire. Additionally,
certificates can be revoked at the CA before their expiration time is reached.
When a certificate expires, the XSR must re-authenticate for CA certificates, or
re-enroll for its IPSec client certificate: this is not an automatic process.
Only the CA administrator can revoke a certificate - the password used to
create the certificate during enrollment is required to revoke it. Revoked
certificates will appear on the next CRL. Discuss these periods and strategies
with your CA administrator.
DF Bit Functionality
The DF (Don't Fragment) bit in the IP header determines whether a router is
allowed to fragment a packet. The XSR's DF bit override feature for IPSec
tunnels configures how the DF bit is set in the outer header when encapsulating
tunnel mode IPSec traffic. If the override is set to clear, the XSR can fragment
the encapsulated packets regardless of the original DF bit setting.
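The following is an added illustration, not XSR code or configuration syntax: it builds a tunnel-mode outer IPv4 header for a constructed inner packet, applies a DF override policy to the outer header, and shows what the encapsulating router can do when the result exceeds the tunnel MTU. The override names ("copy", "clear", "set"), the ESP overhead value, the addresses and the packet sizes are all assumptions chosen for the example.

```python
import struct

IP_FLAG_DF = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset field
ESP_PROTO = 50       # IP protocol number of ESP, the outer header's payload in tunnel mode

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(total_len: int, df: bool, proto: int, src: bytes, dst: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    flags_frag = IP_FLAG_DF if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def has_df(packet: bytes) -> bool:
    """Read the DF bit from an IPv4 header."""
    return bool(struct.unpack("!H", packet[6:8])[0] & IP_FLAG_DF)

def outer_df(inner: bytes, override: str) -> bool:
    """Map the (assumed) override policy to the outer header's DF bit."""
    if override == "copy":
        return has_df(inner)          # keep the original packet's DF setting
    if override in ("clear", "set"):
        return override == "set"      # force the bit off or on
    raise ValueError("unknown DF override: %r" % override)

def encapsulate(inner: bytes, override: str, esp_overhead: int, src: bytes, dst: bytes) -> bytes:
    """Tunnel-mode encapsulation: outer IPv4 header + ESP placeholder + original packet.
    The ESP fields (SPI, sequence number, IV, padding, ICV) are modelled as esp_overhead zero bytes."""
    total_len = 20 + esp_overhead + len(inner)
    outer_hdr = build_ipv4_header(total_len, outer_df(inner, override), ESP_PROTO, src, dst)
    return outer_hdr + b"\x00" * esp_overhead + inner

def tunnel_action(outer: bytes, tunnel_mtu: int) -> str:
    """What the encapsulating router can do with the outer packet given the tunnel MTU."""
    if len(outer) <= tunnel_mtu:
        return "forward"
    return "drop, send ICMP fragmentation needed" if has_df(outer) else "fragment"

# Constructed sample: 1460-byte inner TCP packet with DF set, 57 bytes of ESP overhead, tunnel MTU 1500.
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
INNER = build_ipv4_header(1460, True, 6, bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7])) + b"\x00" * 1440

if __name__ == "__main__":
    for mode in ("copy", "clear"):
        print(mode, "->", tunnel_action(encapsulate(INNER, mode, 57, SRC, DST), 1500))
```

With "copy" the outer packet inherits DF and cannot be fragmented by the XSR, so it is dropped with an ICMP error; with "clear" the same packet is fragmented on the tunnel and reassembled at the far end.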