SonicWALL TZ 190 User Guide

VPN > Advanced
583
SonicOS Enhanced 4.0 Administrator Guide
• IKEv2 Dynamic Client Proposal - SonicOS Enhanced 4.0 introduces IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. Clicking the Configure button launches the Configure IKEv2 Dynamic Client Proposal window.
Previously, only the default settings were supported: Diffie-Hellman (DH) Group 2, the 
3DES encryption algorithm, and the SHA1 authentication method. SonicOS now allows the 
following IKE Proposal settings:
– DH Group: 1, 2, or 5
– Encryption: DES, 3DES, AES-128, AES-192, AES-256
– Authentication: MD5, SHA1
However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPSec gateway is 
defined, you cannot configure these IKE Proposal settings on an individual policy basis.
Note: The VPN policy on the remote gateway must also be configured with the same settings.
Using OCSP with SonicWALL Security Appliances
Online Certificate Status Protocol (OCSP) allows you to check VPN certificate status without 
CRLs. This allows timely updates regarding the status of the certificates used on your 
SonicWALL.
About OCSP
OCSP is designed to augment or replace Certificate Revocation Lists (CRL) in your Public Key 
Infrastructure (PKI) or digital certificate system. The CRL is used to validate the digital 
certificates that make up the PKI. This allows the Certificate Authority (CA) to revoke 
certificates before their scheduled expiration date and is useful in protecting the PKI system 
against stolen or invalid certificates.
The main disadvantage of Certificate Revocation Lists is the need for frequent updates to keep the 
CRL of every client current. These frequent updates greatly increase network traffic when the 
complete CRL is downloaded by every client. Depending on the frequency of the CRL updates, 
a period of time can exist when a certificate has been revoked by the CA but the client has not 
yet received the updated CRL and still permits the certificate to be used.
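To make the contrast with CRLs concrete, the following is an added example (not SonicWALL code) of the OCSP exchange itself, built with the Python cryptography package: a constructed test CA issues one VPN peer certificate (serial 1234) and answers a signed OCSP request about that single certificate, so the relying party learns its current status without downloading any CRL. The CA name, key sizes, serial number and one-hour response validity are assumptions made for the example.

```python
# Added example, not SonicWALL code; the CA, keys and serial 1234 are constructed here.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW, DER = datetime.now(timezone.utc), serialization.Encoding.DER

def _issue(cn, issuer, issuer_key, key, serial, is_ca):
    """Issue a minimal X.509 certificate for the constructed test PKI."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer or name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_pki():
    """Constructed CA plus one issued VPN peer certificate (serial 1234)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _issue("Test VPN CA", None, ca_key, ca_key, 1, True)
    peer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return ca_cert, ca_key, _issue("vpn-peer", ca_cert.subject, ca_key, peer_key, 1234, False)

def ocsp_request_der(peer_cert, ca_cert):
    """Relying party: DER request naming exactly one certificate (no CRL download)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(peer_cert, ca_cert, hashes.SHA1()).build()
    return req.public_bytes(DER)

def ocsp_response_der(req_der, ca_cert, ca_key, peer_cert, revoked_serials):
    """Responder (the CA itself here): look the serial up and return a CA-signed answer."""
    revoked = ocsp.load_der_ocsp_request(req_der).serial_number in revoked_serials
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=peer_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
                          this_update=NOW, next_update=NOW + timedelta(hours=1),
                          revocation_time=NOW - timedelta(minutes=5) if revoked else None,
                          revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(DER)

def check_status(resp_der, ca_cert):
    """Relying party: verify the responder signature, then read the single cert status."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("responder error: " + resp.response_status.name)
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status.name  # "GOOD" or "REVOKED"
```

Because the answer covers only the serial that was asked about, revoking the peer at the CA is visible on the very next query, with no wait for a scheduled CRL re-download.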