DF Bit Functionality

Pending Mode

Once you have authenticated against the parent CA in your XSR certificate chain, you then enroll the XSR's IPSec client certificate against the CA using the SCEP enroll command. Depending on how your CA administrator has configured the CA, you may or may not immediately receive your IPSec client certificate when you first enroll. If the CA has been configured to use pending mode, the CA administrator must manually issue or deny your request. The CA administrator may take certain steps to verify that the enrollment request is valid, such as calling the system administrator. This process may take a number of hours or days.

When pending mode is configured, the XSR will log that the operation is pending, and will automatically poll for the certificate three times at five-minute intervals. The number of polls and the interval between polls is adjustable using CLI commands under Crypto Identity configuration mode. This assumes that the CA administrator will issue or deny the XSR enrollment request within a 15-minute window.

Once retries are exhausted, the enrollment becomes invalid and you must enroll again. Each poll request and its result are logged in detail by the XSR. Ask your CA administrator what these values should be.
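The polling behaviour described above (a pending enrollment that is re-polled a fixed number of times at a fixed interval, then abandoned) is easy to reason about as a small state machine. The following is an added Python simulation, not XSR firmware or its CLI; the CA responder `ca_status`, the status strings, the log format and the `ca_issues_after` / `ca_never_answers` helpers are all constructed for illustration. The defaults are the guide's three polls at five-minute intervals, which gives the 15-minute window the text mentions.

```python
"""Simulated SCEP pending-mode polling (constructed example, not XSR code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Defaults quoted by the guide: three polls at five-minute intervals.
DEFAULT_POLL_COUNT = 3
DEFAULT_POLL_INTERVAL_MIN = 5


@dataclass
class PollLog:
    """Collects one line per request so each poll and its result are visible."""
    entries: List[str] = field(default_factory=list)

    def add(self, msg: str) -> None:
        self.entries.append(msg)


def poll_window_minutes(poll_count: int = DEFAULT_POLL_COUNT,
                        interval_min: int = DEFAULT_POLL_INTERVAL_MIN) -> int:
    """Total time the client waits for the CA administrator before giving up."""
    return poll_count * interval_min


def enroll_with_pending(ca_status: Callable[[int], str],
                        poll_count: int = DEFAULT_POLL_COUNT,
                        interval_min: int = DEFAULT_POLL_INTERVAL_MIN) -> Tuple[str, PollLog]:
    """Run one enrollment attempt against a (hypothetical) CA responder.

    ca_status(n) returns "PENDING", "ISSUED" or "DENIED" for request n,
    where n == 0 is the initial enroll and n >= 1 are the follow-up polls.
    Time is simulated (no sleeping) so the logic can be exercised offline.
    """
    log = PollLog()
    status = ca_status(0)
    log.add(f"t+0m enroll request: {status}")
    if status != "PENDING":
        return status, log                      # issued or denied immediately

    elapsed = 0
    for n in range(1, poll_count + 1):
        elapsed += interval_min
        status = ca_status(n)
        log.add(f"t+{elapsed}m poll {n}/{poll_count}: {status}")
        if status != "PENDING":
            return status, log                  # administrator acted in time

    # Retries exhausted: the enrollment is no longer valid and must be redone.
    log.add(f"t+{elapsed}m retries exhausted: enrollment invalid, re-enroll required")
    return "EXHAUSTED", log


# Constructed CA behaviours used for demonstration.
def ca_issues_after(k: int) -> Callable[[int], str]:
    """CA administrator approves the request on poll number k."""
    return lambda n: "ISSUED" if n >= k else "PENDING"


def ca_never_answers(n: int) -> str:
    """CA administrator never acts within the window."""
    return "PENDING"


def ca_denies_on(k: int) -> Callable[[int], str]:
    """CA administrator rejects the request on poll number k."""
    return lambda n: "DENIED" if n >= k else "PENDING"


if __name__ == "__main__":
    for name, ca in [("issued on 2nd poll", ca_issues_after(2)),
                     ("issued after 20 min", ca_issues_after(4)),
                     ("never answered", ca_never_answers)]:
        result, log = enroll_with_pending(ca)
        print(f"--- {name}: {result}")
        print("\n".join(log.entries))
```

The second scenario is the one to watch for in practice: an administrator who approves the request after the 15-minute window has closed produces a certificate the XSR never collects, and the operator sees only the "retries exhausted" entry. Raising the poll count or interval under Crypto Identity configuration is the fix the guide points to.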

Enroll Password

Another way to validate an enrollment request is to ask the CA administrator to issue a specific password for enrollment. This can either be done manually or through a Web page at the CA. If you are required to provide a specific password for the enrollment, you must use that password or your enrollment will fail. If you are allowed to create your own password, be sure to remember it because it is required if you ever wish to revoke a certificate.

CRL Retrieval

As mentioned earlier, a CRL must be retrieved for any IPSec client certificate the XSR uses for authentication. This is done automatically by the XSR whenever a new certificate is encountered and on a maintenance cycle that by default occurs every 60 minutes. Depending on your CA's configuration, you may want to adjust how frequently your maintenance task runs. Ask your CA administrator what this value should be set to.
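The value the guide tells you to ask the CA administrator for has a concrete basis: the maintenance interval has to fit inside the CA's CRL publishing schedule, or the XSR will keep using a CRL past its nextUpdate time between refreshes. The following is an added Python model of that interaction, not XSR code; it assumes a CA that publishes a fresh CRL every `publish_min` minutes with each CRL valid for `validity_min` minutes, and a client that simply fetches the latest CRL on each maintenance cycle.

```python
"""CRL freshness versus a periodic maintenance cycle (constructed example)."""
from typing import Tuple

XSR_DEFAULT_MAINTENANCE_MIN = 60   # default cycle quoted by the guide


def latest_crl_at(t_min: int, publish_min: int, validity_min: int) -> Tuple[int, int]:
    """Return (thisUpdate, nextUpdate) of the CRL the CA is serving at minute t.

    Assumption: the CA publishes at every multiple of publish_min and each
    CRL is valid for validity_min minutes from issue.
    """
    issued = (t_min // publish_min) * publish_min
    return issued, issued + validity_min


def max_stale_minutes(publish_min: int, validity_min: int,
                      maintenance_min: int, horizon_min: int = 1440) -> int:
    """Worst case minutes a cached CRL is used past its nextUpdate.

    Every phase of the maintenance cycle relative to CA publication is tried,
    because the worst case is fetching just before the CA publishes again.
    """
    worst = 0
    for offset in range(publish_min):
        t = offset
        while t < horizon_min:
            _, next_update = latest_crl_at(t, publish_min, validity_min)
            holds_until = t + maintenance_min       # next refresh of the cache
            worst = max(worst, holds_until - next_update)
            t += maintenance_min
    return worst


def max_safe_maintenance_min(publish_min: int, validity_min: int) -> int:
    """Largest cycle that never leaves an expired CRL in the cache.

    The CRL fetched just before a new one is published has only
    validity_min - publish_min of life left, so the cycle must not exceed it.
    """
    return validity_min - publish_min


def worst_revocation_latency_min(publish_min: int, maintenance_min: int) -> int:
    """Longest time a certificate revoked at the CA stays accepted by the client.

    The revocation appears only in the next published CRL (up to publish_min
    later), which the client sees only at its next cycle (up to maintenance_min
    after that).
    """
    return publish_min + maintenance_min


if __name__ == "__main__":
    for publish, validity in [(60, 120), (60, 60), (1440, 1440)]:
        stale = max_stale_minutes(publish, validity, XSR_DEFAULT_MAINTENANCE_MIN)
        print(f"CA publishes every {publish}m, valid {validity}m, "
              f"client refreshes every {XSR_DEFAULT_MAINTENANCE_MIN}m: "
              f"max stale {stale}m, safe cycle <= {max_safe_maintenance_min(publish, validity)}m, "
              f"revocation latency <= {worst_revocation_latency_min(publish, XSR_DEFAULT_MAINTENANCE_MIN)}m")
```

The two numbers to take to the CA administrator are the maximum safe cycle (so no expired CRL is ever relied on) and the revocation latency (how long a certificate revoked as described in the next section can still authenticate). Shortening the maintenance cycle reduces the second number but only down to the CA's own publishing interval.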

Renewing and Revoking Certificates

A certificate has an expiration date. Additionally, certificates can be revoked at the CA before their expiration time is reached. When a certificate expires, the XSR must be re-authenticated for CA certificates or re-enrolled for its IPSec client certificate: this is not an automatic process.

Only the CA administrator can revoke a certificate - the password used to create the certificate during enrollment is required to revoke it. Revoked certificates will appear in the next CRL. Discuss these periods and strategies with your CA administrator.

DF Bit Functionality

The DF (Don't Fragment) bit within the IP header determines whether a router is allowed to fragment a packet. The XSR's DF bit override feature for IPSec tunnels configures how the DF bit is set in the outer header when encapsulating tunnel mode IPSec traffic. If the override is configured to clear the DF bit, the XSR can fragment the encapsulated packets regardless of the original packet's DF bit setting.
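The decision the override feature influences can be shown with a small model of tunnel-mode encapsulation. The following Python is an added example, not XSR code; it generalizes the guide's "clear" setting to the three outer-header policies tunnel-mode IPSec implementations commonly offer (copy the inner DF, set it, clear it), and the ESP overhead figures (8-byte header, 16-byte IV, 2-byte trailer, 12-byte ICV, 16-byte cipher block) are assumed typical values, not XSR specifics.

```python
"""DF bit handling when encapsulating in tunnel-mode ESP (constructed example)."""
import math
from typing import Tuple

IPV4_HEADER = 20
ESP_HEADER = 8          # SPI + sequence number
ESP_IV = 16             # assumed: AES-CBC style IV
ESP_TRAILER = 2         # pad length + next header
ESP_ICV = 12            # assumed: truncated HMAC
CIPHER_BLOCK = 16

DF_POLICIES = ("copy", "set", "clear")


def tunnel_overhead(inner_len: int) -> int:
    """Bytes added by a new outer IPv4 header plus ESP framing and padding."""
    pad = (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK
    return IPV4_HEADER + ESP_HEADER + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def outer_df(inner_df: bool, policy: str) -> bool:
    """DF bit written into the outer header under the configured override."""
    if policy not in DF_POLICIES:
        raise ValueError(f"unknown DF policy {policy!r}")
    return {"copy": inner_df, "set": True, "clear": False}[policy]


def fragment_count(total_len: int, mtu: int) -> int:
    """IPv4 fragments needed: payload is split on 8-byte boundaries."""
    payload = total_len - IPV4_HEADER
    per_frag = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil(payload / per_frag)


def encapsulate(inner_len: int, inner_df: bool, mtu: int, policy: str) -> Tuple[str, int, int]:
    """Decide what happens to one inner packet on the tunnel's egress interface.

    Returns (action, outer_length, fragments) where action is
    "forward", "fragment", or "drop_icmp_frag_needed".
    """
    outer_len = inner_len + tunnel_overhead(inner_len)
    df = outer_df(inner_df, policy)
    if outer_len <= mtu:
        return "forward", outer_len, 1
    if df:
        # Router may not fragment: packet is dropped and the sender is told
        # the path MTU via ICMP Fragmentation Needed.
        return "drop_icmp_frag_needed", outer_len, 0
    return "fragment", outer_len, fragment_count(outer_len, mtu)


if __name__ == "__main__":
    for policy in DF_POLICIES:
        print(policy, encapsulate(inner_len=1480, inner_df=True, mtu=1500, policy=policy))
```

The trade-off the feature exposes follows directly from the model: clearing DF keeps large inner packets flowing when the path MTU is unknown, at the cost of fragmenting the ESP packet (and reassembling it at the far end before decryption), while copying or setting DF preserves path MTU discovery for hosts that honour ICMP Fragmentation Needed.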

XSR User’s Guide 14-9

Enterasys Networks X-Pedition™ manual: DF Bit Functionality, Pending Mode, Enroll Password, CRL Retrieval