IP Security - Virtual Private Network
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
TO CONFIGURE A STRICT CRL POLICY
By default, the OmniAccess 5740 USG has a lenient CRL policy, i.e., even if the
CRL is not present (not imported) or has expired, the peer's certificate is still
accepted. You can optionally make this CRL policy strict.
EXAMPLE
ALU(config)# crypto crl-check strict
ALU(config)# no crypto crl-check strict
TO IMPORT A PEER'S SELF-SIGNED CERTIFICATE
The peer's self-signed certificate can be imported to override the CA check. This
is appropriate when the peer is not enrolled with any of the trusted CAs but is
itself trusted. The gateway then does not have to rely on the certificate that the
peer transmits as part of the IKE exchange.
EXAMPLE
ALU(config)# crypto peer-certificate cert_Bouvier import ftp:
Command (in CM)             Description
crypto crl-check strict     This command makes the CRL policy strict. It ensures that if
                            no CRL is present, or if the CRL has already expired, then no
                            negotiation takes place until a new CRL is imported.
no crypto crl-check strict  This command makes the CRL policy lenient.
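The two policies modelled in code, as an added example that is not part of this guide or of the OmniAccess software: with a constructed CRL and constructed peer certificates (issuer name, serials and clock are all assumptions), it shows that the lenient default lets a revoked certificate through whenever the CRL is missing or expired, which the strict policy prevents.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

@dataclass
class CRL:
    """Constructed stand-in for an imported CRL: issuer, validity end, revoked serials."""
    issuer: str
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

@dataclass
class PeerCert:
    issuer: str   # only the fields the CRL check needs (not a real X.509 parser)
    serial: int

def crl_check(cert: PeerCert, crl: Optional[CRL], now: datetime,
              strict: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for a peer certificate under the two policies.

    Lenient (default): a missing or expired CRL is ignored and the cert is accepted.
    Strict ('crypto crl-check strict'): a missing or expired CRL blocks negotiation
    until a current CRL is imported. A serial listed in a current CRL always rejects.
    """
    if crl is None or crl.issuer != cert.issuer:
        if strict:
            return False, "no CRL for issuer; import a current CRL before negotiating"
        return True, "no CRL for issuer; accepted (lenient), revocation status unknown"
    if now > crl.next_update:
        if strict:
            return False, "CRL expired; import a new CRL before negotiating"
        return True, "CRL expired; accepted (lenient), revocation status unknown"
    if cert.serial in crl.revoked_serials:
        return False, "certificate serial is listed as revoked in a current CRL"
    return True, "certificate not revoked according to a current CRL"

def demo() -> dict:
    # Constructed clock, issuer and serials; returns {scenario: accepted?}.
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    issuer = "CN=Example CA"
    fresh = CRL(issuer, now + timedelta(days=7), {0x1002})
    stale = CRL(issuer, now - timedelta(days=1), {0x1002})
    good, revoked = PeerCert(issuer, 0x1001), PeerCert(issuer, 0x1002)
    return {
        "lenient/no-crl": crl_check(good, None, now, strict=False)[0],
        "strict/no-crl": crl_check(good, None, now, strict=True)[0],
        "lenient/expired-crl/revoked-cert": crl_check(revoked, stale, now, False)[0],
        "strict/expired-crl/revoked-cert": crl_check(revoked, stale, now, True)[0],
        "lenient/current-crl/revoked-cert": crl_check(revoked, fresh, now, False)[0],
        "strict/current-crl/good-cert": crl_check(good, fresh, now, True)[0],
    }
```

The "lenient/expired-crl/revoked-cert" scenario is the one to watch for in an audit: a revoked peer is accepted with no error, so a gateway that relies on revocation should run with the strict policy and a process for importing fresh CRLs before the current one expires.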
Command (in CM)                           Description
crypto peer-certificate <name>            This command imports trusted peer certificates
  import {<certificate-content>           into the OmniAccess 5740 USG.
  | fpkey <file-path> | ftp: | tftp:      You also have the option to enter or paste the
  | http: | https: | scp:}                certificate directly after the command. Enter up
                                          to 80 characters on a line. Enter a blank line to
                                          exit.
                                          Note: Currently, the SCP option is not supported.