Setting local user password control parameters, Ike configuration prerequisites, Ike configuration task list – H3C Technologies H3C S12500-X Series Switches User Manual
Page 165: Protocols and standards
PFS
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is enabled, an additional DH exchange is performed in IKE phase 2 so that the IPsec keys are not derived from the IKE keys; the compromise of one key therefore does not endanger the other keys.
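The following Python script is an added illustration, not part of the H3C manual, of why the extra phase 2 DH exchange removes the derivative relation between IKE and IPsec keys. It follows the Quick Mode KEYMAT derivation in RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) without PFS, and prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b) with PFS), using Oakley group 2 from RFC 2409 and HMAC-SHA-1 as the prf. The phase 1 secret SKEYID_d, the SPI and the nonces are constructed at random; the "attacker" is a hypothetical party that already holds SKEYID_d and sees everything on the wire. Only one prf block is derived; real IKE expands KEYMAT further.

```python
"""Added example: Quick Mode KEYMAT with and without PFS (RFC 2409 section 5.5)."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP prime), generator 2.
MODP_1024_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF"
)
P = int(MODP_1024_HEX, 16)
G = 2
PROTO_ESP = b"\x03"  # ISAKMP protocol id for ESP, carried in the Quick Mode proposal


def prf(key, data):
    """RFC 2409 prf: HMAC keyed with the negotiated hash (HMAC-SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Ephemeral Quick Mode DH key: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    """g^xy mod p, big-endian encoded as it would appear in the KE payload."""
    return pow(peer_public, x, P).to_bytes((P.bit_length() + 7) // 8, "big")


def keymat(skeyid_d, spi, ni, nr, gxy=None):
    """Quick Mode KEYMAT; gxy is present only when PFS was negotiated."""
    return prf(skeyid_d, (gxy or b"") + PROTO_ESP + spi + ni + nr)


def quick_mode(pfs):
    """Simulate one Quick Mode exchange plus a hypothetical attacker holding SKEYID_d.

    Returns the initiator's key, the responder's key, and what the attacker can
    reproduce from SKEYID_d together with everything visible on the wire.
    """
    skeyid_d = secrets.token_bytes(20)  # constructed phase 1 keying secret
    spi = secrets.token_bytes(4)        # constructed SPI
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed nonces
    if not pfs:
        key = keymat(skeyid_d, spi, ni, nr)
        # Every input is either SKEYID_d or sent in the clear, so the IPsec key
        # is fully derived from the IKE key: a lost SKEYID_d loses every child SA.
        return {"initiator": key, "responder": key,
                "attacker": keymat(skeyid_d, spi, ni, nr)}
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    key_i = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr))
    key_r = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gi))
    # The attacker observes gi and gr but not xi or xr, so g^xy is unavailable and
    # the derivation cannot be completed; the PFS-less formula is all that remains.
    return {"initiator": key_i, "responder": key_r,
            "attacker": keymat(skeyid_d, spi, ni, nr)}


if __name__ == "__main__":
    for pfs in (False, True):
        r = quick_mode(pfs)
        print(f"PFS={pfs}: peers agree={r['initiator'] == r['responder']}, "
              f"SKEYID_d holder recovers IPsec key={r['attacker'] == r['initiator']}")
```

Without PFS the third value equals the peers' key, which is exactly the "derivative relation" the manual refers to; with PFS the peers still agree but the derivation needs the ephemeral g^xy, which the phase 1 secret does not contain. The cost is the extra modular exponentiation per Quick Mode, which is why the manual notes that larger DH groups need more processing time.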
Protocols and standards
• RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
• RFC 2409, The Internet Key Exchange (IKE)
• RFC 2412, The OAKLEY Key Determination Protocol
IKE configuration prerequisites
Determine the following parameters prior to IKE configuration:
• The algorithms to be used during IKE negotiation, including the identity authentication method, encryption algorithm, authentication algorithm, and DH group.
    ◦ Different algorithms provide different levels of protection. A stronger algorithm provides more resistance to decryption but uses more resources.
    ◦ A DH group that uses more bits provides higher security but needs more time for processing.
• The pre-shared key for IKE negotiation.
• The IKE-based IPsec policies for the communicating peers. If an IPsec policy does not reference any IKE profile, the device selects an IKE profile for the IPsec policy. If no IKE profile is configured, the globally configured IKE settings are used. For more information about IPsec, see "Configuring IPsec."
IKE configuration task list
Tasks at a glance | Remarks
(Optional.) Configuring an IKE profile | N/A
(Optional.) Configuring an IKE proposal | Required when the IKE profile needs to reference IKE proposals.
(Optional.) Configuring an IKE keychain | Required when pre-shared key authentication is used in IKE negotiation phase 1.
(Optional.) Configuring the global identity information | N/A
(Optional.) Configuring the IKE keepalive function | N/A
(Optional.) Configuring the IKE NAT keepalive function | N/A
(Optional.) Configuring IKE DPD | N/A
(Optional.) Enabling invalid SPI recovery | N/A
(Optional.) Setting the maximum number of IKE SAs | N/A
(Optional.) Configuring SNMP notifications for IKE | N/A