beautypg.com

H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Step 5. Enable and configure the perfect forward secrecy feature for the IPsec policy.
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remarks: Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see "Configuring IKE." During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group. Otherwise, the negotiation will fail.

Step 6. Configure the SA lifetime.
  Command: sa duration { time-based seconds | traffic-based kilobytes }
  Remarks: Optional. By default, the global SA lifetime settings are used.

Step 7. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
  Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
  Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent. Support for this command depends on the device model. For whether your AC supports this command, see the feature matrixes in About the WX Series Access Controllers Configuration Guides.

Step 8. Enable the IPsec policy.
  Command: policy enable
  Remarks: Optional. Enabled by default.

Step 9. Return to system view.
  Command: quit
  Remarks: N/A
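
The PFS rule in step 5 (both ends must use PFS with the same DH group, or negotiation fails) can be checked before a change window by comparing the policy-view lines of both peers. The following Python check is an added example, not part of the H3C manual; the function names, the sample snippets and the 2048-bit minimum are assumptions of this example.

```python
import re

# MODP modulus sizes in bits for the groups the pfs command accepts
# (RFC 2409 for groups 1, 2 and 5; RFC 3526 for group 14).
DH_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}
MIN_BITS = 2048  # assumption of this example, not a value from the manual

PFS_RE = re.compile(r"^\s*pfs\s+(dh-group\d+)\s*$", re.MULTILINE)


def pfs_group(policy_cfg):
    """Return the DH group on the last pfs line of a policy snippet, or None (default: PFS off)."""
    groups = PFS_RE.findall(policy_cfg)
    if groups and groups[-1] not in DH_BITS:
        raise ValueError("unknown PFS group: " + groups[-1])
    return groups[-1] if groups else None


def check_pfs(local_cfg, remote_cfg):
    """Compare the PFS settings of both tunnel ends and return a list of findings."""
    local, remote = pfs_group(local_cfg), pfs_group(remote_cfg)
    findings = []
    if local is None and remote is None:
        findings.append("PFS is off on both ends (the default)")
    elif local is None or remote is None:
        findings.append("PFS is set on one end only: negotiation will fail")
    elif local != remote:
        findings.append(f"DH group mismatch ({local} vs {remote}): negotiation will fail")
    for end, group in (("local", local), ("remote", remote)):
        if group and DH_BITS[group] < MIN_BITS:
            findings.append(f"{end} end uses {group} ({DH_BITS[group]}-bit), below {MIN_BITS} bits")
    return findings


# Constructed policy-view snippets, not taken from a real device.
LOCAL = "pfs dh-group14\nsa duration time-based 3600\n"
REMOTE = "pfs dh-group2\nsa duration time-based 3600\n"

if __name__ == "__main__":
    for finding in check_pfs(LOCAL, REMOTE):
        print(finding)
```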