H3C Technologies H3C MSR 50 User Manual

Page 392

Item Description

ESP Encryption Algorithm

Select the encryption algorithm for ESP when you select ESP or AH-ESP for Security
Protocol. Options include:

3DES—Uses the 3DES algorithm and 168-bit key for encryption.

DES—Uses the DES algorithm and 56-bit key for encryption.

AES128—Uses the AES algorithm and 128-bit key for encryption.

AES192—Uses the AES algorithm and 192-bit key for encryption.

AES256—Uses the AES algorithm and 256-bit key for encryption.

NULL—Performs no encryption.

IMPORTANT:

Stronger algorithms cost more computation and reduce throughput, but the guidance that DES is enough for general requirements and 3DES for high confidentiality reflects the era of this manual and should not be followed today. A 56-bit DES key falls to exhaustive key search, and 3DES, despite its 168-bit key, offers only about 112 bits of effective strength because of the meet-in-the-middle attack and is deprecated. Prefer AES128 or stronger; select DES or 3DES only for interoperability with a peer that supports nothing else.

The ESP authentication algorithm and ESP encryption algorithm cannot be NULL at the same time. ESP with NULL encryption still provides integrity protection, but only when an authentication algorithm is selected.

The device supports only 56-bit encryption for Russia.

Encapsulation Mode

Select the IP packet encapsulation mode. Options include:

Tunnel—Uses the tunnel mode. The whole original IP packet is encapsulated in a new IP header, so the inner addresses are hidden; this is the mode used between security gateways.

Transport—Uses the transport mode. Only the IP payload is protected and the original IP header is kept; this mode is used between end hosts or when the protected traffic is already a tunnel (for example GRE).

PFS

Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.
Options include:

None—Disables PFS.

Diffie-Hellman Group1—Enables PFS and uses the 768-bit Diffie-Hellman group.

Diffie-Hellman Group2—Enables PFS and uses the 1024-bit Diffie-Hellman group.

Diffie-Hellman Group5—Enables PFS and uses the 1536-bit Diffie-Hellman group.

Diffie-Hellman Group14—Enables PFS and uses the 2048-bit Diffie-Hellman group.

IMPORTANT:

DH Group14, DH Group5, DH Group2, and DH Group1 are in descending order of security and computation time. Group1 (768-bit) and Group2 (1024-bit) are below current recommendations and should be chosen only for interoperability with an older peer; use Group14 where the peer supports it.

When an IPsec connection with PFS configured initiates negotiation, an additional Diffie-Hellman exchange is performed in phase 2. The IPsec SA keys are then not derived solely from the phase 1 keying material, so compromise of that material does not expose traffic protected by earlier IPsec SAs.

Two peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

SA Lifetime

Enter the IPsec SA lifetime, which can be time-based or traffic-based. The SA is renegotiated when either limit is reached.

IMPORTANT:

When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.
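The rules in the ESP Encryption Algorithm, PFS, and SA Lifetime rows above, carried through as an added example (editor's code, not H3C's): a small model of an IPsec proposal that rejects the NULL/NULL combination, fails negotiation on a Diffie-Hellman group mismatch, takes the smaller of the two lifetimes, and warns on DES, 3DES, and DH groups below 2048 bits. The Proposal fields, the effective-strength figures, the threshold constants, and the requirement that both peers' ESP transforms match are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# ESP encryption options from the table: name -> (nominal key bits, effective
# strength bits). The effective column is an editorial assumption: DES falls to
# exhaustive search and 3DES is capped near 112 bits by meet-in-the-middle.
ESP_ENCRYPTION = {
    "NULL": (0, 0),
    "DES": (56, 56),
    "3DES": (168, 112),
    "AES128": (128, 128),
    "AES192": (192, 192),
    "AES256": (256, 256),
}
# PFS options from the table: DH group number -> modulus bits (None = PFS off).
DH_GROUPS = {None: 0, 1: 768, 2: 1024, 5: 1536, 14: 2048}

MIN_EFFECTIVE_BITS = 128   # editorial policy threshold (assumption)
MIN_DH_BITS = 2048         # editorial policy threshold (assumption)


@dataclass(frozen=True)
class Proposal:
    esp_encryption: str
    esp_auth: Optional[str]      # e.g. "SHA1"; None means no ESP authentication
    dh_group: Optional[int]      # PFS group; None disables PFS
    lifetime_seconds: int        # time-based SA lifetime
    lifetime_kbytes: int         # traffic-based SA lifetime


def check_proposal(p: Proposal) -> List[str]:
    """Hard errors that make the proposal unusable (the table's own rules)."""
    errors = []
    if p.esp_encryption not in ESP_ENCRYPTION:
        errors.append(f"unknown ESP encryption algorithm {p.esp_encryption!r}")
    if p.dh_group not in DH_GROUPS:
        errors.append(f"unknown DH group {p.dh_group!r}")
    if p.esp_encryption == "NULL" and p.esp_auth is None:
        errors.append("ESP encryption and ESP authentication cannot both be NULL")
    if p.lifetime_seconds <= 0 or p.lifetime_kbytes <= 0:
        errors.append("SA lifetimes must be positive")
    return errors


def weaknesses(p: Proposal) -> List[str]:
    """Soft warnings: the proposal works but falls below the editorial thresholds."""
    warnings = []
    nominal, effective = ESP_ENCRYPTION.get(p.esp_encryption, (0, 0))
    if p.esp_encryption != "NULL" and effective < MIN_EFFECTIVE_BITS:
        warnings.append(f"{p.esp_encryption}: {effective}-bit effective strength "
                        f"(nominal {nominal}); prefer AES")
    if p.dh_group is None:
        warnings.append("PFS disabled: IPsec keys derive from phase 1 material only")
    elif DH_GROUPS[p.dh_group] < MIN_DH_BITS:
        warnings.append(f"DH group {p.dh_group} ({DH_GROUPS[p.dh_group]}-bit) "
                        f"is below {MIN_DH_BITS} bits; prefer group 14")
    return warnings


def negotiate(local: Proposal, peer: Proposal) -> Optional[Dict[str, object]]:
    """Model of the IKE phase 2 outcome: the agreed parameters, or None when
    negotiation fails. Transform equality is an assumption of this model; the
    same-DH-group rule and the smaller-lifetime rule come from the table."""
    if check_proposal(local) or check_proposal(peer):
        return None
    if (local.esp_encryption, local.esp_auth) != (peer.esp_encryption, peer.esp_auth):
        return None
    if local.dh_group != peer.dh_group:     # peers must use the same DH group
        return None
    return {
        "esp_encryption": local.esp_encryption,
        "esp_auth": local.esp_auth,
        "pfs_group": local.dh_group,
        "lifetime_seconds": min(local.lifetime_seconds, peer.lifetime_seconds),
        "lifetime_kbytes": min(local.lifetime_kbytes, peer.lifetime_kbytes),
    }


if __name__ == "__main__":
    local = Proposal("AES256", "SHA1", 14, 3600, 1843200)
    peer = Proposal("AES256", "SHA1", 14, 7200, 1000000)
    print(negotiate(local, peer))
    print(weaknesses(Proposal("3DES", "MD5", 2, 3600, 1843200)))
```

The two lifetime fields are negotiated independently, which is why the agreed SA above ends up with the local time limit and the peer's traffic limit; a policy lint on a gateway should therefore check both values, not only the one the local administrator typed in.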

DPD

Enables or disables IKE DPD.

DPD detects dead IKE peers on demand rather than at fixed intervals. When the local end sends an IPsec packet, DPD checks when the last IPsec packet was received from the peer. If that time exceeds the DPD query triggering interval, it sends a DPD hello to the peer. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If the local end still receives no DPD acknowledgement after the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs negotiated under that IKE SA.

DPD Query Triggering Interval

Enter the interval after which DPD is triggered if no IPsec-protected packets are received from the peer.
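The DPD sequence described in the DPD row, simulated as an added example (editor's code, not H3C firmware): a per-peer monitor that sends a hello only when the local end transmits after the peer has been silent longer than the query triggering interval, retransmits on the retransmission interval, and declares the peer dead after the default two retransmission attempts. The class and method names, the timer values in the scenarios, and the treatment of an acknowledgement as received traffic are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdMonitor:
    """DPD state kept for one IKE SA (example model, not H3C code)."""
    interval: float                 # DPD query triggering interval, seconds
    retransmit: float               # DPD packet retransmission interval, seconds
    max_retries: int = 2            # retransmission attempts (table default: two)
    last_rx: float = 0.0            # when the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None   # time of the outstanding hello, if any
    retries: int = 0
    alive: bool = True
    dead_at: Optional[float] = None
    hellos: List[float] = field(default_factory=list)   # times a hello was sent

    def on_receive(self, now: float) -> None:
        """Any IPsec-protected packet from the peer proves it is alive."""
        self.last_rx = now

    def on_ack(self, now: float) -> None:
        """A DPD acknowledgement clears the outstanding hello (assumption:
        it also counts as received traffic)."""
        self.on_receive(now)
        self.hello_sent_at = None
        self.retries = 0

    def on_send(self, now: float) -> bool:
        """Called when the local end sends an IPsec packet. This is the on-demand
        trigger: a hello goes out only if the peer has been silent longer than
        the interval and no hello is already outstanding. Returns True if sent."""
        if not self.alive or self.hello_sent_at is not None:
            return False
        if now - self.last_rx <= self.interval:
            return False
        self._send_hello(now)
        return True

    def on_timer(self, now: float) -> None:
        """Retransmission timer: resend the hello up to max_retries times, then
        declare the peer dead (the caller would clear the IKE SA and its IPsec SAs)."""
        if not self.alive or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at < self.retransmit:
            return
        if self.retries < self.max_retries:
            self.retries += 1
            self._send_hello(now)
        else:
            self.alive = False
            self.dead_at = now
            self.hello_sent_at = None

    def _send_hello(self, now: float) -> None:
        self.hello_sent_at = now
        self.hellos.append(now)


def run_dead_peer_scenario() -> DpdMonitor:
    """Constructed timeline: peer goes silent at t=0; local traffic at t=5 and
    t=12; no acknowledgement ever arrives; timer driven once per second."""
    m = DpdMonitor(interval=10.0, retransmit=5.0)
    m.on_receive(0.0)
    m.on_send(5.0)       # silent for 5 s only: no hello
    m.on_send(12.0)      # silent for 12 s > 10 s: first hello
    t = 12.0
    while m.alive and t < 100.0:
        t += 1.0
        m.on_timer(t)
    return m


def run_live_peer_scenario() -> DpdMonitor:
    """Constructed timeline: the peer answers the first hello, so no retries."""
    m = DpdMonitor(interval=10.0, retransmit=5.0)
    m.on_receive(0.0)
    m.on_send(12.0)      # hello
    m.on_ack(13.0)       # peer answers
    m.on_timer(20.0)     # nothing outstanding, nothing happens
    return m


if __name__ == "__main__":
    dead = run_dead_peer_scenario()
    print("dead peer: hellos at", dead.hellos, "declared dead at", dead.dead_at)
    live = run_live_peer_scenario()
    print("live peer: hellos at", live.hellos, "alive =", live.alive)
```

With a 10 s triggering interval and a 5 s retransmission interval the dead peer is only declared dead at t=27, fifteen seconds after the first hello and twenty-seven seconds after its last packet; and because the trigger is on-demand, a peer that the local end never sends to is never probed at all, which is what distinguishes this behaviour from a periodic keepalive.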
