H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 882
861
Item / Description

Template
Select an IPsec policy template.
IMPORTANT:
If you select an IPsec policy template, all subsequent configuration items except the aggregation setting are unavailable.

IKE Peer
Select an IKE peer for the IPsec policy.
You configure IKE peers by selecting VPN > IKE from the navigation tree.

IPSec Proposal
Select up to six IPsec proposals for the IPsec policy.
IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established and the packets that need to be protected are discarded.

PFS
Enable and configure the PFS feature or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
• dh-group5—Uses the 1536-bit Diffie-Hellman group.
• dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
• Two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

ACL
Select an ACL for identifying protected traffic.
Make sure that this ACL has been created and contains at least one rule.
You can use an ACL to identify traffic between VPN instances.

Aggregation
Select this option if you are using one tunnel to protect all data flows permitted by the ACL. If you do not select the aggregation mode, the standard mode applies and one tunnel is set up for each data flow permitted by the ACL.
This configuration item is available after you specify an ACL.
IMPORTANT:
The two ends of a tunnel must operate in the same mode.

SA Lifetime (Time Based, Traffic Based)
Enter the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
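The negotiation rules in the table above, modelled as an added example that is not part of the H3C manual: two peers' policy settings are compared and either the first violated rule (proposal match, PFS group, tunnel mode) or the negotiated parameters are returned. Proposal names and lifetime values used with it are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Diffie-Hellman groups from the PFS option list above, with modulus size in bits.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}


@dataclass
class IpsecPolicy:
    proposals: list          # IPsec proposal names in preference order (hypothetical names)
    pfs: Optional[str]       # "dh-groupN" when PFS is enabled, None when disabled
    aggregation: bool        # True = aggregation mode, False = standard mode
    time_lifetime: int       # time-based SA lifetime (seconds)
    traffic_lifetime: int    # traffic-based SA lifetime (kilobytes)


def negotiate(local: IpsecPolicy, peer: IpsecPolicy) -> dict:
    """Predict whether two policies can set up IPsec SAs and with which parameters,
    checking each rule the table states; the first failing rule is reported."""
    if len(local.proposals) > 6:
        return {"ok": False, "reason": "more than six IPsec proposals selected"}
    if local.pfs is not None and local.pfs not in DH_GROUP_BITS:
        return {"ok": False, "reason": f"unknown PFS group {local.pfs}"}
    # At least one IPsec proposal must match, otherwise protected packets are discarded.
    common = [p for p in local.proposals if p in peer.proposals]
    if not common:
        return {"ok": False, "reason": "no matching IPsec proposal"}
    # Both peers must use the same Diffie-Hellman group (or both leave PFS disabled).
    if local.pfs != peer.pfs:
        return {"ok": False, "reason": "PFS Diffie-Hellman group mismatch"}
    # The two ends of a tunnel must operate in the same (aggregation or standard) mode.
    if local.aggregation != peer.aggregation:
        return {"ok": False, "reason": "aggregation mode mismatch"}
    # IKE takes the smaller of the local and the peer-proposed lifetime for each kind.
    return {
        "ok": True,
        "proposal": common[0],
        "phase2_extra_key_exchange": local.pfs is not None,
        "pfs_bits": DH_GROUP_BITS[local.pfs] if local.pfs else 0,
        "time_lifetime": min(local.time_lifetime, peer.time_lifetime),
        "traffic_lifetime": min(local.traffic_lifetime, peer.traffic_lifetime),
    }
```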