Configuring ike dpd – H3C Technologies H3C SecPath F1000-E User Manual

Item: DH Group
Description: Select the DH group to be used in key negotiation phase 1. Options include:
  Group1—Uses the 768-bit Diffie-Hellman group. This group is not available in FIPS mode.
  Group2—Uses the 1024-bit Diffie-Hellman group. It is the default group in FIPS mode.
  Group5—Uses the 1536-bit Diffie-Hellman group.
  Group14—Uses the 2048-bit Diffie-Hellman group.

Item: SA Lifetime
Description: Enter the ISAKMP SA lifetime of the IKE proposal.
  Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately, and the old one is cleared automatically when it expires.
  In FIPS mode, when the current SA expires, IPsec requires IKE to negotiate a new SA; IKE responds to the request and actively initiates the negotiation.

  IMPORTANT:
  If the SA lifetime expires, the system automatically updates the ISAKMP SA. DH calculation in IKE negotiation takes time, especially on low-end devices. Set the lifetime to more than 10 minutes to prevent the SA update from disrupting normal communication.

Configuring IKE DPD

DPD detects dead IKE peers on demand rather than at fixed intervals. When the local end sends an IPsec packet, DPD checks the time at which the last IPsec packet was received from the peer. If that time exceeds the DPD interval, the local end sends a DPD hello to the peer. If it receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If it still receives no DPD acknowledgement after the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs based on that IKE SA.
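The detection sequence above, as an added example that is not part of the H3C manual or its software: a small Python model of the on-demand DPD state machine, so the timing rules can be stepped through by hand. The DPD interval, retransmission interval, retry count and clock are all assumed inputs supplied by the caller.

```python
# Added example (not H3C code): a model of the on-demand DPD logic the
# manual describes. Assumptions: times are in seconds and the clock is
# supplied by the caller; "clear_sa" stands for tearing down the IKE/IPsec SAs.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DpdState:
    interval: float             # DPD interval: peer silence before a hello is sent
    retransmit_interval: float  # DPD packet retransmission interval
    max_retries: int = 2        # maximum retransmission attempts (page default)
    last_rx: float = 0.0        # time the last IPsec packet arrived from the peer
    hello_sent: Optional[float] = None  # time of the outstanding, unanswered hello
    retries: int = 0
    alive: bool = True
    log: list = field(default_factory=list)

    def on_receive_from_peer(self, now: float) -> None:
        """Any IPsec packet or DPD acknowledgement from the peer resets the detector."""
        self.last_rx, self.hello_sent, self.retries = now, None, 0

    def on_send_ipsec(self, now: float) -> str:
        """DPD runs only when the local end sends an IPsec packet: if the peer
        has been silent for longer than the DPD interval, send a DPD hello."""
        if not self.alive:
            return "dead"
        if self.hello_sent is None and now - self.last_rx > self.interval:
            self.hello_sent = now
            self.log.append(("hello", now))
            return "hello"
        return "ok"

    def on_timer(self, now: float) -> str:
        """Retransmit an unanswered hello once the retransmission interval has
        passed; after max_retries unanswered retransmissions, declare the peer dead."""
        if not self.alive or self.hello_sent is None:
            return "idle"
        if now - self.hello_sent < self.retransmit_interval:
            return "waiting"
        if self.retries < self.max_retries:
            self.retries += 1
            self.hello_sent = now
            self.log.append(("retransmit", now))
            return "retransmit"
        self.alive = False
        self.hello_sent = None
        self.log.append(("clear_sa", now))
        return "dead"
```

With a 10 s DPD interval and a 5 s retransmission interval, a peer that goes silent is declared dead 15 s after the first hello (hello, two retransmissions, then teardown), which is the budget the defaults give a flapping link before its SAs are cleared.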
To configure IKE DPD:

1. Select VPN > IKE > DPD from the navigation tree.

Figure 85 DPD detector list