H3C Technologies H3C SecPath F1000-E User Manual
Page 179
Item Description
PFS
Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature. Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group. In FIPS mode, dh-group1 is not supported, and if selected, does not take effect.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
• dh-group5—Uses the 1536-bit Diffie-Hellman group.
• dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
• The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.
ACL
Select an ACL for identifying protected traffic.
The specified ACL must already exist and contain at least one rule.
ACL configuration supports VPN multi-instance: you can use an ACL to identify traffic between VPN instances.
SA Lifetime (Time Based, Traffic Based)
Enter the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
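The PFS rules above (same Diffie-Hellman group on both peers, extra phase-2 key exchange when PFS is on, dh-group1 not taking effect in FIPS mode) and the lifetime rule (IKE takes the smaller of the local and proposed values) can be checked on sample policies with the following model. This is an added example, not H3C code and not the device's IKE implementation; the class and function names, the treatment of a FIPS-mode dh-group1 selection as "PFS not applied", and the sample policy values are assumptions made for the illustration.

```python
# Added illustration: a model of the PFS and SA-lifetime rules from this table.
# This is not H3C code and not the device's IKE implementation; it only encodes
# the negotiation rules the manual states so they can be checked on sample policies.
from dataclasses import dataclass
from typing import List, Optional

# DH groups listed on the page, with the modulus size the manual gives for each.
DH_GROUP_BITS = {
    "dh-group1": 768,
    "dh-group2": 1024,
    "dh-group5": 1536,
    "dh-group14": 2048,
}


@dataclass
class IpsecPolicy:
    """One peer's IPsec policy settings relevant to phase-2 negotiation."""
    pfs: Optional[str]        # DH group name, or None when PFS is disabled
    time_lifetime: int        # time-based SA lifetime, seconds
    traffic_lifetime: int     # traffic-based SA lifetime, kilobytes
    fips_mode: bool = False


def groups_by_security() -> List[str]:
    """DH groups ordered from strongest to weakest (descending modulus size)."""
    return sorted(DH_GROUP_BITS, key=DH_GROUP_BITS.__getitem__, reverse=True)


def effective_pfs(policy: IpsecPolicy) -> Optional[str]:
    """DH group that actually applies to this policy.

    The manual says dh-group1 is not supported in FIPS mode and "does not take
    effect" if selected; this model (an assumption) treats that as PFS not being
    applied for that peer.
    """
    if policy.pfs is None:
        return None
    if policy.pfs not in DH_GROUP_BITS:
        raise ValueError(f"unknown DH group: {policy.pfs!r}")
    if policy.fips_mode and policy.pfs == "dh-group1":
        return None
    return policy.pfs


def negotiate(local: IpsecPolicy, peer: IpsecPolicy) -> dict:
    """Simulate phase-2 negotiation between two peers' IPsec policies.

    Both peers must use the same DH group or negotiation fails; with PFS on,
    an additional key exchange happens in phase 2; each lifetime is the smaller
    of the local setting and the peer's proposal.
    """
    local_group = effective_pfs(local)
    peer_group = effective_pfs(peer)
    if local_group != peer_group:
        return {
            "ok": False,
            "reason": f"PFS mismatch: local={local_group}, peer={peer_group}",
        }
    return {
        "ok": True,
        "pfs": local_group,
        "extra_key_exchange": local_group is not None,
        "time_lifetime": min(local.time_lifetime, peer.time_lifetime),
        "traffic_lifetime": min(local.traffic_lifetime, peer.traffic_lifetime),
    }


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real device.
    a = IpsecPolicy(pfs="dh-group14", time_lifetime=3600, traffic_lifetime=1843200)
    b = IpsecPolicy(pfs="dh-group14", time_lifetime=86400, traffic_lifetime=1000000)
    print(negotiate(a, b))   # succeeds; lifetimes 3600 s and 1000000 KB
    c = IpsecPolicy(pfs="dh-group1", time_lifetime=3600,
                    traffic_lifetime=1843200, fips_mode=True)
    print(negotiate(a, c))   # fails: dh-group14 versus no effective PFS
```

The second call shows the practical consequence of the FIPS note: a peer that keeps dh-group1 configured in FIPS mode ends up with no effective PFS group, so a partner configured with dh-group14 cannot negotiate with it, even though both sides appear to have PFS enabled.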
Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
• IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Network > Routing Management > Routing Info from the navigation tree.
Next Hop
Specify a next hop for the static routes.
If you do not specify any next hop, the remote tunnel endpoint's address learned during IPsec SA negotiation is used.
Priority
Change the preference of the static routes, for example for equal-cost multipath (ECMP) routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes.
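The RRI lifecycle described above (a static route to the peer private network installed when an outbound SA comes up, the learned remote tunnel endpoint used as next hop unless one is configured, removal when the SA is deleted) and the Priority rule (equal preference means ECMP load balancing, otherwise the most preferred route forwards and the rest are backups) are modelled below. This is an added example, not H3C code and not the device's routing implementation; the class names, the SA record fields, the default preference of 60 and the assumption that a lower numeric preference value is more preferred (the convention for Comware static routes) are assumptions, and the addresses are constructed sample values.

```python
# Added illustration: a model of the IPsec RRI behaviour this table describes.
# Not H3C code and not the device's routing implementation; the class names,
# the SA record fields and the sample addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # peer private network in CIDR notation
    next_hop: str
    preference: int    # assumption: lower value = more preferred (Comware static-route convention)


@dataclass
class IpsecSa:
    sa_id: int
    direction: str             # "inbound" or "outbound"
    peer_private_network: str  # protected remote network from the negotiation
    remote_endpoint: str       # remote tunnel endpoint learned during negotiation


class RoutingTable:
    """Minimal routing table holding only the static routes of interest."""

    def __init__(self) -> None:
        self.routes: List[StaticRoute] = []

    def add(self, route: StaticRoute) -> None:
        self.routes.append(route)

    def remove(self, route: StaticRoute) -> None:
        # Remove by identity so two identical routes from different SAs stay independent.
        self.routes = [r for r in self.routes if r is not route]

    def forwarding_routes(self, destination: str) -> List[StaticRoute]:
        """Routes that actually carry traffic to destination.

        All routes sharing the best preference forward traffic (ECMP, load
        balanced); routes with a worse preference are backups.
        """
        candidates = [r for r in self.routes if r.destination == destination]
        if not candidates:
            return []
        best = min(r.preference for r in candidates)
        return [r for r in candidates if r.preference == best]


class RriManager:
    """Installs a static route when an outbound IPsec SA is created and removes
    it when that SA is deleted, mirroring the IPsec RRI behaviour in the table."""

    def __init__(self, table: RoutingTable, next_hop: Optional[str] = None,
                 preference: int = 60) -> None:
        self.table = table
        self.next_hop = next_hop        # None: use the learned remote tunnel endpoint
        self.preference = preference    # the Priority setting in the table
        self.installed: Dict[int, StaticRoute] = {}

    def on_sa_created(self, sa: IpsecSa) -> Optional[StaticRoute]:
        """RRI only reacts to outbound SAs; inbound SAs install nothing."""
        if sa.direction != "outbound":
            return None
        route = StaticRoute(sa.peer_private_network,
                            self.next_hop or sa.remote_endpoint,
                            self.preference)
        self.table.add(route)
        self.installed[sa.sa_id] = route
        return route

    def on_sa_deleted(self, sa_id: int) -> bool:
        """Remove the route created for this SA; False if none was installed."""
        route = self.installed.pop(sa_id, None)
        if route is None:
            return False
        self.table.remove(route)
        return True


if __name__ == "__main__":
    table = RoutingTable()
    rri = RriManager(table)
    # Constructed sample SA: remote peer 203.0.113.7 protecting 10.2.0.0/16.
    primary = rri.on_sa_created(IpsecSa(1, "outbound", "10.2.0.0/16", "203.0.113.7"))
    print(primary)                          # next hop is the learned endpoint
    backup = RriManager(table, next_hop="192.0.2.1", preference=100)
    backup.on_sa_created(IpsecSa(2, "outbound", "10.2.0.0/16", "203.0.113.9"))
    print(table.forwarding_routes("10.2.0.0/16"))   # only the preference-60 route
    rri.on_sa_deleted(1)
    print(table.forwarding_routes("10.2.0.0/16"))   # backup route now forwards
```

Running the block shows the two cases the Priority description distinguishes: with different preference values only the most preferred route forwards until its SA goes away, while a second RRI instance configured with the same preference would produce two forwarding routes and balanced traffic.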