
H3C Technologies H3C SecPath F1000-E User Manual

Page 182


Item / Description

IPsec Proposal
  Select up to six IPsec proposals for the IPsec policy.
  IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established and the packets that need to be protected are discarded.

PFS
  Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature. Options include:
  dh-group1—Uses the 768-bit Diffie-Hellman group. In FIPS mode, dh-group1 is not supported and, if selected, does not take effect.
  dh-group2—Uses the 1024-bit Diffie-Hellman group.
  dh-group5—Uses the 1536-bit Diffie-Hellman group.
  dh-group14—Uses the 2048-bit Diffie-Hellman group.

  IMPORTANT:
  dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
  When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
  The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

ACL
  Select an ACL for identifying protected traffic.
  Make sure that this ACL has been created and contains at least one rule.
  You can use an ACL to identify traffic between VPN instances.

Aggregation
  Select this option if you are using one tunnel to protect all data flows permitted by the ACL. If you do not select the aggregation mode, the standard mode applies and one tunnel is set up for each data flow permitted by the ACL.
  This configuration item is available after you specify an ACL.

  IMPORTANT:
  The two ends of a tunnel must work in the same mode.

SA Lifetime (Time Based / Traffic Based)
  Enter the time-based and traffic-based SA lifetime values.

  IMPORTANT:
  When negotiating IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.

Reverse Route Injection
  Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes.
  After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.

  IMPORTANT:
  If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
  IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the IPsec SAs are deleted.
  To view the static routes created by IPsec RRI, select Network > Routing Management > Routing Info from the navigation tree.
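The table above states four rules that decide whether two peers' IPsec policies can produce an SA: at least one proposal must match, both peers must use the same PFS Diffie-Hellman group, both tunnel ends must use the same aggregation mode, and IKE takes the smaller of the two configured lifetimes. The following Python model, added here as an example and not part of the H3C manual or firmware, applies those rules to two constructed policy objects so a pair of configurations can be checked for mismatches before they are deployed. The `IpsecPolicy` class, its field names, the default lifetime values and the treatment of FIPS mode (a selected `dh-group1` is modelled as "no PFS in effect", since the page only says it does not take effect) are assumptions made for this example.

```python
"""Model of the IPsec policy negotiation rules listed in the manual page.

Constructed example, not H3C code: it checks two policies against the page's
rules (matching proposal, same PFS group, same aggregation mode, smaller
lifetime wins) and reports the negotiated parameters or the reason for failure.
"""
from dataclasses import dataclass
from typing import List, Optional

# PFS Diffie-Hellman groups and their modulus sizes, as listed on the page.
# The page ranks them dh-group14 > dh-group5 > dh-group2 > dh-group1 in
# descending order of security and calculation time.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024,
                 "dh-group5": 1536, "dh-group14": 2048}
MAX_PROPOSALS = 6  # the page allows up to six proposals per policy


@dataclass
class IpsecPolicy:
    """One side's IPsec policy (assumed field names for this example)."""
    name: str
    proposals: List[str]           # IPsec proposal names, at most six
    pfs: Optional[str] = None      # "dh-groupN", or None when PFS is disabled
    aggregation: bool = False      # True: one tunnel for all ACL flows
    time_lifetime: int = 3600      # seconds (constructed default)
    traffic_lifetime: int = 1843200  # kilobytes (constructed default)
    fips_mode: bool = False

    def effective_pfs(self) -> Optional[str]:
        # Assumption: in FIPS mode dh-group1 "does not take effect", which is
        # modelled here as PFS not being in effect for the negotiation.
        if self.fips_mode and self.pfs == "dh-group1":
            return None
        return self.pfs


def validate_policy(p: IpsecPolicy) -> List[str]:
    """Return configuration errors visible from a single policy."""
    errors = []
    if not p.proposals:
        errors.append(f"{p.name}: no IPsec proposal selected")
    if len(p.proposals) > MAX_PROPOSALS:
        errors.append(f"{p.name}: more than {MAX_PROPOSALS} proposals selected")
    if p.pfs is not None and p.pfs not in DH_GROUP_BITS:
        errors.append(f"{p.name}: unknown PFS group {p.pfs}")
    if p.fips_mode and p.pfs == "dh-group1":
        errors.append(f"{p.name}: dh-group1 is not supported in FIPS mode")
    return errors


@dataclass
class NegotiationResult:
    ok: bool
    reason: str
    proposal: Optional[str] = None
    pfs: Optional[str] = None
    time_lifetime: int = 0
    traffic_lifetime: int = 0


def negotiate(local: IpsecPolicy, peer: IpsecPolicy) -> NegotiationResult:
    """Apply the page's rules to a local/peer policy pair."""
    # Rule 1: at least one matching proposal, otherwise no SA and the
    # packets that need protection are discarded.
    common = [p for p in local.proposals if p in peer.proposals]
    if not common:
        return NegotiationResult(False, "no matching IPsec proposal; "
                                        "protected packets are discarded")
    # Rule 2: both peers must use the same Diffie-Hellman group for PFS.
    if local.effective_pfs() != peer.effective_pfs():
        return NegotiationResult(False, f"PFS mismatch: local "
                                        f"{local.effective_pfs()} vs peer "
                                        f"{peer.effective_pfs()}")
    # Rule 3: both tunnel ends must work in the same mode.
    if local.aggregation != peer.aggregation:
        return NegotiationResult(False, "aggregation mode mismatch")
    # Rule 4: IKE uses the smaller of the local and proposed lifetimes.
    return NegotiationResult(
        True, "IPsec SA established", proposal=common[0],
        pfs=local.effective_pfs(),
        time_lifetime=min(local.time_lifetime, peer.time_lifetime),
        traffic_lifetime=min(local.traffic_lifetime, peer.traffic_lifetime))


if __name__ == "__main__":
    hq = IpsecPolicy("hq", ["prop-aes-sha", "prop-3des-md5"], pfs="dh-group14",
                     aggregation=True, time_lifetime=3600)
    branch = IpsecPolicy("branch", ["prop-aes-sha"], pfs="dh-group14",
                         aggregation=True, time_lifetime=1800)
    print(validate_policy(hq) + validate_policy(branch))
    print(negotiate(hq, branch))
```

Running the module prints an empty error list and a successful result whose time-based lifetime is the branch's 1800 seconds, because the smaller of the two values wins; changing the branch to `pfs="dh-group5"` or `aggregation=False` produces the corresponding failure reason instead.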