H3C Technologies H3C SecPath F1000-E User Manual
Step 6. Specify an IKE peer for the IPsec policy.
  Command: ike-peer peer-name
  Remark: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

Step 7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remark: Optional. By default, the PFS feature is not used for negotiation. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE."

Step 8. Set the SA lifetime.
  Command: sa duration { time-based seconds | traffic-based kilobytes }
  Remark: Optional. By default, the global SA lifetime is used.

Step 9. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
  Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
  Remark: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.

Step 10. Enable the IPsec policy.
  Command: policy enable
  Remark: Optional. Enabled by default.

Step 11. Return to system view.
  Command: quit
  Remark: N/A

Step 12. Set the global SA lifetime.
  Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
  Remark: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
Step 1. Enter system view.
  Command: system-view
  Remark: N/A

Step 2. Create an IPsec policy template and enter its view.
  Command: ipsec policy-template template-name seq-number
  Remark: By default, no IPsec policy template exists.

Step 3. Specify the ACL for the IPsec policy to reference.
  Command: security acl acl-number
  Remark: Optional. By default, an IPsec policy references no ACL.

Step 4. Specify the IPsec proposals for the IPsec policy to reference.
  Command: proposal proposal-name&<1-6>
  Remark: By default, an IPsec policy references no IPsec proposal.

Step 5. Specify the IKE peer for the IPsec policy to reference.
  Command: ike-peer peer-name
  Remark: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.
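The two procedures above (steps 6 to 12 of the IKE-based IPsec policy, and steps 1 to 5 of the policy template) carried out in one Comware CLI session, as an added example that is not taken from the manual. The device name, policy and template names, ACL numbers, proposal name and IKE peer names are constructed and assumed to be defined already; the "ipsec policy ... isakmp" creation command, the "template" reference and the "display ipsec policy" check belong to other pages of the procedure and are assumptions here, and the view prompts are approximate.

```text
# Annotated session transcript; lines starting with # are annotations, not commands.
<Firewall> system-view
# Assumption: the policy itself was created in the steps preceding this page.
[Firewall] ipsec policy hq-to-branch 10 isakmp
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] security acl 3000
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] proposal prop-aes-sha
# Step 6: the peer must not already be referenced by an IPsec profile.
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] ike-peer branch-peer
# Step 7: PFS is off by default; dh-group14 is the strongest group listed and is
# the one to choose in FIPS mode, where dh-group1 is not supported.
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] pfs dh-group14
# Step 8: shorter lifetimes than the global defaults for this policy only.
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] sa duration time-based 1800
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] sa duration traffic-based 921600
# Step 9: sync inbound anti-replay state more often than the 1000-packet default
# so a failover drops less replay-protection state (outbound kept at default).
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] synchronization anti-replay-interval inbound 500 outbound 100000
# Step 10 (already the default) and step 11.
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] policy enable
[Firewall-ipsec-policy-isakmp-hq-to-branch-10] quit
# Step 12: global lifetimes used by any policy without its own sa duration;
# these values are the documented defaults, restated explicitly.
[Firewall] ipsec sa global-duration time-based 3600
[Firewall] ipsec sa global-duration traffic-based 1843200

# Policy template (steps 1 to 5) for peers whose address is not known in advance.
[Firewall] ipsec policy-template branch-template 1
[Firewall-ipsec-policy-template-branch-template-1] security acl 3001
[Firewall-ipsec-policy-template-branch-template-1] proposal prop-aes-sha
# A different peer: the same IKE peer may be referenced by several policies or
# templates, but not by an IPsec profile at the same time.
[Firewall-ipsec-policy-template-branch-template-1] ike-peer dialup-peer
[Firewall-ipsec-policy-template-branch-template-1] quit
# Assumption: a policy entry that references the template (from a later page).
[Firewall] ipsec policy hq-to-branch 20 isakmp template branch-template
# Assumption: verification command; confirm the peer, PFS group and lifetimes.
[Firewall] display ipsec policy name hq-to-branch
```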