Displaying dvpn session information – H3C Technologies H3C SecPath F1000-E User Manual
Item Description
PFS
Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.
• None: Disables PFS.
• Diffie-Hellman Group1: Enables PFS and uses the 768-bit Diffie-Hellman group.
• Diffie-Hellman Group2: Enables PFS and uses the 1024-bit Diffie-Hellman group.
• Diffie-Hellman Group5: Enables PFS and uses the 1536-bit Diffie-Hellman group.
• Diffie-Hellman Group14: Enables PFS and uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• DH Group14, DH Group5, DH Group2, and DH Group1 are listed in descending order of security and calculation time.
• When IPsec uses an IPsec connection with PFS configured to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
• The local and remote peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.
SA Lifetime
Set the time-based IPsec SA lifetime, traffic-based IPsec SA lifetime, or both.
IMPORTANT:
When negotiating to set up IPsec SAs, IKE uses the smaller of the local
lifetime settings and the lifetime settings proposed by the peer.
DPD
Enable or disable the Dead Peer Detection (DPD) function.
DPD detects dead IKE peers at irregular intervals. When the local end sends an
IPsec packet, DPD checks the time the last IPsec packet was received from the
peer. If the time exceeds the DPD interval, it sends a DPD hello to the peer.
If the local end receives no DPD acknowledgement within the DPD packet
retransmission interval, it retransmits the DPD hello. If the local end still
receives no DPD acknowledgement after making the maximum number of
retransmission attempts (two by default), it considers the peer dead and
clears the IKE SA and the IPsec SAs based on the IKE SA.
DPD Interval
Enter the interval after which DPD is triggered if no IPsec packet is received
from the peer.
DPD Timeout
Enter the interval after which DPD packet retransmission will occur if no DPD
response is received.
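The DPD behaviour described in the table above, replayed as a small simulation. This is an added example, not H3C code. Assumptions: the function name simulate_dpd, the event format, the sample interval and timeout values, the reading that one hello is followed by up to the maximum number of retransmissions before the peer is declared dead, and that an acknowledgement resets the idle clock.

```python
def simulate_dpd(events, until, interval=10, timeout=5, max_retx=2):
    """Replay local-end events and return the DPD actions taken.

    events: time-ordered (t, kind) tuples, times in seconds, kind one of
      "send" (local end sends an IPsec packet),
      "recv" (IPsec packet received from the peer),
      "ack"  (DPD acknowledgement received).
    interval/timeout are constructed sample values, not device defaults;
    max_retx=2 is the default the manual states.
    """
    actions = []
    last_heard = 0      # last proof of liveness from the peer
    timer = None        # when the pending hello times out (None = no probe)
    retx = 0            # retransmissions already made for this probe
    for t, kind in list(events) + [(until, "end")]:
        # Expire hello timers that ran out before this event.
        while timer is not None and timer <= t:
            if retx == max_retx:
                # Peer considered dead: IKE SA and its IPsec SAs are cleared.
                actions.append((timer, "peer_dead"))
                return actions
            retx += 1
            actions.append((timer, "retransmit"))
            timer += timeout
        if kind in ("recv", "ack"):
            # Assumption: an acknowledgement also resets the idle clock.
            last_heard, timer, retx = t, None, 0
        elif kind == "send" and timer is None and t - last_heard > interval:
            # DPD is only triggered by outbound traffic after an idle period.
            actions.append((t, "hello"))
            timer = t + timeout
    return actions


# Constructed scenario: the peer goes silent after t=2, but the local end
# has nothing to send until t=40, so the failure is not noticed before then.
SILENT_PEER = [(2, "recv"), (5, "send"), (40, "send")]
# Constructed scenario: the peer answers the first retransmitted hello.
SLOW_PEER = [(2, "recv"), (20, "send"), (27, "ack"), (29, "send")]

if __name__ == "__main__":
    print(simulate_dpd(SILENT_PEER, until=120))
    print(simulate_dpd(SLOW_PEER, until=120))
```

In the first scenario the peer is declared dead at t=55 although it went silent after t=2, because detection only starts once the local end has traffic to send.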
Displaying DVPN session information
From the navigation tree, select VPN > DVPN > Client. Click the DVPN session tab to view the DVPN
session list, as shown in
. Click the
icon of a session to view the detailed information of the