Configuring the dvpn tunnel parameters – H3C Technologies H3C SecPath F1000-E User Manual
Step / Command / Remarks

5. Enable and configure perfect forward secrecy (PFS).
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, PFS is not used for negotiation. For information about PFS, see "Configuring IKE." Of the groups listed, dh-group1 (768-bit MODP) and dh-group2 (1024-bit MODP) are too weak for current use; select dh-group14 (2048-bit MODP) unless the peer cannot support it, and remember that both ends must select the same group.

6. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, an IPsec profile uses the global SA lifetime. For information about the global SA lifetime, see "Configuring IPsec."
NOTE:
• An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec proposals. During negotiation, IKE searches for an IPsec proposal that matches at both ends. If no match is found, no SAs can be established and packets requiring IPsec protection are discarded.
• When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for the negotiation and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation fails.
• When an IPsec profile protects DVPN traffic, you can configure the IPsec proposals referenced by the IPsec profile to use the ESP protocol, the AH protocol, or both. Note that AH provides only integrity and origin authentication, not encryption; if the DVPN traffic needs confidentiality, the proposals must use ESP (alone or together with AH).
• Because DVPN addresses are dynamic, the address set with the remote-address keyword for the IKE peer that an IPsec profile references does not take effect on the initiator.
• For information about the commands ipsec profile, proposal, ike-peer, pfs and sa duration, see VPN Command Reference.
Configuring the DVPN tunnel parameters
Before configuring DVPN tunnel parameters, make sure IP addresses have been configured for the
source interfaces (VLAN interfaces, GigabitEthernet interfaces, or Loopback interfaces) of the virtual
tunnel interfaces and there are routes available between the interfaces.
To configure a DVPN tunnel:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a tunnel interface and enter its view.
   Command: interface tunnel number
   Remarks: No tunnel interface is created by default.

3. Configure a private IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: A tunnel interface has no private IPv4 address configured by default.

4. Configure the tunnel mode as DVPN, and specify the encapsulation mode of the DVPN tunnel.
   Command: tunnel-protocol dvpn { gre | udp }
   Remarks: The two ends of a tunnel must work in the same tunnel mode.
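The IPsec profile steps above (PFS and SA lifetime) and the four DVPN tunnel steps, typed as one CLI session, as an added example that is not taken from the manual. The profile name dvpn-profile, proposal name dvpn-prop, IKE peer name dvpn-peer, the source interface GigabitEthernet0/1, the addresses 192.0.2.1 and 10.1.1.1, and the 3600-second lifetime are assumed placeholders; the proposal and the IKE peer are assumed to exist already, and the ipsec profile, proposal and ike-peer command forms are those named in the note above (see VPN Command Reference for their full syntax). Lines beginning with # are comments, not commands.

```text
# Added example, not from the manual; names and addresses are placeholders.
system-view
# IPsec profile: reference an existing proposal and IKE peer, then steps 5 and 6.
# PFS is off by default; dh-group14 is chosen here and the peer must select the same group.
ipsec profile dvpn-profile
 proposal dvpn-prop
 ike-peer dvpn-peer
 pfs dh-group14
 sa duration time-based 3600
 quit
# Prerequisite for the tunnel: the source interface needs an IP address and a route to the peer.
interface GigabitEthernet 0/1
 ip address 192.0.2.1 255.255.255.0
 quit
# Steps 1 to 4: tunnel interface with a private address in DVPN UDP encapsulation mode.
# The remote end of this tunnel must also be configured with tunnel-protocol dvpn udp.
interface tunnel 0
 ip address 10.1.1.1 255.255.255.0
 tunnel-protocol dvpn udp
 quit
```

If the peer is configured without pfs, or with a different DH group, the IKE negotiation for this profile fails as described in the note above, so the two configurations should be compared side by side before the tunnel is brought up.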