Configuring an IPsec policy – H3C Technologies H3C SecPath F1000-E User Manual
Item Description
PFS
Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature.
• dh-group1: Uses the 768-bit Diffie-Hellman group.
• dh-group2: Uses the 1024-bit Diffie-Hellman group.
• dh-group5: Uses the 1536-bit Diffie-Hellman group.
• dh-group14: Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time. The 768-bit group (dh-group1) and the 1024-bit group (dh-group2) are below current recommendations for Diffie-Hellman modulus size; where the peer supports it, use dh-group14.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional Diffie-Hellman key exchange is performed in phase 2 (quick mode), so the keys of each IPsec SA are derived from a fresh shared secret rather than only from the phase-1 keying material.
• Both peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.
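As an added example (not part of the H3C manual or of the device's software), the following Python script shows what the dh-groupN options refer to and what PFS changes. It rebuilds the four MODP primes from their published definitions (RFC 2409 for groups 1 and 2, RFC 3526 for groups 5 and 14), checks them, runs one ephemeral Diffie-Hellman exchange per group so the relative cost of the groups is visible, enforces the same-group rule, and derives phase-2 keying material with and without the extra DH secret following the KEYMAT formula of RFC 2409 section 5.5. The SKEYID_d value, SPI and nonces are constructed random test values, and HMAC-SHA256 as the prf is an assumption made for illustration; the H3C implementation itself is not shown.

```python
"""Added example, not from the H3C manual: the MODP groups behind dh-group1/2/5/14
and what PFS adds to phase-2 key derivation.  Prime definitions: RFC 2409 s.6.1-6.2
and RFC 3526 s.2-3.  KEYMAT formula: RFC 2409 s.5.5.  The prf choice is an assumption."""
import hashlib
import hmac
import secrets
import time

# group -> (modulus bits b, constant c); p = 2^b - 2^(b-64) - 1 + 2^64 * (floor(2^(b-130)*pi) + c)
MODP_GROUPS = {1: (768, 149686), 2: (1024, 129093), 5: (1536, 741804), 14: (2048, 124476)}
GENERATOR = 2  # g = 2 for all four groups


def _arctan_inv(x, prec_bits):
    """floor(2**prec_bits * arctan(1/x)) from the alternating series, integers only."""
    term = (1 << prec_bits) // x
    total, x2, k, sign = term, x * x, 1, -1
    while term:
        term //= x2
        total += sign * (term // (2 * k + 1))
        sign, k = -sign, k + 1
    return total


def pi_floor(shift, guard=64):
    """floor(2**shift * pi) via Machin's formula; 'guard' extra bits absorb series error."""
    p = shift + guard
    return (16 * _arctan_inv(5, p) - 4 * _arctan_inv(239, p)) >> guard


def modp_prime(group):
    """Rebuild the published prime of an IKE MODP group from its defining formula."""
    bits, c = MODP_GROUPS[group]
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor(bits - 130) + c)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: a sanity check that the rebuilt value is the RFC prime."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def negotiate_pfs_group(initiator_group, responder_group):
    """Both peers must be configured with the same group, or negotiation fails."""
    if initiator_group != responder_group:
        raise ValueError(f"PFS group mismatch: dh-group{initiator_group} vs dh-group{responder_group}")
    return initiator_group


def dh_exchange(group):
    """One fresh Diffie-Hellman exchange: what PFS adds to every phase-2 negotiation."""
    p = modp_prime(group)
    x_i, x_r = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1  # private exponents
    g_i, g_r = pow(GENERATOR, x_i, p), pow(GENERATOR, x_r, p)  # public values sent in quick mode
    s_i, s_r = pow(g_r, x_i, p), pow(g_i, x_r, p)  # both sides compute g^(x_i*x_r)
    assert s_i == s_r
    return s_i.to_bytes((p.bit_length() + 7) // 8, "big")


def keymat(skeyid_d, protocol, spi, ni, nr, g_xy=None):
    """RFC 2409 s.5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return hmac.new(skeyid_d, (g_xy or b"") + protocol + spi + ni + nr, hashlib.sha256).digest()


def pfs_demo(group=14):
    """Return (non-PFS keys recoverable from SKEYID_d, PFS keys recoverable from SKEYID_d)."""
    skeyid_d = secrets.token_bytes(32)  # phase-1 derived secret (constructed test value)
    protocol, spi = b"\x03", secrets.token_bytes(4)  # ESP, SPI of the new SA (constructed)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # quick-mode nonces (constructed)
    g_xy = dh_exchange(negotiate_pfs_group(group, group))
    k_nopfs = keymat(skeyid_d, protocol, spi, ni, nr)
    k_pfs = keymat(skeyid_d, protocol, spi, ni, nr, g_xy)
    # An attacker who later obtains SKEYID_d and has captured the SPI and nonces can
    # recompute the non-PFS keys; the PFS keys also need g^xy, which was never sent.
    recovered = keymat(skeyid_d, protocol, spi, ni, nr)
    return recovered == k_nopfs, recovered == k_pfs


if __name__ == "__main__":
    for g in MODP_GROUPS:
        p = modp_prime(g)
        t0 = time.perf_counter()
        dh_exchange(g)
        print(f"dh-group{g}: {p.bit_length()}-bit prime, probable prime={is_probable_prime(p)}, "
              f"one exchange took {1000 * (time.perf_counter() - t0):.1f} ms")
    print("non-PFS keys recoverable, PFS keys recoverable:", pfs_demo(14))
    try:
        negotiate_pfs_group(2, 14)
    except ValueError as e:
        print(e)
```

Running the script prints the modulus size and the time of one exchange per group, which makes the "descending order of security and calculation time" statement concrete, and the final two lines show the mismatch error a peer configured with a different group would cause. The pfs_demo result (True, False) is the point of PFS: with the phase-1 secret alone the non-PFS SA keys can be recomputed, the PFS ones cannot.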
ACL
Select an ACL to identify the traffic to be protected. The ACL must already exist and contain at least one rule.
ACL configuration supports VPN multi-instance: you can use an ACL to identify traffic between VPN instances.
SA Lifetime
• Time Based
• Traffic Based
Type the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer, so a local value larger than the peer's has no effect on the negotiated lifetime.
Configuring an IPsec Policy
Select VPN > IPSec > Policy from the navigation tree to enter the IPsec policy management page as shown in . Then, click Add to add an IPsec policy on the page shown in .
Figure 16 IPsec policy list