Applying an ipsec policy group – H3C Technologies H3C SecPath F1000-E User Manual
Item: PFS
Description:
Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable it. The available Diffie-Hellman groups are:
• dh-group1: Uses the 768-bit Diffie-Hellman group.
• dh-group2: Uses the 1024-bit Diffie-Hellman group.
• dh-group5: Uses the 1536-bit Diffie-Hellman group.
• dh-group14: Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time (the larger the group, the stronger and the more expensive the exchange).
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional Diffie-Hellman key exchange is performed in phase 2, so the IPsec SA keys no longer depend only on the phase-1 keying material.
• The two peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.

Item: ACL
Description:
Select an ACL for identifying the traffic to be protected.
Ensure that this ACL has already been created and contains at least one rule.
You can use an ACL to identify traffic between VPN instances.

Item: Aggregation
Description:
Select this option to use one tunnel to protect all data flows permitted by the ACL. If you do not select the aggregation mode, the standard mode applies and one tunnel is set up for each data flow permitted by the ACL.
This configuration item is available only after you specify an ACL.
IMPORTANT:
The two ends of a tunnel must work in the same mode.

Item: SA Lifetime (Time Based / Traffic Based)
Description:
Type the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.
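The PFS, Aggregation, and SA Lifetime rows above each state a rule that decides whether the two ends of a tunnel can negotiate an IPsec SA and what the resulting SA looks like. The following model puts those rules in one place so they can be checked against a pair of configurations. It is an added illustration written for this page, not H3C code: the class and function names are assumptions, the sample policies and data flows are constructed, and the lifetime units (seconds and kilobytes) are assumptions about the device's conventions rather than something the page states. The pfs_warnings check goes beyond the page by flagging the 768-bit and 1024-bit groups as too weak for new deployments.

```python
"""Model of the phase-2 parameter checks described in the policy table.

Added example, not H3C code. Names, units and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modulus size of each Diffie-Hellman group offered by the PFS item.
DH_GROUP_BITS = {
    "dh-group1": 768,
    "dh-group2": 1024,
    "dh-group5": 1536,
    "dh-group14": 2048,
}


@dataclass(frozen=True)
class IpsecPolicy:
    """One end's IPsec policy settings from the table above."""
    pfs_group: Optional[str]   # None means PFS is disabled
    aggregation: bool          # True: one tunnel for all ACL-permitted flows
    time_lifetime: int         # time-based SA lifetime (assumed unit: seconds)
    traffic_lifetime: int      # traffic-based SA lifetime (assumed unit: kilobytes)


@dataclass(frozen=True)
class NegotiatedSa:
    pfs_group: Optional[str]
    aggregation: bool
    time_lifetime: int
    traffic_lifetime: int
    extra_key_exchange: bool   # True when PFS adds a second DH exchange in phase 2


class NegotiationError(ValueError):
    """Raised where the table says negotiation fails (mismatched settings)."""


def negotiate(local: IpsecPolicy, peer: IpsecPolicy) -> NegotiatedSa:
    """Apply the table's rules: same DH group, same tunnel mode, and the
    smaller of the local and proposed lifetimes wins."""
    for end in (local, peer):
        if end.pfs_group is not None and end.pfs_group not in DH_GROUP_BITS:
            raise NegotiationError(f"unknown DH group {end.pfs_group!r}")
    if local.pfs_group != peer.pfs_group:
        raise NegotiationError(
            f"PFS mismatch: local {local.pfs_group} vs peer {peer.pfs_group}")
    if local.aggregation != peer.aggregation:
        raise NegotiationError(
            "mode mismatch: both ends must use aggregation or both standard mode")
    return NegotiatedSa(
        pfs_group=local.pfs_group,
        aggregation=local.aggregation,
        # IKE keeps the smaller of the two lifetimes for each kind.
        time_lifetime=min(local.time_lifetime, peer.time_lifetime),
        traffic_lifetime=min(local.traffic_lifetime, peer.traffic_lifetime),
        extra_key_exchange=local.pfs_group is not None,
    )


def compatible(local: IpsecPolicy, peer: IpsecPolicy) -> bool:
    """True if the two policies can negotiate an SA under the rules above."""
    try:
        negotiate(local, peer)
        return True
    except NegotiationError:
        return False


def expected_tunnels(policy: IpsecPolicy, flows: List[Tuple[str, str]]) -> int:
    """Standard mode sets up one tunnel per distinct ACL-permitted data flow;
    aggregation mode protects all of them with a single tunnel."""
    if not flows:
        return 0
    return 1 if policy.aggregation else len(set(flows))


def pfs_warnings(policy: IpsecPolicy, min_bits: int = 2048) -> List[str]:
    """Review check (not from the page): flag PFS disabled or a DH group
    smaller than min_bits. 768- and 1024-bit groups are too weak for new
    deployments; 2048 bits is a reasonable floor today."""
    if policy.pfs_group is None:
        return ["PFS disabled: IPsec SA keys depend only on phase-1 keying material"]
    bits = DH_GROUP_BITS.get(policy.pfs_group)
    if bits is None:
        return [f"unknown DH group {policy.pfs_group!r}"]
    if bits < min_bits:
        return [f"{policy.pfs_group} is {bits}-bit; use a group of at least {min_bits} bits"]
    return []


if __name__ == "__main__":
    # Constructed sample: both ends use dh-group14 and standard mode but
    # propose different lifetimes, so the smaller values are negotiated.
    local = IpsecPolicy("dh-group14", False, 3600, 1843200)
    peer = IpsecPolicy("dh-group14", False, 7200, 1000000)
    print(negotiate(local, peer))
    print(pfs_warnings(IpsecPolicy("dh-group2", False, 3600, 1843200)))
```

Because the device itself only reports that negotiation failed, running both ends' settings through a check like this before changing a live policy is the quickest way to catch a DH group or aggregation-mode mismatch.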
Applying an IPsec Policy Group
Select VPN > IPSec > IPSec Application from the navigation tree to enter the IPsec policy application configuration page. Click the icon for an interface to select an IPsec policy for that interface, as shown in Figure 18.
Figure 18 IPsec policy application