beautypg.com

Modifying ipsec proposals, Configuring an ipsec proposal – H3C Technologies H3C Intelligent Management Center User Manual

Page 167

background image

157

{

ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type

must be Name when NAT traversal is enabled, and must be IP when IKE uses the Main
negotiation mode for key negotiation in phase 1.

{

Encapsulation Mode—Select an encapsulation mode for IPsec packets. Options are Tunnel and
Transport. The Tunnel encapsulation mode must be used when NAT traversal is enabled.

Table

11

shows the compatibility matrix of the IKE Negotiation Mode, NAT Traversal, ID Type, and

Encapsulation Mode parameters.

Table 11 Parameter compatibility matrix

IKE Negotiation

Mode

NAT Traversal

ID Type

Encapsulation mode

of IPsec packets

Main mode

No

IP

Tunnel mode/Transport
mode

Aggressive mode

Yes Name

Tunnel mode

No IP/Name

{

Use Policy Template—Select Yes or No. If you select Yes, the hub devices cannot initiate IKE
negotiation, but only responds to negotiation requests from peers. The IPsec policy template

feature applies to scenarios where the IP addresses of spoke devices are unknown.

{

PFS—Select the DH group identifier used by PFS. Options are DH Group 1, DH Group 2, DH
Group 5, DH Group 14, and Disable.

{

Set IPsec SA Lifetime—Select Yes and set the time-based and traffic-based lifetime for IPsec SAs.
An IPsec SA expires when either of the lifetime timers expires.

Time (s)—Specify how long an IPsec SA can exist, in seconds.

Traffic (KB)—Specify the maximum traffic, in KBs, that an IPsec SA can process before it
expires.

Modifying IPsec proposals

You can modify the IPsec proposals of an IPsec VPN domain only when the Configure IPsec and IKE

option is selected on the Basic Settings tab.
To modify the IPsec proposals for the IPsec VPN domain:

1.

Click the Security Proposals tab.
The IPsec Proposal list displays all the IPsec proposals.

2.

You can configure an IPsec proposal, modify an existing IPsec proposal, and delete IPsec

proposals for the IPsec VPN domain.

Configuring an IPsec proposal

1.

Click Add in the IPsec Proposal area.
The Add IPsec Proposal page appears.

2.

Enter a name for the IPsec proposal.
You can configure the IPsec proposal through step 3 or import an IPsec proposal template through

step 4.

3.

Configure an IPsec proposal.

a.

Configure the following parameters:

See also other documents in the category H3C Technologies Safety: