Modifying ipsec proposals, Configuring an ipsec proposal – H3C Technologies H3C Intelligent Management Center User Manual
Page 179
169
{
ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type
must be Name when NAT traversal is enabled, and must be IP when IKE uses the Main
negotiation mode for key negotiation in phase 1.
{
Encapsulation Mode—Select an encapsulation mode for IPsec packets. Options are Tunnel and
Transport. The Tunnel encapsulation mode must be used when NAT traversal is enabled.
shows the compatibility matrix of the IKE Negotiation Mode, NAT Traversal, ID Type, and
Encapsulation Mode parameters.
Table 13 Parameter compatibility matrix
IKE Negotiation
Mode
NAT Traversal
ID Type
Encapsulation mode
of IPsec packets
Main mode
No
IP
Tunnel mode/Transport
mode
Aggressive mode
Yes Name
Tunnel mode
No IP/Name
{
Use Policy Template—Select whether or not to use a policy template: Yes or No. If you select Yes,
the hub devices cannot initiate IKE negotiation, but only responds to negotiation requests from
peers. The IPsec policy template feature applies to scenarios where the IP addresses of spoke
devices are unknown.
{
PFS—Select the DH group identifier used by PFS. Options are DH Group 1, DH Group 2, DH
Group 5, DH Group 14, and Disable.
{
Set IPsec SA Lifetime—Select Yes and set the time-based and traffic-based lifetime for IPsec SAs.
An IPsec SA expires when either of the lifetime timers expires.
−
Time (s)—Specify how long an IPsec SA can exist, in seconds.
−
Traffic (KB)—Specify the maximum traffic, in KBs, that an IPsec SA can process before it
expires.
{
Keepalive (sec)—Modify the GRE keepalive interval.
{
Transmission Attempts—Enter the maximum number of keepalive attempts.
{
Packet Checksum—Select this option to enable GRE packet checksum.
{
Tunnel Interface Key—Modify the GRE tunnel interface key.IVM automatically applies the new
key to the tunnel ends.
7.
Click OK.
Modifying IPsec proposals
You can modify the IPsec proposals of a GRE over IPsec VPN domain only when the Configure IPsec IKE
and GRE option is selected on the Basic Settings tab.
To modify the IPsec proposals for the GRE over IPsec VPN domain:
1.
Click the Security Proposals tab.
The IPsec Proposal list displays all the IPsec proposals.
2.
You can configure an IPsec proposal, modify an existing IPsec proposal, and delete IPsec
proposals for the domain.
Configuring an IPsec proposal
1.
Click Add in the IPsec Proposal area.