H3C Technologies H3C Intelligent Management Center User Manual
○ ID Type—Select the ID type for ISAKMP SA phase 1 negotiation. Options are IP and Name. When the negotiation mode is Main, the ID type can only be IP.
○ NAT Traversal—Enable or disable the NAT traversal function. The NAT traversal function can be enabled only when the negotiation mode is Aggressive.
○ PFS—Select the DH group used by the PFS feature. Options are DH Group 1, DH Group 2, DH Group 5, DH Group 14, and Disable.
○ Set IPsec SA Lifetime—Select whether to specify IPsec SA lifetime, YES or NO. If you select YES, specify the time-based lifetime and traffic-based lifetime for IPsec SAs.
  − Time (s)—Specify how long the IPsec SA can be valid after it is created, in seconds.
  − Traffic (s)—Specify the maximum amount of traffic the IPsec SA can process.
○ DPD Config—Select whether to enable the DPD function, YES or NO. If you select YES, configure the following parameters that appear:
  − DPD Name—Enter the DPD name.
  − DPD Interval (s)—Specify the DPD triggering interval, in seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
  − DPD Timeout (s)—Specify the DPD message retransmission interval. If the local end receives no DPD acknowledgement within the specified interval, it retransmits the DPD hello. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
5. To add an IPsec proposal:
   a. Click Add in the IPsec Proposal area.
      The Add IPsec Proposal dialog box appears.
   b. Configure the following parameters for the IPsec proposal:
      − Proposal Name—Enter the IPsec proposal name.
      − Encapsulation—Select the packet encapsulation mode, Tunnel or Transport.
      − Security Protocol—Select a security protocol. Options are AH, ESP, and AH+ESP.
        Specify the authentication and encryption algorithms based on the selected security protocols. Table 5 shows the available authentication and encryption algorithms for different security protocols.
   c. Click OK.
Table 5 Authentication/encryption algorithms for different security protocols

| Security protocol | AH authentication algorithm | ESP authentication algorithm | ESP encryption algorithm |
|---|---|---|---|
| AH | MD5, SHA1 | N/A | N/A |
| ESP | N/A | MD5, SHA1, None | None, DES, 3DES, AES(128), AES(192), AES(256) |
| AH+ESP | MD5, SHA1 | MD5, SHA1, None | None, DES, 3DES, AES(128), AES(192), AES(256) |

6. To modify an IPsec proposal, click the Modify icon for the proposal and modify all the parameters except for the proposal name.
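
As an added example (not part of the H3C manual or the IMC software), the following Python check validates a planned configuration against the constraints stated above (ID type in Main mode, NAT traversal in Aggressive mode, Table 5) and flags selectable options that are generally regarded as weak. The dictionary keys and the weak-option lists are assumptions made for this example.

```python
# Added example; dictionary keys are hypothetical names, not an IMC API.
# Table 5: algorithms selectable for each security protocol.
AH_AUTH = {"MD5", "SHA1"}
ESP_AUTH = {"MD5", "SHA1", "None"}
ESP_ENC = {"None", "DES", "3DES", "AES(128)", "AES(192)", "AES(256)"}
TABLE5 = {
    "AH": {"ah_auth": AH_AUTH},
    "ESP": {"esp_auth": ESP_AUTH, "esp_enc": ESP_ENC},
    "AH+ESP": {"ah_auth": AH_AUTH, "esp_auth": ESP_AUTH, "esp_enc": ESP_ENC},
}
PFS_OPTIONS = {"DH Group 1", "DH Group 2", "DH Group 5", "DH Group 14", "Disable"}
# Assumption (not from the manual): options generally regarded as weak today.
WEAK_ALGS = {"MD5", "DES", "3DES"}
WEAK_PFS = {"DH Group 1", "DH Group 2", "DH Group 5", "Disable"}


def check(cfg):
    """Return (errors, warnings) for one planned IKE/IPsec configuration."""
    errors, warnings = [], []
    mode, proto = cfg["negotiation_mode"], cfg["protocol"]
    if mode == "Main" and cfg["id_type"] != "IP":
        errors.append("ID type must be IP when the negotiation mode is Main")
    if cfg["nat_traversal"] and mode != "Aggressive":
        errors.append("NAT traversal requires Aggressive mode")
    if cfg["pfs"] not in PFS_OPTIONS:
        errors.append(f"unknown PFS option {cfg['pfs']!r}")
    elif cfg["pfs"] in WEAK_PFS:
        warnings.append(f"PFS setting {cfg['pfs']!r} is weak")
    if proto not in TABLE5:
        return errors + [f"unknown security protocol {proto!r}"], warnings
    for field, options in sorted(TABLE5[proto].items()):
        value = cfg.get(field)
        if value not in options:
            errors.append(f"{field}={value!r} is not offered for {proto}")
        elif value in WEAK_ALGS:
            warnings.append(f"{field}={value} is weak")
    if "esp_enc" in TABLE5[proto] and cfg.get("esp_enc") == "None":
        warnings.append("ESP encryption None gives no confidentiality")
    if proto == "ESP" and cfg.get("esp_auth") == "None":
        warnings.append("ESP with authentication None and no AH has no integrity check")
    return errors, warnings


# Constructed sample input, not taken from a real deployment.
SAMPLE = {"negotiation_mode": "Main", "id_type": "Name", "nat_traversal": True,
          "pfs": "DH Group 2", "protocol": "ESP", "esp_auth": "None", "esp_enc": "DES"}

if __name__ == "__main__":
    errs, warns = check(SAMPLE)
    for line in [f"ERROR {e}" for e in errs] + [f"WARN  {w}" for w in warns]:
        print(line)
```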