R3303-HP HSR6800 Routers Security Configuration Guide

Step / Command / Remarks

6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional.
   By default, the PFS feature is not used for negotiation.
   If the local end is configured with the PFS feature, the remote end that initiates the negotiation must also be configured with this feature, and the DH group specified at both ends must be the same. Otherwise, the negotiation fails.
   For more information about PFS, see "IKE security mechanism."
   The dh-group1 keyword is not available for FIPS mode.

7. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional.
   By default, the global SA lifetime is used.
   If IKE is used for IPsec SA establishment, the smaller SA lifetime of the local end and remote end is used.

8. Enable the IPsec policy.
   Command: policy enable
   Remarks: Optional.
   Enabled by default.

9. Return to system view.
   Command: quit
   Remarks: N/A

10. Configure the global SA lifetime.
   Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional.
   By default, the time-based SA lifetime is 3600 seconds and the traffic-based SA lifetime is 1843200 kilobytes.

11. Create an IPsec policy by referencing an IPsec policy template.
   Command: ipsec policy policy-name seq-number isakmp template template-name
   Remarks: By default, no IPsec policy exists.
During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed.
If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the
same DH group. Otherwise, the negotiation will fail.
An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view.
When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer,
whichever are smaller.
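The PFS and lifetime rules above, modelled as an added Python example (not HP code, and not how the router implements IKE): each end is a plain dict with optional `pfs`, `time`, `traffic` and `global` keys, and the PFS-mismatch rule is assumed to apply symmetrically to both ends.

```python
"""Model of the IPsec policy PFS and SA-lifetime rules from this section.

Constructed example: an 'end' is a dict such as
    {"pfs": "dh-group14", "time": 1800, "global": {"time": 7200, "traffic": 500000}}
where every key is optional. The guide's remarks are read literally; the
symmetric treatment of PFS mismatches is an assumption.
"""
from typing import Optional, Tuple

# Global SA lifetime defaults stated on the page.
DEFAULT_GLOBAL = {"time": 3600, "traffic": 1843200}

DH_GROUPS = {"dh-group1", "dh-group2", "dh-group5", "dh-group14"}


def pfs_allowed(dh_group: Optional[str], fips_mode: bool) -> bool:
    """True if this pfs setting would be accepted on the device."""
    if dh_group is None:
        return True                      # PFS not used for negotiation (default)
    if dh_group not in DH_GROUPS:
        return False                     # not one of the four keywords
    return not (fips_mode and dh_group == "dh-group1")  # dh-group1 not in FIPS mode


def effective_lifetime(end: dict) -> Tuple[int, int]:
    """(seconds, kilobytes) for one end: policy-view 'sa duration' wins,
    otherwise that end's 'ipsec sa global-duration' values apply."""
    glob = end.get("global", DEFAULT_GLOBAL)
    return (end.get("time", glob["time"]), end.get("traffic", glob["traffic"]))


def negotiate(local: dict, remote: dict) -> Optional[Tuple[int, int]]:
    """Lifetime an IKE-negotiated SA would get, or None if negotiation fails.

    Failure case: one end uses PFS and the other does not, or the two ends
    name different DH groups. Success case: the smaller of the two ends'
    effective lifetimes is used, separately for time and traffic.
    """
    if local.get("pfs") != remote.get("pfs"):
        return None
    lt, lk = effective_lifetime(local)
    rt, rk = effective_lifetime(remote)
    return (min(lt, rt), min(lk, rk))


if __name__ == "__main__":
    print(negotiate({"pfs": "dh-group14", "time": 1800}, {"pfs": "dh-group14"}))
```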
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group.