F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

Step | Command | Remarks

Step 6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remarks: Optional. By default, the PFS feature is not used for negotiation. The dh-group1 keyword is not available for FIPS mode. For more information about PFS, see "Configuring IKE."

Step 7. Configure the SA lifetime.
  Command: sa duration { time-based seconds | traffic-based kilobytes }
  Remarks: Optional. By default, the global SA lifetime settings are used.

Step 8. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
  Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
  Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent. Support for this feature depends on the device model. For more information, see Table 14.

Step 9. Enable the IPsec policy.
  Command: policy enable
  Remarks: Optional. Enabled by default.

Step 10. Return to system view.
  Command: quit
  Remarks: N/A

Step 11. Configure the global SA lifetime.
  Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
  Remarks: Optional. By default, time-based SA lifetime is 3600 seconds and traffic-based SA lifetime is 1843200 kilobytes.

Step 12. Create an IPsec policy by referencing an IPsec policy template.
  Command: ipsec policy policy-name seq-number isakmp template template-name
  Remarks: By default, no IPsec policy exists.
For SAs that are to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a transform set that fully matches at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up, and the packets that are expected to be protected are dropped.

During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation, and both ends must use the same DH group. Otherwise, the negotiation fails.

An SA uses the global lifetime settings when no lifetime settings are configured in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.
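The three rules above (full transform-set match across up to six sets, matching PFS DH groups, and the smaller of the two lifetimes with the 3600 s / 1843200 KB global defaults) as an added Python model; this is not the device's own code, the TransformSet fields and algorithm names are constructed, and the PFS check is applied symmetrically to both ends as an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Global SA lifetime defaults stated in the guide (step 11).
GLOBAL_TIME_SECONDS = 3600
GLOBAL_TRAFFIC_KB = 1843200

def pfs_allowed(dh_group: Optional[str], fips_mode: bool) -> bool:
    """dh-group1 is not available in FIPS mode; any other choice (or no PFS) is accepted."""
    return not (fips_mode and dh_group == "dh-group1")

@dataclass(frozen=True)
class TransformSet:
    # Constructed, simplified shape: a set "fully matches" only when every field is equal.
    protocol: str
    encryption: str
    auth: str

@dataclass
class IpsecPolicy:
    transform_sets: List[TransformSet]      # an IKE-based policy may reference up to six
    pfs: Optional[str] = None               # DH group from "pfs ..."; None = PFS not used
    time_seconds: Optional[int] = None      # "sa duration time-based seconds"
    traffic_kb: Optional[int] = None        # "sa duration traffic-based kilobytes"
    fips_mode: bool = False

    def __post_init__(self) -> None:
        if len(self.transform_sets) > 6:
            raise ValueError("an IPsec policy can reference at most six transform sets")
        if not pfs_allowed(self.pfs, self.fips_mode):
            raise ValueError("dh-group1 is not available in FIPS mode")

    def lifetime(self) -> Tuple[int, int]:
        """Lifetime in effect: policy-view values where set, else the global settings."""
        time_s = GLOBAL_TIME_SECONDS if self.time_seconds is None else self.time_seconds
        traffic = GLOBAL_TRAFFIC_KB if self.traffic_kb is None else self.traffic_kb
        return time_s, traffic

def negotiate(local: IpsecPolicy, peer: IpsecPolicy):
    """Return (matched transform set, (time_s, traffic_kb)) for the SA, or None on failure."""
    # IKE needs a transform set that fully matches at both ends; otherwise no SA is set up.
    match = next((ts for ts in local.transform_sets if ts in peer.transform_sets), None)
    if match is None:
        return None
    # Either both ends use PFS with the same DH group, or neither does (assumed symmetric).
    if local.pfs != peer.pfs:
        return None
    # IKE uses the local lifetime or the one proposed by the peer, whichever is smaller.
    local_t, local_kb = local.lifetime()
    peer_t, peer_kb = peer.lifetime()
    return match, (min(local_t, peer_t), min(local_kb, peer_kb))
```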