R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

Item / Description

PFS
Enable and configure the Perfect Forward Secrecy (PFS) feature, or disable the feature.
Options include:
dh-group1: Uses the 768-bit Diffie-Hellman group.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
The two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

ACL
Select the ACL for the IPsec policy template to reference.
Available ACLs are advanced ACLs configured by selecting Firewall > ACL from the navigation tree.
IMPORTANT:
IPsec protects packets matching the specified ACL. It is good practice to define the ACL precisely, so that the ACL permits only packets that need to be protected by IPsec.
The ACL specified here must correspond to that specified on the peer. That is, the source IP address in the local ACL must be the destination IP address in the peer's ACL, and the destination IP address in the local ACL must be the source IP address in the peer's ACL.

SA Lifetime (Time Based / Traffic Based)
Type the SA lifetime, which can be time-based or traffic-based.
IMPORTANT:
When negotiating to set up IPsec SAs, IKE uses the smaller of the lifetime set locally and the lifetime proposed by the peer.
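The three peer-consistency rules in the table above (same PFS group, mirrored ACLs, and IKE taking the smaller lifetime) are easy to get wrong when two firewalls are configured by hand. The checker below is an added example, not part of this guide or the product's software; the policy and ACL representation (AclRule, IpsecPolicy) and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Diffie-Hellman groups selectable under PFS, with their modulus sizes in bits.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}

@dataclass(frozen=True)
class AclRule:
    src: str  # source network, CIDR notation
    dst: str  # destination network, CIDR notation

@dataclass(frozen=True)
class IpsecPolicy:
    pfs: Optional[str]          # DH group name, or None when PFS is disabled
    acl: Tuple[AclRule, ...]    # the advanced ACL the policy references
    lifetime_seconds: int       # time-based SA lifetime
    lifetime_kbytes: int        # traffic-based SA lifetime

def mirrored(local: AclRule, peer: AclRule) -> bool:
    # A peer rule matches when its source is our destination and its destination is our source.
    return (ipaddress.ip_network(local.src) == ipaddress.ip_network(peer.dst)
            and ipaddress.ip_network(local.dst) == ipaddress.ip_network(peer.src))

def check_policies(local: IpsecPolicy, peer: IpsecPolicy) -> dict:
    # Returns what would make phase 2 fail, what is merely weak, and the lifetimes IKE would agree on.
    problems, warnings = [], []
    if local.pfs != peer.pfs:
        problems.append(f"PFS mismatch: local {local.pfs}, peer {peer.pfs}")
    elif local.pfs and DH_GROUP_BITS[local.pfs] < DH_GROUP_BITS["dh-group14"]:
        warnings.append(f"{local.pfs} ({DH_GROUP_BITS[local.pfs]}-bit) is weaker than dh-group14")
    for rule in local.acl:
        if not any(mirrored(rule, p) for p in peer.acl):
            problems.append(f"no peer mirror for local rule {rule.src} -> {rule.dst}")
    for rule in peer.acl:
        if not any(mirrored(r, rule) for r in local.acl):
            problems.append(f"no local mirror for peer rule {rule.src} -> {rule.dst}")
    # IKE takes the smaller of the local and the proposed lifetime, for each lifetime type.
    return {"problems": problems, "warnings": warnings,
            "lifetime_seconds": min(local.lifetime_seconds, peer.lifetime_seconds),
            "lifetime_kbytes": min(local.lifetime_kbytes, peer.lifetime_kbytes)}

# Constructed sample: a correctly mirrored pair that differs only in the time-based lifetime.
LOCAL = IpsecPolicy("dh-group14", (AclRule("10.1.0.0/24", "10.2.0.0/24"),), 3600, 1843200)
PEER = IpsecPolicy("dh-group14", (AclRule("10.2.0.0/24", "10.1.0.0/24"),), 7200, 1843200)
```

Running check_policies(LOCAL, PEER) reports no problems and an agreed time-based lifetime of 3600 seconds; swapping in a peer with a different DH group or an unmirrored ACL rule shows exactly which of the table's rules would make the negotiation fail.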
Return to IPsec configuration task list.
Configuring an IPsec policy
Select VPN > IPSec > Policy from the navigation tree to display existing IPsec policies, as shown in Figure 31. Then, click Add to add an IPsec policy, as shown in Figure 32.
Figure 31 IPsec policy list