R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
48
Item: PFS
Description:
Enable and configure the Perfect Forward Secrecy (PFS) feature or disable the feature.
Options include:
• dh-group1—Uses the 768-bit Diffie-Hellman group.
• dh-group2—Uses the 1024-bit Diffie-Hellman group.
• dh-group5—Uses the 1536-bit Diffie-Hellman group.
• dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
• dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
• When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
• Two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

Item: ACL
Description:
Select the ACL for the IPsec policy to reference.
Available ACLs are advanced ACLs configured by selecting Firewall > ACL from the navigation tree.
IMPORTANT:
• IPsec protects packets matching the specified ACL. It is a good practice to define the ACL precisely, making the ACL permit only packets that need to be protected by IPsec.
• The ACL specified here must correspond to that specified on the peer. That is, the source IP address in the local ACL must be the destination IP address of the peer, and the destination IP address must be the source IP address of the peer.

Item: Aggregation
Description:
Select this check box to protect traffic in aggregation mode. If you do not select the check box, the standard mode is used.
This setting takes effect only when you specify an ACL for the IPsec policy to reference.
IMPORTANT:
When configuring firewalls supporting both the standard mode and aggregation mode, be sure to configure the two ends of a tunnel to work in the same mode.

Item: SA Lifetime (Time Based / Traffic Based)
Description:
Type the SA lifetime, which can be time-based or traffic-based.
IMPORTANT:
When negotiating to set up IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.
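The table above lists three things that must agree between the two tunnel ends (the DH group, the mirrored ACL, and the standard/aggregation mode) and one that IKE resolves by taking the smaller value (the SA lifetime). The following added example, which is not code from the guide or from the firewall's own software, models those fields in a hypothetical simplified IpsecPolicy record and checks a local/peer pair before deployment:

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# PFS options from the table, mapped to the modulus size of each Diffie-Hellman group.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}


@dataclass(frozen=True)
class IpsecPolicy:
    """Hypothetical, simplified model of the policy fields described in the table."""
    pfs: Optional[str]       # DH group name, or None when PFS is disabled
    acl_src: str             # source network the advanced ACL permits
    acl_dst: str             # destination network the advanced ACL permits
    aggregation: bool        # aggregation mode (True) or standard mode (False)
    lifetime_seconds: int    # time-based SA lifetime
    lifetime_kbytes: int     # traffic-based SA lifetime


def check_peer_consistency(local: IpsecPolicy, peer: IpsecPolicy) -> List[str]:
    """Return the mismatches between the two ends that the guide says must agree."""
    problems = []
    if local.pfs != peer.pfs:
        problems.append(f"PFS mismatch: local {local.pfs}, peer {peer.pfs}")
    for name, pol in (("local", local), ("peer", peer)):
        if pol.pfs is not None and pol.pfs not in DH_GROUP_BITS:
            problems.append(f"{name}: unknown DH group {pol.pfs}")
    # The peer's ACL must be the mirror image: our source is its destination and vice versa.
    if (ip_network(local.acl_src) != ip_network(peer.acl_dst)
            or ip_network(local.acl_dst) != ip_network(peer.acl_src)):
        problems.append("ACL is not mirrored on the peer")
    if local.aggregation != peer.aggregation:
        problems.append("one end uses aggregation mode, the other standard mode")
    return problems


def negotiated_lifetime(local: IpsecPolicy, peer: IpsecPolicy) -> Tuple[int, int]:
    """IKE keeps the smaller of the local and proposed lifetimes, for time and for traffic."""
    return (min(local.lifetime_seconds, peer.lifetime_seconds),
            min(local.lifetime_kbytes, peer.lifetime_kbytes))


# Constructed sample policies (not taken from the guide).
LOCAL = IpsecPolicy("dh-group14", "10.1.1.0/24", "10.2.2.0/24", False, 3600, 1843200)
PEER_OK = IpsecPolicy("dh-group14", "10.2.2.0/24", "10.1.1.0/24", False, 7200, 1024000)
PEER_BAD = IpsecPolicy("dh-group2", "10.1.1.0/24", "10.2.2.0/24", True, 7200, 1024000)

if __name__ == "__main__":
    print(check_peer_consistency(LOCAL, PEER_OK), negotiated_lifetime(LOCAL, PEER_OK))
    print(check_peer_consistency(LOCAL, PEER_BAD))
```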
Return to IPsec configuration task list.
Applying an IPsec policy group
Select VPN > IPSec > IPSec Application from the navigation tree to display the IPsec policy application status, as shown in Figure 33. Find the interface to which you want to apply an IPsec policy group and then click the corresponding icon to apply an IPsec policy, as shown in Figure 34.