R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
| To do… | Use the command… | Remarks |
|---|---|---|
| Enable and configure the perfect forward secrecy feature for the IPsec policy | `pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 }` | Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see the chapter “IKE configuration.” |
| Set the SA lifetime | `sa duration { time-based seconds \| traffic-based kilobytes }` | Optional. By default, the global SA lifetime is used. |
| Return to system view | `quit` | — |
| Set the global SA lifetime | `ipsec sa global-duration { time-based seconds \| traffic-based kilobytes }` | Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default. |
• Configure an IPsec policy that uses IKE by referencing an IPsec policy template
The parameters configurable for an IPsec policy template are the same as those you configure when directly configuring an IPsec policy that uses IKE. The difference is that more of them are optional:
• Required configuration: the IPsec proposals and the IKE peer.
• Optional configuration: the ACL, the PFS feature, and the SA lifetime. Unlike the direct configuration, the ACL referenced by the IPsec policy template is optional: a responder with no ACL configured accepts the ACL (traffic selector) proposed by the initiator.
Follow these steps to configure an IPsec policy that uses IKE by referencing an IPsec policy template:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | `system-view` | — |
| Create an IPsec policy template and enter its view | `ipsec policy-template template-name seq-number` | Required. By default, no IPsec policy template exists. |
| Specify the ACL for the IPsec policy to reference | `security acl acl-number` | Optional. By default, an IPsec policy references no ACL. |
| Specify the IPsec proposals for the IPsec policy to reference | `proposal proposal-name&<1-6>` | Required. By default, an IPsec policy references no IPsec proposal. |
| Specify the IKE peer for the IPsec policy to reference | `ike-peer peer-name` | Required. An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa. |
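The following listing is an added example, not taken from this guide, that ties together the two procedures on this page: the PFS and SA-lifetime settings from the first table and the policy-template steps from the second. It shows a responder-side configuration in which the ACL is deliberately omitted (so the initiator's traffic selector is accepted) while the two settings that are off or loose by default are tightened: PFS is enabled with `dh-group14`, the strongest group the `pfs` command offers, and the SA lifetimes are set below the 3600-second / 1843200-kilobyte defaults so that a compromised key set has a bounded window of use. The names `hub-template`, `hub-prop`, `hub-peer` and `hub-policy` and all lifetime values are placeholders chosen for the example; the `ipsec policy ... isakmp template` command that applies the template is the Comware V5 syntax as I know it and does not appear on this page, so treat it as an assumption to verify against the command reference. Lines beginning with `#` are reader annotations, not CLI input.

```text
# Added example (not from the guide). Assumes the IPsec proposal "hub-prop"
# and the IKE peer "hub-peer" already exist.
system-view

# Global SA lifetime. Defaults are 3600 seconds and 1843200 kilobytes;
# the values below are placeholders that shorten both limits.
ipsec sa global-duration time-based 1800
ipsec sa global-duration traffic-based 1000000

# Policy template: proposals and IKE peer are required, the ACL is optional.
# No "security acl" line, so this responder accepts the initiator's ACL.
ipsec policy-template hub-template 10
 proposal hub-prop
 ike-peer hub-peer
 # PFS is not used by default; enable it with the largest listed DH group.
 pfs dh-group14
 # Per-policy lifetime overrides the global value for this template only.
 sa duration time-based 1800
 sa duration traffic-based 500000
 quit

# Apply the template to an IPsec policy (Comware V5 syntax, assumed; not on this page).
ipsec policy hub-policy 10 isakmp template hub-template
```

Because the template carries no ACL, the resulting policy can only act as an IKE responder; the initiator side must still reference an ACL in its own IPsec policy, since that ACL defines the traffic both ends protect. The `ike-peer` line must name a peer that is not already referenced by an IPsec profile, per the remark in the table above.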