R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

To do: Enable and configure the perfect forward secrecy feature for the IPsec policy
Use the command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Remarks: Optional. By default, the PFS feature is not used for negotiation. For more information about PFS, see the chapter "IKE configuration."

To do: Configure the SA lifetime
Use the command: sa duration { time-based seconds | traffic-based kilobytes }
Remarks: Optional. By default, the global SA lifetime settings are used.

To do: Return to system view
Use the command: quit

To do: Configure the global SA lifetime
Use the command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
Remarks: Optional. 3600 seconds for the time-based SA lifetime by default; 1843200 kilobytes for the traffic-based SA lifetime by default.

To do: Create an IPsec policy by referencing an IPsec policy template
Use the command: ipsec policy policy-name seq-number isakmp template template-name
Remarks: Required. By default, no IPsec policy exists.
NOTE:
You cannot change the parameters of an IPsec policy created by referencing an IPsec policy template directly in IPsec policy view. Make the required changes in IPsec policy template view instead.

An IPsec policy can reference only one ACL. If you apply multiple ACLs to an IPsec policy, only the last one takes effect.

With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec proposals. During negotiation, IKE searches for a fully matched IPsec proposal at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected are dropped.

During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation, and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation fails.

You can set both the time-based SA lifetime and the traffic-based SA lifetime. Once either the time-based lifetime or the traffic-based lifetime of an SA elapses, the SA is aged.

An SA uses the global lifetime settings when no lifetime settings are configured for it in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.

You cannot switch an IPsec policy between the two creation modes, direct configuration and configuration by referencing an IPsec policy template. To create an IPsec policy in the other creation mode, delete the current one and then configure a new IPsec policy.
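As an added illustration that is not part of the guide, the following Python models the negotiation rules stated in the note above: both ends must agree on PFS and its DH group, a policy may reference at most six proposals and one must fully match at both ends, and the effective SA lifetime is the smaller of the local setting and the peer's proposal, falling back to the global defaults (3600 seconds, 1843200 kilobytes) when no policy-view lifetime is set. The proposal tuples, field names and sample values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Global SA lifetime defaults given in the table above.
DEFAULT_TIME_SECONDS = 3600
DEFAULT_TRAFFIC_KBYTES = 1843200
MAX_PROPOSALS = 6


@dataclass
class IpsecPolicy:
    # Constructed model: each proposal is a (protocol, encryption, authentication)
    # tuple, and a "full match" means tuple equality at both ends.
    proposals: list
    pfs_group: Optional[str] = None        # None models "PFS not used"
    time_seconds: Optional[int] = None     # None models "use the global setting"
    traffic_kbytes: Optional[int] = None   # None models "use the global setting"


def effective_lifetime(policy, global_time=DEFAULT_TIME_SECONDS,
                       global_traffic=DEFAULT_TRAFFIC_KBYTES):
    """Policy-view lifetime if configured, otherwise the global value."""
    t = policy.time_seconds if policy.time_seconds is not None else global_time
    k = policy.traffic_kbytes if policy.traffic_kbytes is not None else global_traffic
    return t, k


def negotiate(local, peer,
              local_global=(DEFAULT_TIME_SECONDS, DEFAULT_TRAFFIC_KBYTES),
              peer_global=(DEFAULT_TIME_SECONDS, DEFAULT_TRAFFIC_KBYTES)):
    """Return (ok, reason, matched_proposal, (seconds, kbytes)) per the note's rules."""
    if len(local.proposals) > MAX_PROPOSALS or len(peer.proposals) > MAX_PROPOSALS:
        return False, "a policy may reference at most six proposals", None, None
    # PFS: both ends must use it (or both not), and with the same DH group.
    if local.pfs_group != peer.pfs_group:
        return False, f"PFS mismatch: {local.pfs_group} vs {peer.pfs_group}", None, None
    # Proposal match: the first local proposal that the peer also offers.
    matched = next((p for p in local.proposals if p in peer.proposals), None)
    if matched is None:
        return False, "no fully matched IPsec proposal; packets will be dropped", None, None
    lt, lk = effective_lifetime(local, *local_global)
    pt, pk = effective_lifetime(peer, *peer_global)
    # The smaller of the local and the peer-proposed lifetimes is used.
    return True, "ok", matched, (min(lt, pt), min(lk, pk))
```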
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.