R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Configuring IKE in the web interface
IKE configuration task list
Task: Configuring global IKE parameters
Remarks: Optional.
Configure the IKE local name and NAT keepalive interval.

Task: Configuring an IKE proposal
Remarks: This task is required when IKE peers need to specify an IKE proposal.
The firewall has a default IKE proposal that has the lowest preference with the following default settings:
• Pre-shared key as the authentication method.
• SHA as the authentication algorithm.
• DES-CBC as the encryption algorithm. In FIPS mode, the default encryption algorithm is AES-CBC-128.
• DH group group1. In FIPS mode, the default DH group is group2.
• SA lifetime of 86400 seconds.

Task: Configuring IKE DPD
Remarks: Optional.

Task: Configuring an IKE peer
Remarks: Required.
Create an IKE peer and configure the related parameters.
IMPORTANT:
If you change the settings of an IKE peer, clear the established IPsec SAs and ISAKMP SAs on the VPN > IKE > IKE SA and VPN > IPSec > IPSec SA pages. Otherwise, SA renegotiation fails.

Task: Viewing IKE SAs
Remarks: Optional.
View the summary information of the current ISAKMP SA.
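The default proposal listed in the task table above, checked against a minimum-strength baseline. This is an added example, not code from the HP guide: the Proposal type, the function names and the baseline (no DES, DH modulus of at least 2048 bits) are assumptions, as is the rule that a peer with no proposal of its own negotiates with the default one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    name: str
    auth_method: str  # e.g. "pre-shared-key"
    auth_alg: str     # e.g. "SHA" (SHA-1)
    enc_alg: str      # e.g. "DES-CBC", "AES-CBC-128"
    dh_group: int     # 1 for group1, 2 for group2, ...
    lifetime: int     # ISAKMP SA lifetime in seconds

def default_proposal(fips=False):
    """The firewall's default IKE proposal, as listed in the task table."""
    return Proposal("default", "pre-shared-key", "SHA",
                    "AES-CBC-128" if fips else "DES-CBC",
                    2 if fips else 1, 86400)

# Baseline assumed for this example, not taken from the guide.
WEAK_ENC = {"DES-CBC": "56-bit key"}
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}  # MODP groups
MIN_DH_BITS = 2048

def audit(p):
    """Return a list of findings for one proposal (empty list = passes)."""
    findings = []
    if p.enc_alg in WEAK_ENC:
        findings.append(f"{p.name}: {p.enc_alg} ({WEAK_ENC[p.enc_alg]})")
    bits = DH_MODULUS_BITS.get(p.dh_group)
    if bits is None:
        findings.append(f"{p.name}: DH group{p.dh_group} not in baseline table")
    elif bits < MIN_DH_BITS:
        findings.append(f"{p.name}: DH group{p.dh_group} ({bits}-bit modulus)")
    return findings

def audit_peer(proposals, fips=False):
    """Audit the proposals a peer would negotiate with.

    Assumption: a peer that specifies no proposal uses the default one.
    """
    effective = list(proposals) or [default_proposal(fips)]
    return {p.name: audit(p) for p in effective}

if __name__ == "__main__":
    # Constructed sample: one hand-configured proposal plus both defaults.
    strong = Proposal("p10", "pre-shared-key", "SHA", "AES-CBC-128", 14, 86400)
    for label, result in [("no proposal, normal mode", audit_peer([])),
                          ("no proposal, FIPS mode", audit_peer([], fips=True)),
                          ("peer with p10", audit_peer([strong]))]:
        print(label, result)
```
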
Configuring global IKE parameters
1. Select VPN > IKE > Global from the navigation tree.
Figure 82 IKE global configuration page
2. Configure global IKE parameters as described in Table 5.
3. Click Apply.