R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Item | Description
DH Group | Select the DH group to be used in key negotiation phase 1. Options include:
Group1—Uses the 768-bit Diffie-Hellman group. This group is not available in FIPS mode.
Group2—Uses the 1024-bit Diffie-Hellman group. It is the default group in FIPS mode.
Group5—Uses the 1536-bit Diffie-Hellman group.
Group14—Uses the 2048-bit Diffie-Hellman group.
SA Lifetime | Enter the ISAKMP SA lifetime of the IKE proposal.
Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately, and the old one is cleared automatically when it expires.
In FIPS mode, IPsec requires IKE to negotiate a new SA when the current SA expires. IKE then responds to the request and actively initiates a negotiation.
IMPORTANT:
If the SA lifetime expires, the system automatically updates the ISAKMP SA. The DH calculation in IKE negotiation takes time, especially on low-end devices. Set the lifetime to more than 10 minutes so that the SA update does not disrupt normal communication.
Configuring IKE DPD
DPD detects dead IKE peers on demand rather than at fixed intervals. When the local end sends an IPsec packet, DPD checks the time at which the last IPsec packet was received from the peer. If that time exceeds the DPD interval, the local end sends a DPD hello to the peer. If it receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If it still receives no DPD acknowledgement after making the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs established based on that IKE SA.
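The following is an added example, not part of this configuration guide: a small Python model of the on-demand DPD behaviour described above, replayed against a constructed packet timeline so the hello, retransmission and dead-peer decisions can be inspected. It assumes that any packet from the peer (IPsec data or a DPD acknowledgement) counts as proof of liveness and that times are in seconds; the interval values used are constructed, not device defaults.

```python
# Added example (not from the HP guide): model of on-demand IKE DPD.
# Assumption: any packet from the peer proves it is alive; times are in seconds.

def run_dpd(events, interval, retry_interval, max_retries=2):
    """Replay (time, kind) events and return the DPD actions taken.

    "tx"  - the local end sends an IPsec packet (the only trigger for a DPD check)
    "rx"  - an IPsec packet arrives from the peer
    "ack" - a DPD acknowledgement arrives from the peer
    Returns a list of (time, action) with action in {"ok", "hello", "waiting", "dead"}.
    """
    last_rx = None        # time the last packet from the peer was received
    hello_sent_at = None  # time of the outstanding, unacknowledged DPD hello
    retries = 0           # retransmissions already made for that hello
    actions = []
    for now, kind in sorted(events):
        if kind in ("rx", "ack"):
            # Traffic from the peer: it is alive, so drop any pending hello state.
            last_rx, hello_sent_at, retries = now, None, 0
            continue
        if hello_sent_at is None:
            # No hello outstanding: check how long the peer has been silent.
            if last_rx is None or now - last_rx > interval:
                hello_sent_at = now
                actions.append((now, "hello"))
            else:
                actions.append((now, "ok"))
        elif now - hello_sent_at < retry_interval:
            actions.append((now, "waiting"))  # retransmission timer still running
        elif retries < max_retries:
            retries += 1
            hello_sent_at = now
            actions.append((now, "hello"))    # retransmit the DPD hello
        else:
            # Retransmissions exhausted: peer is dead; the IKE SA and the
            # IPsec SAs based on it would be cleared at this point.
            actions.append((now, "dead"))
            break
    return actions


if __name__ == "__main__":
    # Constructed timeline: the peer goes silent after t=0 (interval 10 s, retry 5 s).
    silent_peer = [(0, "rx"), (5, "tx"), (12, "tx"), (14, "tx"),
                   (17, "tx"), (22, "tx"), (27, "tx")]
    for step in run_dpd(silent_peer, interval=10, retry_interval=5):
        print(step)
```

With the default of two retransmissions, a silent peer receives three hellos in total before it is declared dead, which is the timing a detection engineer should expect to see in IKE logs when a tunnel partner disappears.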
To configure IKE DPD:
1. Select VPN > IKE > DPD from the navigation tree.
Figure 85 DPD detector list
2. Click Add.