R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

4. Assign an ACL to the IPsec policy.
   Command: security acl acl-number [ aggregation ]
   Remarks: By default, an IPsec policy references no ACL.
5. Assign IPsec proposals to the IPsec policy.
   Command: proposal proposal-name&<1-6>
   Remarks: By default, an IPsec policy references no IPsec proposal.
6. Specify an IKE peer for the IPsec policy.
   Command: ike-peer peer-name
   Remarks: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.
7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, the PFS feature is not used for negotiation. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE."
8. Set the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, the global SA lifetime is used.
9. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
   Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
   Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.
10. Enable the IPsec policy.
    Command: policy enable
    Remarks: Optional. Enabled by default.
11. Return to system view.
    Command: quit
    Remarks: N/A
12. Set the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IPsec policy template and enter its view.
   Command: ipsec policy-template template-name seq-number
   Remarks: By default, no IPsec policy template exists.
3. Specify the ACL for the IPsec policy to reference.
   Command: security acl acl-number
   Remarks: Optional. By default, an IPsec policy references no ACL.
4. Specify the IPsec proposals for the IPsec policy to reference.
   Command: proposal proposal-name&<1-6>
   Remarks: Optional. By default, an IPsec policy references no IPsec proposal.
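As an added example (not from the guide or HP), the following Python audit parses a constructed Comware-style configuration fragment and checks the constraints stated in the two procedures above: the effective SA lifetime of each policy (its own sa duration, else the global value, else the guide's defaults of 3600 seconds and 1843200 kilobytes), PFS left disabled by default, the dh-group1 keyword in FIPS mode, and an IKE peer referenced by both an IPsec policy and an IPsec profile. The `ipsec policy ... isakmp` and `ipsec profile` view-entry commands in the sample are assumed from Comware syntax and do not appear on this page.

```python
import re

GLOBAL_DEFAULTS = {"time-based": 3600, "traffic-based": 1843200}  # guide's global lifetime defaults

def audit(config, fips=False):
    """Check this section's constraints; return (findings, effective SA lifetime per view)."""
    glob, views, cur = dict(GLOBAL_DEFAULTS), {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"ipsec (policy-template|policy|profile) (\S+)", line)
        if m:                                           # enter a policy, template or profile view
            cur = views.setdefault(f"{m[1]} {m[2]}", {"kind": m[1]})
        elif line.startswith("ipsec sa global-duration "):   # system-view command
            glob[line.split()[3]] = int(line.split()[4])
        elif cur is not None and line and line != "#":
            cmd, _, rest = line.partition(" ")
            if cmd == "sa":                             # 'sa duration' may set time- and traffic-based
                cur.setdefault("sa", {})[rest.split()[1]] = int(rest.split()[2])
            else:
                cur[cmd] = rest.split()
    findings, lifetimes, peer_users = [], {}, {}
    for label, v in views.items():
        if "ike-peer" in v:
            peer_users.setdefault(v["ike-peer"][0], set()).add(v["kind"])
        if v["kind"] == "profile":
            continue
        if "pfs" not in v:                              # PFS is off unless configured
            findings.append(f"{label}: PFS not enabled (the default)")
        elif fips and v["pfs"][0] == "dh-group1":       # keyword unsupported in FIPS mode
            findings.append(f"{label}: dh-group1 is not supported in FIPS mode")
        lifetimes[label] = {**glob, **v.get("sa", {})}  # global value unless overridden here
    for peer, kinds in peer_users.items():              # one peer cannot serve a policy and a profile
        if "profile" in kinds and len(kinds) > 1:
            findings.append(f"ike-peer {peer}: referenced by both an IPsec policy and an IPsec profile")
    return findings, lifetimes

# Constructed sample; 'ipsec policy ... isakmp' and 'ipsec profile' view entries are assumed Comware syntax.
SAMPLE = """\
ipsec policy map1 10 isakmp
 security acl 3000
 proposal tran1
 ike-peer peer1
 pfs dh-group1
 sa duration time-based 7200
ipsec policy-template temp1 10
 proposal tran1
ipsec profile prof1
 ike-peer peer1
ipsec sa global-duration traffic-based 921600
"""
```

Run `audit(SAMPLE, fips=True)` to see the three findings for the sample; the returned lifetimes show map1 keeping its own 7200 s while inheriting the global 921600 KB traffic limit.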