R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Step / Command / Remarks (continued)

5. Specify the IKE peer for the IPsec policy to reference.
   Command: ike-peer peer-name
   Remarks: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

6. Enable and configure the perfect forward secrecy feature for the IPsec policy.
   Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
   Remarks: Optional. By default, the PFS feature is not used for negotiation. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE."

7. Configure the SA lifetime.
   Command: sa duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. By default, the global SA lifetime settings are used.

8. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
   Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
   Remarks: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.

9. Enable the IPsec policy.
   Command: policy enable
   Remarks: Optional. Enabled by default.

10. Return to system view.
   Command: quit
   Remarks: N/A

11. Configure the global SA lifetime.
   Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
   Remarks: Optional. 3600 seconds for the time-based SA lifetime by default; 1843200 kilobytes for the traffic-based SA lifetime by default.

12. Create an IPsec policy by referencing an IPsec policy template.
   Command: ipsec policy policy-name seq-number isakmp template template-name
   Remarks: By default, no IPsec policy exists.
Applying an IPsec policy group to an interface
An IPsec policy group is a collection of IPsec policies with the same name but different sequence numbers.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
You can apply an IPsec policy group to a logical or physical interface to protect certain data flows. To
cancel the IPsec protection, remove the application of the IPsec policy group.
For each packet to be sent out an IPsec protected interface, the system looks through the IPsec policies in
the IPsec policy group in ascending order of sequence numbers. If an IPsec policy matches the packet,
the system uses the IPsec policy to protect the packet. If no match is found, the system sends the packet out
without IPsec protection.
In addition to physical interfaces such as Ethernet ports, you can apply an IPsec policy group to virtual interfaces,
such as tunnel and virtual template interfaces, to protect tunneling applications such as GRE and L2TP.
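The policy-group lookup described above, written out as an added Python model (it is not code from the guide or the device): policies sharing one name are tried in ascending sequence order, the first match protects the packet, and a packet matching no policy leaves the interface in the clear. The ACL-based match the firewall uses is simplified here to source/destination prefixes, and the `enabled` flag stands for the policy enable step; both are assumptions of this model. The audit helper lists flows that would be sent unprotected, which is the check a practitioner wants before applying a group to an interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP) of an outbound packet


@dataclass(frozen=True)
class IpsecPolicy:
    """One entry of an IPsec policy group (same name, distinct seq-number)."""
    name: str
    seq: int
    src: str            # protected source prefix (simplified ACL selector, assumption)
    dst: str            # protected destination prefix (simplified ACL selector, assumption)
    enabled: bool = True  # models 'policy enable' (enabled by default)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # A disabled policy is skipped during the lookup.
        return (self.enabled
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def select_policy(group: Iterable[IpsecPolicy], src_ip: str, dst_ip: str) -> Optional[IpsecPolicy]:
    """Walk the group in ascending seq order; smaller seq = higher priority.

    Returns the first matching policy, or None when the packet would be
    forwarded without IPsec protection.
    """
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.matches(src_ip, dst_ip):
            return policy
    return None


def audit_cleartext(group: Iterable[IpsecPolicy], flows: Iterable[Flow]) -> List[Flow]:
    """Return the flows that no policy in the group would protect."""
    policies = list(group)
    return [flow for flow in flows if select_policy(policies, *flow) is None]


# Constructed sample group "map1": seq 10 is more specific than seq 20 and wins
# for flows both cover; seq 30 is present but disabled, so it never matches.
GROUP = [
    IpsecPolicy("map1", 20, "10.1.0.0/16", "10.2.0.0/16"),
    IpsecPolicy("map1", 10, "10.1.1.0/24", "10.2.1.0/24"),
    IpsecPolicy("map1", 30, "192.168.0.0/16", "172.16.0.0/12", enabled=False),
]

if __name__ == "__main__":
    sample_flows = [("10.1.1.5", "10.2.1.9"), ("10.1.5.5", "10.2.3.1"),
                    ("192.168.1.1", "172.16.0.1"), ("10.1.1.5", "8.8.8.8")]
    for flow in sample_flows:
        chosen = select_policy(GROUP, *flow)
        print(flow, "->", f"seq {chosen.seq}" if chosen else "NO PROTECTION")
    print("unprotected flows:", audit_cleartext(GROUP, sample_flows))
```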