R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101 (page 410)
Item                            Description
DH                              Select the DH group to be used in key negotiation phase 1.
                                • Diffie-Hellman Group1: Uses the 768-bit Diffie-Hellman group.
                                • Diffie-Hellman Group2: Uses the 1024-bit Diffie-Hellman group.
                                • Diffie-Hellman Group5: Uses the 1536-bit Diffie-Hellman group.
                                • Diffie-Hellman Group14: Uses the 2048-bit Diffie-Hellman group.
SA Lifetime                     Enter the ISAKMP SA lifetime.
                                Before an SA expires, IKE negotiates a new SA. The new SA takes effect
                                immediately after being set up, and the old one is cleared automatically
                                when it expires.
                                IMPORTANT:
                                Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. Because
                                the DH calculation in IKE negotiation takes time, especially on low-end
                                devices, set the lifetime to more than 10 minutes so that the SA update
                                does not disrupt normal communication.
Phase 2
Security Protocol               Select the security protocols to be used.
                                • ESP: Uses the ESP protocol.
                                • AH: Uses the AH protocol.
                                • AH-ESP: Uses ESP first and then AH.
AH Authentication Algorithm     Select an authentication algorithm for AH when you select AH or AH-ESP for
                                Security Protocol.
                                Available authentication algorithms include MD5 and SHA1.
ESP Authentication Algorithm    Select an authentication algorithm for ESP when you select ESP or AH-ESP for
                                Security Protocol.
                                You can select MD5 or SHA1. If you do not select any authentication
                                algorithm, ESP performs no authentication.
                                IMPORTANT:
                                The ESP authentication algorithm and ESP encryption algorithm cannot both be
                                null.
ESP Encryption Algorithm        Select an encryption algorithm for ESP when you select ESP or AH-ESP for
                                Security Protocol.
                                • 3DES: Uses the 3DES algorithm and a 168-bit key for encryption.
                                • DES: Uses the DES algorithm and a 56-bit key for encryption.
                                • AES128: Uses the AES algorithm and a 128-bit key for encryption.
                                • AES192: Uses the AES algorithm and a 192-bit key for encryption.
                                • AES256: Uses the AES algorithm and a 256-bit key for encryption.
                                If you do not select any encryption algorithm, ESP performs no encryption.
                                IMPORTANT:
                                • Higher security means more complex implementation and lower speed.
                                  DES is enough to meet general requirements. Use 3DES when high
                                  confidentiality and security are required.
                                • The ESP authentication algorithm and ESP encryption algorithm cannot
                                  both be null.
Encapsulation Mode              Select the IP packet encapsulation mode.
                                • Tunnel: Uses the tunnel mode.
                                • Transport: Uses the transport mode.
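The table above states several constraints that the web interface enforces only loosely (the ESP authentication and encryption algorithms cannot both be null, AH always needs an authentication algorithm, and the ISAKMP SA lifetime should exceed 10 minutes). The following added example, which is not part of the configuration guide and not HP code, encodes those rules as a pre-deployment check so that a proposal exported from a firewall or written in an automation script can be validated before it is applied. It assumes the lifetime is expressed in seconds and that a `None` value stands for "no algorithm selected"; the option names are lowercased forms of the ones in the table.

```python
from dataclasses import dataclass
from typing import List, Optional

# Option values from the table, keyed by a lowercased short name.
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
AUTH_ALGORITHMS = {"md5", "sha1"}                      # valid for both AH and ESP
ESP_ENC_KEY_BITS = {"des": 56, "3des": 168, "aes128": 128, "aes192": 192, "aes256": 256}
SECURITY_PROTOCOLS = {"esp", "ah", "ah-esp"}
ENCAPSULATION_MODES = {"tunnel", "transport"}
MIN_SA_LIFETIME_SECONDS = 10 * 60                      # guide: set lifetime to more than 10 minutes


@dataclass
class IpsecProposal:
    """One row of phase-1/phase-2 settings as a script would submit them (assumed shape)."""
    dh_group: str                    # "group1", "group2", "group5" or "group14"
    sa_lifetime: int                 # ISAKMP SA lifetime, assumed to be in seconds
    security_protocol: str           # "esp", "ah" or "ah-esp"
    ah_auth: Optional[str] = None    # "md5" / "sha1" / None
    esp_auth: Optional[str] = None   # "md5" / "sha1" / None (None = no authentication)
    esp_enc: Optional[str] = None    # "des" / "3des" / "aes128" / ... / None (None = no encryption)
    encapsulation: str = "tunnel"    # "tunnel" or "transport"


def validate_proposal(p: IpsecProposal) -> List[str]:
    """Return a list of rule violations; an empty list means the proposal is acceptable."""
    errors: List[str] = []

    # Phase 1: DH group and SA lifetime.
    if p.dh_group.lower() not in DH_GROUP_BITS:
        errors.append(f"unknown DH group {p.dh_group!r}")
    if p.sa_lifetime <= MIN_SA_LIFETIME_SECONDS:
        errors.append("ISAKMP SA lifetime should be more than 10 minutes so the rekey "
                      "DH calculation does not disrupt traffic")

    # Phase 2: security protocol and its algorithms.
    proto = p.security_protocol.lower()
    if proto not in SECURITY_PROTOCOLS:
        errors.append(f"unknown security protocol {p.security_protocol!r}")
        return errors  # nothing sensible to check below

    if proto in ("ah", "ah-esp"):
        # AH has no null option: an authentication algorithm is always required.
        if p.ah_auth is None or p.ah_auth.lower() not in AUTH_ALGORITHMS:
            errors.append("AH requires an authentication algorithm (MD5 or SHA1)")

    if proto in ("esp", "ah-esp"):
        if p.esp_auth is not None and p.esp_auth.lower() not in AUTH_ALGORITHMS:
            errors.append(f"unknown ESP authentication algorithm {p.esp_auth!r}")
        if p.esp_enc is not None and p.esp_enc.lower() not in ESP_ENC_KEY_BITS:
            errors.append(f"unknown ESP encryption algorithm {p.esp_enc!r}")
        # The rule the guide marks IMPORTANT: ESP must authenticate or encrypt (or both).
        if p.esp_auth is None and p.esp_enc is None:
            errors.append("ESP authentication algorithm and ESP encryption algorithm "
                          "cannot both be null")

    if p.encapsulation.lower() not in ENCAPSULATION_MODES:
        errors.append(f"unknown encapsulation mode {p.encapsulation!r}")
    return errors


def esp_key_bits(p: IpsecProposal) -> int:
    """Key length in bits of the selected ESP encryption algorithm, 0 when none is selected."""
    if p.esp_enc is None:
        return 0
    return ESP_ENC_KEY_BITS[p.esp_enc.lower()]


if __name__ == "__main__":
    # Constructed sample proposals, not taken from any real device.
    good = IpsecProposal("group14", 3600, "esp", esp_auth="sha1", esp_enc="aes256")
    bad = IpsecProposal("group1", 300, "ah-esp")  # short lifetime, no AH auth, ESP null/null
    for name, prop in (("good", good), ("bad", bad)):
        problems = validate_proposal(prop)
        print(f"{name}: {'OK' if not problems else ''}")
        for msg in problems:
            print("  -", msg)
```

Running the check as part of a change pipeline catches the ESP null/null combination before the web interface rejects it, and turns the guide's lifetime recommendation into a hard gate for automated deployments.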