R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Step 5. Enable and configure perfect forward secrecy (PFS).
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remarks: Optional. By default, PFS is not used for negotiation. For information about PFS, see "Configuring IKE."

Step 6. Configure the SA lifetime.
  Command: sa duration { time-based seconds | traffic-based kilobytes }
  Remarks: Optional. By default, an IPsec profile uses the global SA lifetime. For information about the global SA lifetime, see "Configuring IPsec."
NOTE:
• An IPsec profile depends on IKE for SA negotiation. An IPsec profile can reference up to six IPsec proposals. IKE searches for IPsec proposals that match at both ends during negotiation. If no match is found, SAs cannot be established and the packets requiring IPsec protection will be discarded.
• When IKE uses a security policy to initiate a negotiation, if the local end uses PFS, the remote end must also use PFS for negotiation, and both ends must use the same Diffie-Hellman (DH) group; otherwise, the negotiation will fail.
• When an IPsec profile protects DVPN traffic, you can configure the IPsec proposals referenced by the IPsec profile to use the ESP protocol, the AH protocol, or both.
• Because DVPN addresses are dynamic, the setting of the remote-address keyword for the IKE peer that an IPsec profile references does not take effect on the initiator.
• For information about the ipsec profile, proposal, ike-peer, pfs, and sa duration commands, see VPN Command Reference.
Configuring the DVPN tunnel parameters
Before configuring DVPN tunnel parameters, make sure IP addresses have been configured for the
source interfaces (VLAN interfaces, GigabitEthernet interfaces, or Loopback interfaces) of the virtual
tunnel interfaces and there are routes available between the interfaces.
To configure a DVPN tunnel:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a tunnel interface and enter its view.
  Command: interface tunnel number
  Remarks: No tunnel interface is created by default.

Step 3. Configure a private IPv4 address for the tunnel interface.
  Command: ip address ip-address { mask | mask-length } [ sub ]
  Remarks: A tunnel interface has no private IPv4 address configured by default.

Step 4. Configure the tunnel mode as DVPN, and specify the encapsulation mode of the DVPN tunnel.
  Command: tunnel-protocol dvpn { gre | udp }
  Remarks: The two ends of a tunnel must work in the same tunnel mode.
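The following is an added configuration example, not taken from the guide, that walks one DVPN node through the steps above: an IPsec profile with PFS and a per-profile SA lifetime (steps 5 and 6), then the tunnel interface (steps 1 to 4). The ike peer and ipsec proposal commands, all names, the key and the addresses are assumptions for illustration and do not appear on this page; the remaining tunnel parameters belong to later steps of the procedure.

```text
# Added example with constructed values (Comware-style CLI as used by this guide).
system-view

# IKE peer and IPsec proposal referenced by the profile below (assumed commands).
# Because DVPN addresses are dynamic, no remote-address is set on the peer.
ike peer dvpn-peer
 pre-shared-key simple Dvpn-Example-Key
 quit
ipsec proposal dvpn-prop
 transform esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
 quit

# IPsec profile (steps 5 and 6 above).
ipsec profile dvpn-profile
 proposal dvpn-prop
 ike-peer dvpn-peer
 # PFS on: the remote end must also enable PFS with the same DH group,
 # otherwise negotiation fails.
 pfs dh-group14
 # Per-profile lifetime overriding the global SA lifetime.
 sa duration time-based 3600
 sa duration traffic-based 1843200
 quit

# DVPN tunnel interface (steps 1 to 4 above).
interface tunnel 1
 # Private IPv4 address on the tunnel (constructed value).
 ip address 10.1.1.1 255.255.255.0
 # UDP encapsulation; both ends of the tunnel must use the same mode.
 tunnel-protocol dvpn udp
```

The peer node must mirror the pfs and tunnel-protocol settings, or the IKE negotiation and the tunnel will not come up.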