R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide

| Step | Command | Remarks |
|---|---|---|
| 7. Enable and configure the perfect forward secrecy feature for the IPsec policy. | pfs { dh-group1 \| dh-group2 \| dh-group5 \| dh-group14 } | Optional. By default, the PFS feature is not used for negotiation. If the local end is configured with the PFS feature, the remote end that initiates the negotiation must also be configured with this feature, and the DH group specified at both ends must be the same. Otherwise, the negotiation fails. For more information about PFS, see "IKE security mechanism." The dh-group1 keyword is not available in FIPS mode. |
| 8. Set the SA lifetime. | sa duration { time-based seconds \| traffic-based kilobytes } | Optional. By default, the global SA lifetime is used. If IKE is used for IPsec SA establishment, the smaller of the SA lifetimes configured at the local end and the remote end is used. |
| 9. Enable the IPsec policy. | policy enable | Optional. Enabled by default. |
| 10. Return to system view. | quit | N/A |
| 11. Set the global SA lifetime. | ipsec sa global-duration { time-based seconds \| traffic-based kilobytes } | Optional. The default time-based SA lifetime is 3600 seconds. The default traffic-based SA lifetime is 1843200 kilobytes. |
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
The parameters configurable for an IPsec policy template are the same as those you configure when directly configuring an IPsec policy that uses IKE. The difference is that more parameters are optional.
• Required configuration: The IPsec transform sets and IKE peer.
• Optional configuration: The ACL, PFS feature, and SA lifetime. Unlike the direct configuration, the ACL to be referenced by an IPsec policy is optional. A responder without an ACL configuration accepts the initiator's ACL configuration.
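The following is an added example (not configuration from the HP guide) that puts the two methods side by side: the responder uses an IPsec policy template with no ACL, so it accepts whatever ACL the initiator proposes, while the initiator uses a directly configured IKE-based policy. It also shows the two remarks above in practice: both ends specify the same PFS DH group, and the effective SA lifetime is the smaller of the two configured values. The names (tmpl1, map1, tset1, peer-hq, peer-branch, ACL 3001) are constructed; the ipsec policy ... isakmp, transform-set, ike-peer and security acl lines follow standard Comware syntax that is not reproduced on this page and should be checked against the relevant sections of the guide. Lines beginning with # are annotations, not CLI input.

```text
# --- Responder (hub): IPsec policy template, ACL omitted ---
# Without a security acl line the responder accepts the initiator's ACL.
system-view
 ipsec policy-template tmpl1 10
  transform-set tset1
  ike-peer peer-branch
  pfs dh-group14
  sa duration time-based 1800
  quit
 ipsec sa global-duration traffic-based 1843200
 quit

# --- Initiator (branch): directly configured IKE-based IPsec policy ---
# pfs dh-group14 matches the responder; a different group (or PFS only on
# the responder) makes the negotiation fail.
# Effective time-based lifetime = min(3600, 1800) = 1800 seconds.
system-view
 ipsec policy map1 10 isakmp
  security acl 3001
  transform-set tset1
  ike-peer peer-hq
  pfs dh-group14
  sa duration time-based 3600
  policy enable
  quit
 quit
```

The weaker alternative would be pfs dh-group1 on both ends: it negotiates in non-FIPS mode but is rejected in FIPS mode, so dh-group14 is the setting to standardize on if FIPS operation is ever required. Because the responder's template carries no ACL, the traffic selectors are entirely decided by ACL 3001 on the initiator; review that ACL as carefully as you would the responder's own policy.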
To configure an IPsec policy that uses IKE by referencing an IPsec policy template:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an IPsec policy template and enter its view. | ipsec policy-template template-name seq-number | By default, no IPsec policy template exists. |