R2511-HP MSR Router Series Security Configuration Guide(V5)

Step | Command | Remarks

10. Specify the IP packet encapsulation mode.
    Command: encapsulation-mode { transport | tunnel }
    Remarks: Optional. Tunnel mode by default. This command is available only for IKEv2. Transport mode applies only when the source and destination IP addresses of the data flows match those of the IPsec tunnel. IPsec for IPv6 routing protocols supports only the transport mode.

11. Enable the traffic flow confidentiality (TFC) padding function.
    Command: tfc enable
    Remarks: Optional. Disabled by default.

12. Enable and configure the perfect forward secrecy feature for the IPsec policy.
    Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
    Remarks: Optional. By default, the PFS feature is not used for negotiation. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same DH group. Otherwise, the negotiation will fail. For more information about PFS, see "Configuring IKE." The dh-group1 keyword is not available for FIPS mode.

13. Set the SA lifetime.
    Command: sa duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. By default, the global SA lifetime is used. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.

14. Enable the IPsec policy.
    Command: policy enable
    Remarks: Optional. Enabled by default.

15. Return to system view.
    Command: quit
    Remarks: N/A

16. Set the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remarks: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
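The following session is an added worked example, not configuration taken from this guide, showing steps 10 through 16 above applied to one IKE-based IPsec policy on a Comware V5 MSR. The policy name map1, sequence number 10, ACL 3000, IKE peer peer1 and proposal tran1 are placeholder names; the security acl, ike-peer and proposal commands belong to the earlier steps of this procedure, which are not shown on this page. Lines beginning with # are annotations for the reader, not commands typed at the router.

```text
# Added example (not from the guide): IKE-based IPsec policy on an HP MSR, Comware V5.
# map1, 10, 3000, peer1 and tran1 are assumed placeholder values.
<Router> system-view

# Step 16: global SA lifetimes. These are the documented defaults (3600 s, 1843200 KB);
# they apply to every policy that does not set its own sa duration.
[Router] ipsec sa global-duration time-based 3600
[Router] ipsec sa global-duration traffic-based 1843200

# Earlier steps of this procedure (not on this page): create the policy and
# reference the data-flow ACL, the IKE peer and the IPsec proposal.
[Router] ipsec policy map1 10 isakmp
[Router-ipsec-policy-isakmp-map1-10] security acl 3000
[Router-ipsec-policy-isakmp-map1-10] ike-peer peer1
[Router-ipsec-policy-isakmp-map1-10] proposal tran1

# Step 10 (IKEv2 only): the default, tunnel mode, is kept. Transport mode would only
# be valid if the protected flows run between the tunnel endpoints themselves.

# Step 11: TFC padding, off by default; enable it so packet sizes do not reveal
# the shape of the protected traffic to a passive observer.
[Router-ipsec-policy-isakmp-map1-10] tfc enable

# Step 12: PFS with DH group 14 (2048-bit MODP). The peer must configure PFS with
# the same group or negotiation fails. dh-group1 is not available in FIPS mode.
[Router-ipsec-policy-isakmp-map1-10] pfs dh-group14

# Step 13: per-policy lifetimes shorter than the global values. During negotiation
# IKE uses the smaller of the local setting and the peer's proposal, so the
# effective lifetime can never exceed what is configured here.
[Router-ipsec-policy-isakmp-map1-10] sa duration time-based 1800
[Router-ipsec-policy-isakmp-map1-10] sa duration traffic-based 921600

# Step 14: enabled by default; stated explicitly so the intent is visible in the config.
[Router-ipsec-policy-isakmp-map1-10] policy enable

# Step 15: return to system view and verify.
[Router-ipsec-policy-isakmp-map1-10] quit
[Router] display ipsec policy name map1
```

After the policy is applied to an interface, a mismatch on either side of the PFS setting or DH group shows up as a failed IKE negotiation rather than a weaker SA, so when both ends are changed the PFS group should be changed on both at the same time.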
2. Configure an IPsec policy that uses IKE by referencing an IPsec policy template.
The parameters configurable for an IPsec policy template are the same as those you configure
when directly configuring an IPsec policy that uses IKE. The difference is that more parameters are
optional.