3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

IPsec Configuration 159
Changing the configured global lifetime does not affect SAs that have already been
set up; the changed global lifetime applies only to IKE negotiations initiated afterwards.
6 Configuring the PFS feature in negotiation
Perfect Forward Secrecy (PFS) is a security feature. With it, keys are not derived from
one another, so the compromise of one key does not threaten the security of other keys.
The feature is implemented by adding a key exchange to the stage-2 (phase 2)
negotiation of IKE. This command is only significant to isakmp mode SAs.
Perform the following configuration in IPsec policy view.
When IKE initiates a negotiation using an IPsec policy configured with the PFS
feature, it performs an additional key exchange. If the local end adopts PFS, the
peer must also adopt PFS. The local end and the peer must specify the same
Diffie-Hellman (DH) group; otherwise, the negotiation between them fails.
dh-group2 provides a higher security level than dh-group1, dh-group5 a higher
level than dh-group2, and so on for the remaining groups, but a higher group
needs more time for calculation.
By default, the PFS feature is not used.
7 Configuring IPsec DPD (optional)
Creating a DPD structure
Perform the following configuration in system view.
A DPD data structure, or DPD structure, contains DPD query parameters such as
the interval-time timer and the time-out timer. A DPD structure can be referenced by
multiple IKE peers, so you need not configure one DPD structure for each
interface. A DPD structure that is referenced by an IKE peer cannot be
deleted.
Table 143 Configure an SA lifetime

  Operation                                      Command
  Configure an SA lifetime for the IPsec policy  sa duration { traffic-based kilobytes | time-based seconds }
  Adopt the configured global SA lifetime        undo sa duration { traffic-based | time-based }

Table 144 Set the PFS feature used in negotiation

  Operation                                      Command
  Configure the PFS feature used in negotiation  pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Disable PFS in negotiation                     undo pfs

Table 145 Create a DPD structure and enter its view

  Operation                                      Command
  Create a DPD structure and enter its view      ike dpd dpd-name
  Delete the specified DPD structure             undo ike dpd dpd-name
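A minimal configuration that applies the three tables above to one isakmp-mode policy, added here as an illustration and not taken from the guide. The names policy1, peer1 and dpd1, the sequence number 10, the timer and lifetime values, and the system-view, ike peer and dpd reference commands are assumptions; the pfs, sa duration and ike dpd lines are the commands listed in the tables.

```text
# Enter system view (command name assumed; the guide only says "system view").
system-view
# Table 145: create the DPD structure. interval-time and time-out are the
# timers named in the text; the values 10 s and 5 s are assumed here.
ike dpd dpd1
 interval-time 10
 time-out 5
 quit
# Reference the structure from an IKE peer (peer name and the "dpd" command
# are assumptions; the guide only states that IKE peers reference a structure).
# While peer1 references dpd1, "undo ike dpd dpd1" is refused.
ike peer peer1
 dpd dpd1
 quit
# Tables 143 and 144 apply in IPsec policy view; PFS matters only for isakmp mode.
ipsec policy policy1 10 isakmp
 # Both ends must configure PFS with the same DH group, or phase-2
 # negotiation fails; dh-group2 is stronger than dh-group1 but costs more CPU.
 pfs dh-group2
 # Per-policy SA lifetime; remove these with "undo sa duration" to fall back
 # to the global lifetime (existing SAs keep the lifetime they were set up with).
 sa duration time-based 3600
 sa duration traffic-based 1843200
 quit
```

The peer device needs the same pfs dh-group2 line in its own policy; a mismatch such as dh-group5 on one side and dh-group2 on the other makes the negotiation fail even though both ends use PFS.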