3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

CHAPTER 11: IKE CONFIGURATION
Selecting Diffie-Hellman group ID
This configuration is used to specify the Diffie-Hellman group ID used by an IKE
proposal.
Perform the following configuration in IKE proposal view.
By default, the 768-bit Diffie-Hellman group (group 1) is selected.
Configuring lifetime of ISAKMP SA (optional)
This configuration is used to specify the lifetime of the ISAKMP SA used by an
IKE proposal.
Perform the following configuration in IKE proposal view.
When the sa duration expires, the ISAKMP SA is updated automatically. The SA
lifetime can be set to a value between 60 and 604800 seconds. IKE negotiation
has to perform the DH algorithm, which takes a relatively long time, so to keep
ISAKMP SA updates from affecting secure communication, it is recommended to set
the sa duration to more than 10 minutes.
A new SA is negotiated to replace the old SA before the configured SA duration
is exceeded. This is called the soft timeout, and it starts at 90% of the SA
duration. The old SA is cleared automatically when the SA duration is exceeded,
which is called the hard timeout.
By default, the ISAKMP SA duration is 86400 seconds (a day).
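Added example (not from the 3Com guide): a Python audit of the commands entered in one IKE proposal view, applying the defaults and limits stated above and deriving the soft timeout at 90% of the SA duration. The 2048-bit policy minimum and the handling of out-of-range values as not applied are assumptions; the bit sizes for groups 2, 5 and 14 are the standard MODP sizes, not values from this page.

```python
import re

# Group 1 = 768 bits is from the page; the other sizes are the standard MODP sizes.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
DEFAULT_DH, DEFAULT_LIFETIME = "group1", 86400   # defaults stated on the page
MIN_LIFETIME, MAX_LIFETIME = 60, 604800          # accepted range, seconds
RECOMMENDED_MIN = 600                            # "more than 10 minutes"
MIN_DH_BITS = 2048                               # assumed local policy, not from the page


def audit_proposal(lines):
    """Return (effective settings, findings) for the commands of one IKE proposal view."""
    dh, lifetime, findings = DEFAULT_DH, DEFAULT_LIFETIME, []
    for raw in lines:
        cmd = " ".join(raw.split())              # normalise whitespace
        if cmd == "undo dh":
            dh = DEFAULT_DH
        elif cmd == "undo sa duration":
            lifetime = DEFAULT_LIFETIME
        elif m := re.fullmatch(r"dh (group(?:1|2|5|14))", cmd):
            dh = m.group(1)
        elif m := re.fullmatch(r"sa duration (\d+)", cmd):
            value = int(m.group(1))
            if MIN_LIFETIME <= value <= MAX_LIFETIME:
                lifetime = value
            else:  # assumption: an out-of-range value is not applied
                findings.append(f"sa duration {value} is outside {MIN_LIFETIME}-{MAX_LIFETIME}")
        elif cmd:
            findings.append(f"unrecognised command: {cmd}")
    if DH_BITS[dh] < MIN_DH_BITS:
        findings.append(f"dh {dh} is {DH_BITS[dh]}-bit, below the {MIN_DH_BITS}-bit policy minimum")
    if lifetime <= RECOMMENDED_MIN:
        findings.append(f"sa duration {lifetime}s is not greater than 10 minutes")
    settings = {"dh": dh, "dh_bits": DH_BITS[dh],
                "hard_timeout": lifetime, "soft_timeout": lifetime * 9 // 10}
    return settings, findings


# Constructed sample: a proposal with both settings changed from their defaults.
SAMPLE_TUNED = ["dh group14", "sa duration 3600"]

if __name__ == "__main__":
    for name, cfg in (("default", []), ("tuned", SAMPLE_TUNED)):
        print(name, *audit_proposal(cfg), sep="\n  ")
```

An empty command list models a proposal left at its defaults, which is reported as using the 768-bit group.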
Configuring IKE Peer
Creating an IKE peer
Perform the following configuration in system view.
Configuring IKE negotiation mode
Perform the following configuration in IKE-peer view.
Table 171 Select Diffie-Hellman group ID
Operation                                             Command
Select Diffie-Hellman group ID                        dh { group1 | group2 | group5 | group14 }
Restore the default value of Diffie-Hellman group ID  undo dh
Table 172 Set sa duration of IKE SA
Operation                      Command
Configure lifetime of IKE SA   sa duration seconds
Restore the default lifetime   undo sa duration
Table 173 Configure IKE peer
Operation                                            Command
Configure an IKE peer and access the IKE peer view   ike peer peer-name
Delete the IKE peer                                  undo ike peer peer-name