3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

384 CHAPTER 22: IPSEC CONFIGURATION COMMANDS
undo pfs
View
IPsec policy view, IPsec policy template view
Parameter
dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.
dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.
dh-group5: Specifies that the 1536-bit Diffie-Hellman group is used.
dh-group14: Specifies that the 2048-bit Diffie-Hellman group is used.
Description
Use the pfs command to enable the Perfect Forward Secrecy (PFS) feature for negotiations that the IPsec policy initiates.
Use the undo pfs command to disable the PFS feature during the negotiation.
By default, the PFS feature is not used.
This command adds a PFS exchange when IPsec uses the IPsec policy to initiate a negotiation. The additional key exchange is performed during the phase 2 negotiation to enhance communication security. The DH group specified at the local end and at the remote end must be the same; otherwise, the negotiation fails.
This command can be used only when the security association is established through IKE.
Related command: ipsec policy-template, ipsec policy (system view), ipsec policy (interface view), tunnel local, tunnel remote, sa duration, and proposal.
Example
# Specify that PFS must be used when negotiating through IPsec policy shanghai 200 (the DH group keyword takes the dh-group form listed under Parameter).
[SecBlade_VPN] ipsec policy shanghai 200 isakmp
[SecBlade_VPN-ipsec-policy-isakmp-shanghai-200] pfs dh-group1
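As an added audit example (not from the 3Com manual), the following Python script parses the pfs line of each isakmp IPsec policy in two peers' configuration dumps, reports a DH group mismatch (which the manual says makes the negotiation fail) and flags groups whose modulus size, taken from the parameter list above, falls below a chosen threshold. The 2048-bit threshold, the policy and proposal names, and the sample dumps are constructed assumptions.

```python
import re
# Modulus size in bits per DH group keyword, as listed under the pfs command parameters.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}
MIN_BITS = 2048  # audit threshold chosen for this example, not a value from the manual
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) isakmp$")
PFS_RE = re.compile(r"^pfs (dh-group\d+)$")

def parse_pfs(config_text):
    """Map (policy name, seq) -> DH group keyword, or None if the policy has no pfs line."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            policies[current] = None  # documented default: no PFS
        elif current is not None and PFS_RE.match(line):
            policies[current] = PFS_RE.match(line).group(1)
        elif line in ("#", "quit"):  # leaves the IPsec policy view
            current = None
    return policies

def check_pfs_pair(local_group, remote_group):
    """Findings for one local/remote policy pair: group mismatch (negotiation fails) and weak groups."""
    findings = []
    if local_group != remote_group:
        findings.append("mismatch: local %s vs remote %s" % (local_group or "no PFS", remote_group or "no PFS"))
    for side, group in (("local", local_group), ("remote", remote_group)):
        if group is None:
            findings.append("%s: PFS not enabled (default)" % side)
        elif DH_GROUP_BITS.get(group, 0) < MIN_BITS:
            findings.append("%s: %s (%s-bit) is below %d-bit" % (side, group, DH_GROUP_BITS.get(group, "unknown"), MIN_BITS))
    return findings

# Constructed sample configuration dumps for the two peers (not real device output).
LOCAL_CFG = """\
ipsec policy shanghai 200 isakmp
 pfs dh-group2
 proposal tran1
#
"""
REMOTE_CFG = """\
ipsec policy beijing 10 isakmp
 pfs dh-group14
 proposal tran1
#
"""
if __name__ == "__main__":
    local, remote = parse_pfs(LOCAL_CFG), parse_pfs(REMOTE_CFG)
    print("\n".join(check_pfs_pair(local[("shanghai", 200)], remote[("beijing", 10)])))
```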
proposal
Syntax
proposal proposal-name1 [ proposal-name2...proposal-name6 ]
undo proposal [ proposal-name ]
View
IPsec policy view, IPsec policy template view
Parameter
proposal-name1, ..., proposal-name6: Names of the proposals to be used.