HP VPN Firewall Appliances VPN Configuration Guide

418
Item Description
PFS
Enable Perfect Forward Secrecy (PFS) with a chosen Diffie-Hellman group, or disable it:
None: Disables PFS.
Diffie-Hellman Group1: Enables PFS and uses the 768-bit Diffie-Hellman group.
Diffie-Hellman Group2: Enables PFS and uses the 1024-bit Diffie-Hellman group.
Diffie-Hellman Group5: Enables PFS and uses the 1536-bit Diffie-Hellman group.
Diffie-Hellman Group14: Enables PFS and uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
DH Group14, DH Group5, DH Group2, and DH Group1 are listed in descending order of both security strength and computation time. The 768-bit and 1024-bit groups (Group1 and Group2) are considered too weak by current guidance; use Group14 unless the remote peer cannot support it.
When an IPsec connection with PFS configured is used to initiate negotiation, an additional Diffie-Hellman exchange is performed in phase 2, so the IPsec SA keys are derived independently of the IKE SA keying material and a compromise of the IKE SA does not expose them.
The local and remote peers must use the same Diffie-Hellman group. Otherwise, negotiation fails.
SA Lifetime
Set the time-based IPsec SA lifetime, the traffic-based IPsec SA lifetime, or both.
IMPORTANT:
When negotiating IPsec SAs, IKE uses, for each lifetime type, the smaller of the local lifetime setting and the lifetime proposed by the peer.
DPD
Enable or disable the Dead Peer Detection (DPD) function.
DPD detects dead IKE peers on demand rather than at fixed intervals: a probe is sent only when there is outbound traffic and the peer has been silent. When the local end sends an IPsec packet, DPD checks when the last IPsec packet was received from the peer. If that time exceeds the DPD interval, it sends a DPD hello to the peer. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello. If it still receives no acknowledgement after the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs negotiated under that IKE SA.
DPD Interval
Enter the interval after which DPD is triggered if no IPsec packet has been received from the peer.
DPD Timeout
Enter the interval after which the DPD hello is retransmitted if no DPD acknowledgement has been received.
8. Click Apply.
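The following Python model is an added example, not code from the HP guide or the appliance; it replays the two rules stated in the table for IPsec SA negotiation (matching PFS group, smaller of the two lifetimes) and the on-demand DPD behaviour (hello after the DPD interval, retransmission after the DPD timeout, peer declared dead after two unanswered retransmissions). All timestamps, event sequences, and the "weak group" flag for groups under 2048 bits are constructed assumptions for illustration and are not settings or output of the appliance.

```python
"""Model of IKE phase-2 negotiation rules and on-demand DPD as described in
the configuration table. Added example; not HP or appliance code.
Times are seconds; all event sequences below are constructed inline."""

from dataclasses import dataclass, field
from typing import Optional

# Diffie-Hellman group -> modulus size in bits (values from the table).
DH_GROUP_BITS = {"none": 0, "group1": 768, "group2": 1024,
                 "group5": 1536, "group14": 2048}


@dataclass
class Phase2Proposal:
    pfs_group: str        # "none" or one of the DH_GROUP_BITS keys
    life_seconds: int     # time-based IPsec SA lifetime
    life_kbytes: int      # traffic-based IPsec SA lifetime


def negotiate_phase2(local: Phase2Proposal, peer: Phase2Proposal) -> dict:
    """PFS group must match on both sides or negotiation fails; each
    lifetime becomes the smaller of the local setting and the peer's."""
    if local.pfs_group != peer.pfs_group:
        return {"ok": False, "reason": "PFS DH group mismatch"}
    result = {
        "ok": True,
        "pfs_group": local.pfs_group,
        "life_seconds": min(local.life_seconds, peer.life_seconds),
        "life_kbytes": min(local.life_kbytes, peer.life_kbytes),
    }
    # Assumption (not from the guide): flag PFS groups under 2048 bits so an
    # operator notices Group1/Group2/Group5 still being negotiated.
    result["weak_pfs"] = 0 < DH_GROUP_BITS[local.pfs_group] < 2048
    return result


@dataclass
class DeadPeerDetector:
    dpd_interval: float            # "DPD Interval" field
    dpd_timeout: float             # "DPD Timeout": retransmission interval
    max_retries: int = 2           # default retransmission count from the table
    last_rx: float = 0.0           # time the last IPsec packet arrived from peer
    hello_sent_at: Optional[float] = None   # time of the outstanding hello
    retries: int = 0
    peer_dead: bool = False
    log: list = field(default_factory=list)

    def ipsec_received(self, now: float) -> None:
        # Any traffic from the peer proves liveness and cancels the probe.
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def dpd_ack_received(self, now: float) -> None:
        self.ipsec_received(now)
        self.log.append((now, "ack"))

    def ipsec_sent(self, now: float) -> None:
        # On-demand DPD: only outbound traffic triggers the silence check.
        if self.peer_dead or self.hello_sent_at is not None:
            return
        if now - self.last_rx > self.dpd_interval:
            self.hello_sent_at = now
            self.log.append((now, "hello"))

    def tick(self, now: float) -> None:
        """Timer path: retransmit after dpd_timeout; after max_retries
        unanswered retransmissions, declare the peer dead and tear down."""
        if self.peer_dead or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at >= self.dpd_timeout:
            if self.retries < self.max_retries:
                self.retries += 1
                self.hello_sent_at = now
                self.log.append((now, f"retransmit {self.retries}"))
            else:
                self.peer_dead = True
                self.log.append((now, "peer dead: clear IKE SA and IPsec SAs"))


def run_dpd(events, dpd_interval=10.0, dpd_timeout=5.0) -> DeadPeerDetector:
    """Replay constructed (time, kind) events; kind is rx, tx, ack or tick."""
    d = DeadPeerDetector(dpd_interval, dpd_timeout)
    for now, kind in sorted(events):
        d.tick(now)                     # timers fire before the event itself
        if kind == "rx":
            d.ipsec_received(now)
        elif kind == "tx":
            d.ipsec_sent(now)
        elif kind == "ack":
            d.dpd_ack_received(now)
    return d


if __name__ == "__main__":
    print(negotiate_phase2(Phase2Proposal("group14", 3600, 1843200),
                           Phase2Proposal("group14", 1800, 2560000)))
    dead = run_dpd([(0, "rx"), (5, "tx"), (30, "tx"),
                    (35, "tick"), (40, "tick"), (45, "tick")])
    print(dead.log)   # hello at 30, retransmits at 35 and 40, dead at 45
```

With a 10-second DPD interval and a 5-second DPD timeout, a silent peer is declared dead 15 seconds after the first hello (two retransmissions plus one final timeout), which is the figure to use when sizing the DPD settings against the expected failover time of the remote site.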
Displaying DVPN session information
1. From the navigation tree, select VPN > DVPN > Client.
2. Click the DVPN session tab to view the DVPN session list, as shown in Figure 318.
Table 65 describes the fields in the tab page.