Configuring Ipsec Policy Template - 3Com 3C13636 Configuration Manual


3Com Router 3000 Ethernet Family
Configuration Guide
Chapter 7 IPSec Configuration

Table 7-18 Set the PFS feature used in negotiation

Operation                                         Command
Configure the PFS feature used in negotiation.    pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
Disable PFS in negotiation.                       undo pfs

When IKE initiates a negotiation by using an IPSec policy configured with the PFS
feature, it performs a key exchange operation. If the local end adopts PFS, the peer
must also adopt PFS. The local end and the peer must specify the same
Diffie-Hellman (DH) group; otherwise, the negotiation between them will fail.
The 1024-bit DH group (group2) provides a higher security level than the 768-bit DH
group (group1), but it needs a longer time for calculation.
Of the four keywords, group1, group2, group5, and group14, each provides a higher
security level than the one before it, at the price of longer calculation time.
By default, no PFS feature is configured.

7.2.4 Configuring IPSec Policy Template

In the IKE approach, you can create a security policy by referencing an IPSec policy
template as an alternative to configuring one directly in IPSec policy view. Before doing
that, you need to configure a set of security policies in the template.
Configuring an IPSec policy template is similar to configuring a common IPSec policy:
first create the policy template, then specify the template parameters.
Perform the following configuration in system view.

Table 7-19 Configure IPSec policy template

Operation                              Command
Create/Modify IPSec policy template    ipsec policy-template template-name seq-number
Delete an IPSec policy template        undo ipsec policy-template template-name [ seq-number ]

Using the ipsec policy-template command, you enter IPSec policy template view,
in which you can specify the parameters of the policy template.
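
The PFS matching rule and the ipsec policy-template syntax described above can be checked offline before a change is pushed. The following is an added example, not part of the 3Com manual: it parses template sections from configuration text and flags a PFS mismatch with the peer, a template left at the default (no PFS), or a DH group below a minimum size. The template names, the one-command-per-line layout, the peer settings and the 2048-bit minimum are assumptions.

```python
import re

# Modulus sizes: group1 and group2 as stated in the manual; group5 and group14 per RFC 3526.
DH_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}
TEMPLATE_RE = re.compile(r"ipsec policy-template (\S+) (\d+)$")
PFS_RE = re.compile(r"pfs (dh-group(?:14|1|2|5))$")

def parse_pfs(config):
    """Map (template-name, seq-number) to its PFS keyword; None means PFS is off (the default)."""
    result, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = TEMPLATE_RE.match(line)
        if header:
            current = (header.group(1), int(header.group(2)))
            result.setdefault(current, None)
        elif current is not None:
            pfs = PFS_RE.match(line)
            if pfs:
                result[current] = pfs.group(1)
            elif line == "undo pfs":
                result[current] = None
    return result

def audit(local_config, peer_pfs, min_bits=2048):
    """Compare each template's PFS setting with the peer's; min_bits is an assumed local policy."""
    findings = []
    for key, local in sorted(parse_pfs(local_config).items()):
        peer = peer_pfs.get(key)
        if local != peer:  # per the manual, PFS and the DH group must match or negotiation fails
            findings.append((key, f"mismatch: local={local}, peer={peer}"))
        if local is None:
            findings.append((key, "PFS not configured"))
        elif DH_BITS[local] < min_bits:
            findings.append((key, f"{local} is {DH_BITS[local]}-bit, below {min_bits}"))
    return findings

# Constructed sample input: template names and the peer's settings are hypothetical.
LOCAL_CONFIG = """
ipsec policy-template branch 10
 pfs dh-group14
ipsec policy-template branch 20
 pfs dh-group2
ipsec policy-template lab 10
"""
PEER_PFS = {("branch", 10): "dh-group14", ("branch", 20): "dh-group5", ("lab", 10): None}

if __name__ == "__main__":
    for key, message in audit(LOCAL_CONFIG, PEER_PFS):
        print(key, message)
```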
