HP 10500 Series Configuration Manual page 318

Security configuration guide

Step 5. Assign IPsec transform sets to the IPsec policy.
    Command: transform-set transform-set-name&<1-6>
    Remark: By default, an IPsec policy references no IPsec transform set. With SAs to be established through IKE negotiation, an IPsec policy can reference up to six IPsec transform sets. During negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the expected IPsec tunnel. If no match is found, no SA can be set up and the packets expecting to be protected will be dropped.

Step 6. Specify an IKE peer for the IPsec policy.
    Command: ike-peer peer-name
    Remark: Required for IKEv1 negotiation.

Step 7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
    Command: pfs { dh-group2 | dh-group5 | dh-group14 }
    Remark: Optional. By default, the PFS feature is not used for negotiation. During IKE negotiation for an IPsec policy with PFS enabled, an additional key exchange is performed. If the local end uses PFS, the remote end must also use PFS for negotiation and both ends must use the same Diffie-Hellman (DH) group. Otherwise, the negotiation fails. For more information about PFS, see "Configuring IKE."

Step 8. Set the SA lifetime.
    Command: sa duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. By default, the global SA lifetime is used. An SA uses the global lifetime settings when it is not configured with lifetime settings in IPsec policy view. When negotiating to set up SAs, IKE uses the local lifetime settings or those proposed by the peer, whichever are smaller.

Step 9. Enable the IPsec policy.
    Command: policy enable
    Remark: Optional. Enabled by default.

Step 10. Return to system view.
    Command: quit
    Remark: N/A

Step 11. Set the global SA lifetime.
    Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
    Remark: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.
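
The negotiation rules in the remarks above can be checked for a planned pair of tunnel ends before the configuration is rolled out. The following is an added example, not code from the manual or the device: `PolicyEnd`, `check_pair`, the tuple representation of a transform set and the per-type lifetime override are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults from the table above: 3600 seconds, 1843200 kilobytes.
GLOBAL_DEFAULT = {"time": 3600, "traffic": 1843200}
PFS_GROUPS = {"dh-group2", "dh-group5", "dh-group14"}

@dataclass
class PolicyEnd:
    """One end of the tunnel (hypothetical model, not device syntax)."""
    transform_sets: list                     # tuples of parameters (assumed representation)
    pfs: Optional[str] = None                # None = PFS not used (the default)
    sa_duration: Optional[dict] = None       # set in IPsec policy view
    global_duration: Optional[dict] = None   # ipsec sa global-duration

    def lifetime(self) -> dict:
        # Assumption: a per-policy value overrides the global one per lifetime type.
        merged = dict(GLOBAL_DEFAULT)
        merged.update(self.global_duration or {})
        merged.update(self.sa_duration or {})
        return merged

def check_pair(local: PolicyEnd, remote: PolicyEnd) -> dict:
    problems = []
    for name, end in (("local", local), ("remote", remote)):
        if not 1 <= len(end.transform_sets) <= 6:
            problems.append(f"{name}: policy must reference 1 to 6 transform sets")
        if end.pfs is not None and end.pfs not in PFS_GROUPS:
            problems.append(f"{name}: {end.pfs} is not a group the pfs command lists")
    # IKE needs a transform set that matches fully at both ends.
    matched = next((t for t in local.transform_sets if t in remote.transform_sets), None)
    if matched is None:
        problems.append("no fully matched transform set: no SA, protected traffic is dropped")
    # The PFS rule applied from each end's viewpoint: same use, same DH group.
    if local.pfs != remote.pfs:
        problems.append(f"PFS mismatch: local={local.pfs} remote={remote.pfs}")
    if problems:
        return {"ok": False, "problems": problems}
    l, r = local.lifetime(), remote.lifetime()
    # IKE uses the smaller of the local and peer lifetime settings.
    return {"ok": True, "transform_set": matched, "pfs": local.pfs,
            "lifetime": {k: min(l[k], r[k]) for k in l}}

# Constructed sample ends (not taken from a real device).
LOCAL = PolicyEnd([("esp", "aes-128", "sha1"), ("esp", "3des", "md5")],
                  pfs="dh-group14", sa_duration={"time": 1800})
REMOTE = PolicyEnd([("esp", "3des", "md5")], pfs="dh-group14",
                   global_duration={"traffic": 921600})

if __name__ == "__main__":
    print(check_pair(LOCAL, REMOTE))
```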
