2140  CHAPTER 140: IPSEC CONFIGURATION COMMANDS

Syntax
ipsec session idle-time seconds
undo ipsec session idle-time

View
System view

Parameter
seconds: IPSec session idle timeout in seconds, in the range of 60 to 3,600.

Description
Use the ipsec session idle-time command to set the idle timeout for IPSec sessions.
Use the undo ipsec session idle-time command to restore the default.
By default, the IPSec session idle timeout is 300 seconds.

Example
# Set the IPSec session idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec session idle-time 600

pfs

Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs

View
IPSec policy view/IPSec policy template view

Parameter
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.

Description
Use the pfs command to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPSec policy to initiate a negotiation.
Use the undo pfs command to remove the configuration.
By default, the PFS feature is not used for negotiation.

Note that:
■ In terms of security and necessary calculation time, the following four groups are in descending order: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2) and 768-bit Diffie-Hellman group (dh-group1).
■ This command allows IPSec to perform an additional key exchange process during the negotiation phase 2, providing an additional level of security.
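The two commands above are easy to leave at their defaults (PFS off, idle timeout 300 seconds) or to set to the weakest group. The following audit script is an added example, not part of this manual and not vendor code: it parses a saved configuration for the ipsec session idle-time and pfs settings documented here and reports each IPSec policy whose PFS group is absent or below 2048-bit. The sample configuration is constructed; the "ipsec policy <name> <seq> isakmp" and "ipsec policy-template <name> <seq>" lines are assumed Comware-style view-entry syntax, while the pfs and idle-time lines follow the syntax on this page. The 2048-bit threshold is the audit's own choice, justified by the page's ordering of the four groups.

```python
import re
from typing import Dict, Optional, Tuple

# Diffie-Hellman group sizes as listed on this page, strongest first.
DH_GROUP_BITS = {
    "dh-group14": 2048,
    "dh-group5": 1536,
    "dh-group2": 1024,
    "dh-group1": 768,
}
MIN_DH_BITS = 2048            # audit threshold (our choice): only dh-group14 passes
IDLE_TIME_RANGE = (60, 3600)  # valid range of ipsec session idle-time, per the page
IDLE_TIME_DEFAULT = 300       # applies when the command is absent, per the page

# Constructed sample configuration dump. The "ipsec policy ... isakmp" and
# "ipsec policy-template ..." lines are assumed view-entry syntax (not on the page);
# the "pfs" and "ipsec session idle-time" lines follow the syntax documented above.
SAMPLE_CONFIG = """\
#
 ipsec session idle-time 600
#
ipsec policy map1 10 isakmp
 pfs dh-group14
#
ipsec policy map1 20 isakmp
 pfs dh-group2
#
ipsec policy-template tpl1 1
#
"""


def parse_config(text: str) -> Tuple[Optional[int], Dict[str, Optional[str]]]:
    """Return (idle_time or None, {"<name>:<seq>": pfs group or None}).

    None as the group means no pfs line was seen in that policy view, i.e. the
    page's default (PFS not used for negotiation) is in effect."""
    idle_time: Optional[int] = None
    policies: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":      # '#' lines separate sections in the dump
            continue
        m = re.fullmatch(r"ipsec session idle-time (\d+)", line)
        if m:
            idle_time = int(m.group(1))
            current = None               # system-view command, not inside a policy
            continue
        m = re.match(r"ipsec policy(?:-template)? (\S+) (\d+)", line)
        if m:                            # enter IPSec policy / policy template view
            current = f"{m.group(1)}:{m.group(2)}"
            policies[current] = None
            continue
        m = re.fullmatch(r"pfs (dh-group\d+)", line)
        if m and current is not None:
            policies[current] = m.group(1)
    return idle_time, policies


def classify_pfs(group: Optional[str]) -> str:
    """MISSING: PFS not enabled; WEAK: below MIN_DH_BITS; UNKNOWN: group not on the page; PASS otherwise."""
    if group is None:
        return "MISSING"
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        return "UNKNOWN"
    return "WEAK" if bits < MIN_DH_BITS else "PASS"


def classify_idle_time(idle_time: Optional[int]) -> str:
    """Report the effective idle timeout and whether it is inside the documented range."""
    if idle_time is None:
        return f"DEFAULT ({IDLE_TIME_DEFAULT} s)"
    lo, hi = IDLE_TIME_RANGE
    return "PASS" if lo <= idle_time <= hi else f"OUT_OF_RANGE ({lo}-{hi})"


def audit(text: str) -> Dict[str, object]:
    """Combine both checks into one report keyed by setting."""
    idle_time, policies = parse_config(text)
    return {
        "idle_time": classify_idle_time(idle_time),
        "policies": {pid: classify_pfs(g) for pid, g in policies.items()},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

Run against a display current-configuration dump saved to a file, the report lists every policy or template as PASS, WEAK (dh-group1, dh-group2 or dh-group5) or MISSING (no pfs line, so no extra phase 2 key exchange), alongside the effective idle timeout; a policy template with no pfs line is reported the same way as a policy, since the default applies in both views.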