Operation Manual - VPN
H3C SecPath F1800-A Firewall
VIII. Configuring IKE Peer for IPSec Policy (in IKE Negotiation Mode Only)
Compared with the manual mode, IKE can negotiate parameters such as peers, SPI
and shared key automatically. Therefore, you just need to associate IPSec policies
with IKE peer.
Do as follows in IPSec policy view.
Table 3-13 Configuring IKE peer for IPSec policy
Action                                     Command
Configure IKE peer for IPSec policy.       ike-peer peer-name
Delete IKE peer from IPSec policy.         undo ike-peer peer-name
Note:
This chapter only introduces how to apply an IKE peer to IPSec. In practice, you should
set some IKE parameters in IKE peer view, such as the negotiation mode of IKE, ID type,
NAT traversal, shared key, peer address and peer name.
For more information, refer to the next chapter.
IX. Configuring PFS Used in Negotiation (in IKE Negotiation Mode Only)
Perfect Forward Secrecy (PFS) is a security feature which ensures that the compromise of
one shared key does not affect the security of other keys, since there are no derivative
relations among these shared keys. It is realized by adding a key exchange in phase 2 of
IKE negotiation.
Do as follows in IPSec policy view.
Table 3-14 Configuring PFS used in negotiation
Action                                     Command
Configure PFS used in negotiation.         pfs { dh-group1 | dh-group2 }
Disable the use of PFS in negotiation.     undo pfs
This command enables the PFS exchange when IPSec uses this IPSec policy to
initiate a negotiation. If the local end uses PFS, the peer must also adopt PFS when
initiating negotiation. The DH group specified on the local end must be consistent
with that on the peer; otherwise, the negotiation will fail.
The 1024-bit DH group (group2) provides higher security than the 768-bit DH group
(group1), but its calculation takes longer.
Chapter 3 IPSec Configuration
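As an added configuration example (not from the manual), the following applies the two IPSec-policy-view commands of Tables 3-13 and 3-14 on both ends of a tunnel so that the PFS DH groups match, which is the condition the text gives for phase 2 to succeed. The commands that create the IKE peer and the IPSec policy (ike peer, pre-shared-key, remote-address, ipsec policy ... isakmp) are assumed from the IKE chapter, the names and addresses are constructed, and lines beginning with # are annotations rather than commands.

```text
# --- Firewall A (local end), constructed example ---
# IKE peer parameters belong to IKE peer view (next chapter); assumed commands.
ike peer peerB
 pre-shared-key ExampleSharedSecret
 remote-address 192.0.2.2
 quit
# Associate the policy with the IKE peer (Table 3-13) and require PFS (Table 3-14).
ipsec policy policyA 10 isakmp
 ike-peer peerB
 pfs dh-group2
 quit

# --- Firewall B (peer), constructed example ---
ike peer peerA
 pre-shared-key ExampleSharedSecret
 remote-address 192.0.2.1
 quit
ipsec policy policyB 10 isakmp
 ike-peer peerA
 pfs dh-group2
 quit
# pfs dh-group2 on B matches A. Configuring dh-group1 here, or omitting pfs
# while A keeps it, makes the negotiation fail as described above.
# To stop requiring PFS, use "undo pfs" on both ends.
```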