H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 879


Item: Description

IPsec Proposal
Select up to six IPsec proposals for the IPsec policy template.
IPsec SAs can be set up only when the IPsec peers have at least one matching IPsec proposal. If no matching IPsec proposal is available, the IPsec SAs cannot be established, and the packets that need to be protected are discarded.

PFS
Enable and configure the PFS feature, or disable the feature. Options include:
dh-group1—Uses the 768-bit Diffie-Hellman group.
dh-group2—Uses the 1024-bit Diffie-Hellman group.
dh-group5—Uses the 1536-bit Diffie-Hellman group.
dh-group14—Uses the 2048-bit Diffie-Hellman group.
IMPORTANT:
dh-group14, dh-group5, dh-group2, and dh-group1 are in descending order of security and calculation time.
When IPsec uses an IPsec policy configured with PFS to initiate negotiation, an additional key exchange is performed in phase 2 for higher security.
Two peers must use the same Diffie-Hellman group. Otherwise, negotiation will fail.

ACL
Select an ACL for identifying protected traffic.
The specified ACL must already exist and contain at least one rule.
ACL configuration supports VPN multi-instance. You can use an ACL to identify traffic between VPN instances.

SA Lifetime: Time Based / Traffic Based
Enter the time-based and traffic-based SA lifetime values.
IMPORTANT:
When negotiating IPsec SAs, IKE uses the smaller one between the lifetime set locally and the lifetime proposed by the peer.

Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the peer private network. You do not have to manually configure the static route.
IMPORTANT:
If you enable IPsec RRI and do not configure the static route, the SA negotiation must be initiated by the remote gateway.
IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes when the IPsec SAs are deleted.
To view the static routes created by IPsec RRI, select Network > IPv4 Routing from the navigation tree.

Next Hop
Specify a next hop for the static routes. If you do not specify any next hop, the remote tunnel endpoint's address learned during IPsec SA negotiation is used.

Priority
Change the preference of the static routes, for example for equal-cost multipath routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes.
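The rules in this table (at least one matching proposal, identical PFS group on both peers, the smaller of the two lifetimes, and an RRI route whose next hop defaults to the remote tunnel endpoint) can be checked ahead of deployment. The following Python model is an added example, not H3C code or the device's own negotiation logic; proposal names, the peer offer dictionary and the addresses are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Diffie-Hellman groups named in the PFS row, with modulus size in bits.
# Larger modulus means higher security and longer calculation time.
DH_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}


@dataclass
class PolicyTemplate:
    proposals: list                 # names of up to six IPsec proposals (constructed labels)
    pfs: Optional[str]              # DH group name, or None when PFS is disabled
    acl_rules: int                  # number of rules in the ACL that identifies protected traffic
    time_lifetime: int              # time-based SA lifetime, seconds
    traffic_lifetime: int           # traffic-based SA lifetime, kilobytes
    rri: bool = False               # IPsec reverse route injection enabled
    rri_next_hop: Optional[str] = None
    rri_preference: Optional[int] = None   # None keeps the default static-route preference


def validate(tpl: PolicyTemplate) -> list:
    """Static checks mirroring the constraints stated in the table."""
    errors = []
    if not 1 <= len(tpl.proposals) <= 6:
        errors.append("select between one and six IPsec proposals")
    if tpl.acl_rules < 1:
        errors.append("ACL must exist and contain at least one rule")
    if tpl.pfs is not None and tpl.pfs not in DH_GROUP_BITS:
        errors.append(f"unknown PFS group {tpl.pfs}")
    return errors


def negotiate(local: PolicyTemplate, peer: dict) -> dict:
    """Simulate the phase-2 outcome against a peer offer (a constructed dict)."""
    common = [p for p in local.proposals if p in peer["proposals"]]
    if not common:
        return {"ok": False, "reason": "no matching IPsec proposal; protected packets discarded"}
    if local.pfs != peer["pfs"]:
        return {"ok": False, "reason": "PFS Diffie-Hellman group mismatch"}
    sa = {"ok": True, "proposal": common[0], "pfs": local.pfs, "route": None,
          # IKE keeps the smaller of the locally set and peer-proposed lifetimes.
          "time_lifetime": min(local.time_lifetime, peer["time_lifetime"]),
          "traffic_lifetime": min(local.traffic_lifetime, peer["traffic_lifetime"])}
    if local.rri:
        # RRI installs a static route to the peer private network; the next hop
        # defaults to the remote tunnel endpoint learned during SA negotiation.
        sa["route"] = {"destination": peer["private_network"],
                       "next_hop": local.rri_next_hop or peer["tunnel_endpoint"],
                       "preference": local.rri_preference}
    return sa
```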
