H3C Technologies H3C SecPath F1000-E User Manual

Page 192


Step 6. Specify an IKE peer for the IPsec policy.
  Command: ike-peer peer-name
  Remark: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.

Step 7. Enable and configure the perfect forward secrecy feature for the IPsec policy.
  Command: pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
  Remark: Optional. By default, the PFS feature is not used for negotiation. In FIPS mode, the firewall does not support the dh-group1 keyword. For more information about PFS, see "Configuring IKE."

Step 8. Set the SA lifetime.
  Command: sa duration { time-based seconds | traffic-based kilobytes }
  Remark: Optional. By default, the global SA lifetime is used.

Step 9. Set the anti-replay information synchronization intervals in IPsec stateful failover mode.
  Command: synchronization anti-replay-interval inbound inbound-number outbound outbound-number
  Remark: Optional. By default, the inbound anti-replay window information is synchronized whenever 1000 packets are received, and the outbound anti-replay sequence number is synchronized whenever 100000 packets are sent.

Step 10. Enable the IPsec policy.
  Command: policy enable
  Remark: Optional. Enabled by default.

Step 11. Return to system view.
  Command: quit
  Remark: N/A

Step 12. Set the global SA lifetime.
  Command: ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
  Remark: Optional. 3600 seconds for time-based SA lifetime by default. 1843200 kilobytes for traffic-based SA lifetime by default.

To configure an IPsec policy that uses IKE by referencing an IPsec policy template:

Step 1. Enter system view.
  Command: system-view
  Remark: N/A

Step 2. Create an IPsec policy template and enter its view.
  Command: ipsec policy-template template-name seq-number
  Remark: By default, no IPsec policy template exists.

Step 3. Specify the ACL for the IPsec policy to reference.
  Command: security acl acl-number
  Remark: Optional. By default, an IPsec policy references no ACL.

Step 4. Specify the IPsec proposals for the IPsec policy to reference.
  Command: proposal proposal-name&<1-6>
  Remark: By default, an IPsec policy references no IPsec proposal.

Step 5. Specify the IKE peer for the IPsec policy to reference.
  Command: ike-peer peer-name
  Remark: An IPsec policy cannot reference any IKE peer that is already referenced by an IPsec profile, and vice versa.
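The following constructed configuration is an added example, not text from the manual: it applies steps 6 through 12 above to one IKE-based IPsec policy and then builds an IPsec policy template with steps 1 through 5. The names policy1, tmpl1, prop1, peer1 and peer2 and the ACL numbers are placeholders, and the ipsec policy ... isakmp command that creates the policy is assumed from the Comware CLI because the page that introduces it is not part of this excerpt.

```text
# Constructed example; names and numbers are placeholders.
system-view

# Step 12: global SA lifetime, used by every policy that sets no lifetime
# of its own (defaults: 3600 seconds, 1843200 kilobytes).
ipsec sa global-duration time-based 1800
ipsec sa global-duration traffic-based 921600

# IKE-based IPsec policy. The creation command below is assumed from the
# Comware CLI; it is not shown in this excerpt.
ipsec policy policy1 10 isakmp
 security acl 3000
 proposal prop1
 # Step 6: peer1 must not already be referenced by an IPsec profile.
 ike-peer peer1
 # Step 7: PFS is off by default; dh-group14 is also accepted in FIPS mode,
 # where dh-group1 is not supported.
 pfs dh-group14
 # Step 8: a per-policy lifetime overrides the global value set above.
 sa duration time-based 1200
 # Step 9: in stateful failover mode, sync the inbound anti-replay window
 # every 500 received packets and the outbound sequence number every
 # 50000 sent packets (defaults are 1000 and 100000).
 synchronization anti-replay-interval inbound 500 outbound 50000
 # Step 10: enabled by default; stated explicitly here.
 policy enable
 # Step 11: back to system view.
 quit

# IPsec policy template (steps 1 to 5 of the second procedure).
ipsec policy-template tmpl1 10
 security acl 3001
 proposal prop1
 ike-peer peer2
 quit
```

The per-policy sa duration and synchronization values are deliberately shorter than the defaults to show that they override the global settings; the remarks above give the defaults that apply when they are omitted.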
