H3C Technologies H3C Intelligent Management Center User Manual


authentication services for IKE peers. The main mode is applied in scenarios that require high security levels, while the aggressive mode is used in scenarios that value fast negotiation speed.

ID type
ID type used by IKE negotiation in phase 1, IP or Name. The ID type can only be IP when the Main negotiation mode is used, and can be IP or Name when the Aggressive negotiation mode is used.

NAT traversal
If IPsec traffic passes through a NAT device, you must configure the NAT traversal function. If no packet travels across an IPsec tunnel in a period of time, the NAT sessions are aged and deleted, disabling the tunnel from transmitting data to the intended end. To prevent NAT sessions from being aged, configure the NAT keepalive function on the IKE gateway behind the NAT device to send NAT keepalive packets to its peer periodically to keep the NAT session alive.

PFS (Perfect Forward Secrecy)
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is enabled, an additional DH exchange is performed in IKE phase 2 to make sure IPsec keys have no derivative relationship with IKE keys, so that a compromised key poses no threat to other keys.

IPsec SA lifetime
An IKE-created SA has a limited lifetime, which can be time-based or traffic-based. If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after creation.

DPD (Dead Peer Detection)
DPD enables an IKE entity to check the liveliness of its peer. To use this feature, you must set the DPD name, the DPD interval, and the DPD packet retransmission interval.
DPD works as follows:
a. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
b. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
c. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
d. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.
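The DPD procedure in steps a through d, traced as a small simulation. This is an added example, not code from the H3C manual or the IMC product; the interval values, the event names and the two scenarios are constructed for illustration, and the retry count uses the default of two given above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class DpdPeer:
    dpd_interval: float            # silence (s) after which a DPD hello is sent
    retransmit_interval: float     # wait (s) for an ACK before resending the hello
    max_retries: int = 2           # default retransmission count given on the page
    last_rx: float = 0.0           # time the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None
    retries: int = 0
    peer_dead: bool = False

    def on_receive(self, now: float) -> None:
        # Any packet from the peer (IPsec data or a DPD ACK) proves liveness.
        self.last_rx, self.hello_sent_at, self.retries = now, None, 0

    def on_send_ipsec(self, now: float) -> Optional[str]:
        """Steps a and b: on outbound traffic, compare peer silence with the DPD interval."""
        if self.peer_dead or self.hello_sent_at is not None or now - self.last_rx <= self.dpd_interval:
            return None
        self.hello_sent_at = now
        return "dpd-hello"

    def on_timer(self, now: float) -> Optional[str]:
        """Steps c and d: retransmit the hello, then tear down the SAs after max retries."""
        if self.peer_dead or self.hello_sent_at is None:
            return None
        if now - self.hello_sent_at < self.retransmit_interval:
            return None
        if self.retries < self.max_retries:
            self.retries += 1
            self.hello_sent_at = now
            return "dpd-hello-retransmit"
        self.peer_dead = True
        return "clear-ike-sa-and-ipsec-sas"

def silent_peer_events() -> List[str]:
    """Constructed scenario: peer stops answering; hello, two retransmits, then teardown."""
    p = DpdPeer(dpd_interval=10, retransmit_interval=5)   # last_rx defaults to t=0
    events = [p.on_send_ipsec(12)]           # 12 s of silence exceeds the 10 s interval
    events += [p.on_timer(t) for t in (17, 22, 27)]
    return [e for e in events if e]

def live_peer_events() -> List[str]:
    """Constructed scenario: peer answers the hello, so nothing is retransmitted."""
    p = DpdPeer(dpd_interval=10, retransmit_interval=5)   # last_rx defaults to t=0
    events = [p.on_send_ipsec(12)]
    p.on_receive(14)                         # DPD ACK arrives before the retransmit timer
    events += [p.on_timer(17), p.on_send_ipsec(20)]
    return [e for e in events if e]
```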

IPsec proposal
An IPsec proposal defines the security parameters for IPsec SA negotiation, including the security
protocol, the encryption and authentication algorithms, and the IP packet encapsulation mode.

IKE proposal
An IKE proposal defines a set of security parameters used by IKE peers for ISAKMP SA negotiation, including the authentication algorithm, the encryption algorithm, DH group, and ISAKMP SA lifetime.
You can configure multiple IKE proposals for IKE peers. Two peers must have at least one matching IKE proposal for successful IKE negotiation.
The initiator sends its IKE proposals to the peer end, which searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found.
