Modifying IPsec proposals, Configuring an IPsec proposal – H3C Technologies H3C Intelligent Management Center User Manual


○ ID Type—Select the identity type used by the IKE peers. Options are IP and Name. The ID type must be Name when NAT traversal is enabled, and must be IP when IKE uses the Main negotiation mode for key negotiation in phase 1.

○ Encapsulation Mode—Select an encapsulation mode for IPsec packets. Options are Tunnel and Transport. The Tunnel encapsulation mode must be used when NAT traversal is enabled.

Table 13 shows the compatibility matrix of the IKE Negotiation Mode, NAT Traversal, ID Type, and Encapsulation Mode parameters.

Table 13 Parameter compatibility matrix

| IKE Negotiation Mode | NAT Traversal | ID Type | Encapsulation mode of IPsec packets |
|----------------------|---------------|---------|-------------------------------------|
| Main mode            | No            | IP      | Tunnel mode/Transport mode          |
| Aggressive mode      | Yes           | Name    | Tunnel mode                         |
| Aggressive mode      | No            | IP/Name |                                     |

○ Use Policy Template—Select whether or not to use a policy template: Yes or No. If you select Yes, the hub devices cannot initiate IKE negotiation and only respond to negotiation requests from peers. The IPsec policy template feature applies to scenarios where the IP addresses of spoke devices are unknown.

○ PFS—Select the DH group identifier used by PFS. Options are DH Group 1, DH Group 2, DH Group 5, DH Group 14, and Disable.

○ Set IPsec SA Lifetime—Select Yes and set the time-based and traffic-based lifetime for IPsec SAs. An IPsec SA expires when either of the lifetime timers expires.

    Time (s)—Specify how long an IPsec SA can exist, in seconds.

    Traffic (KB)—Specify the maximum traffic, in KBs, that an IPsec SA can process before it expires.

○ Keepalive (sec)—Modify the GRE keepalive interval.

○ Transmission Attempts—Enter the maximum number of keepalive attempts.

○ Packet Checksum—Select this option to enable GRE packet checksum.

○ Tunnel Interface Key—Modify the GRE tunnel interface key. IVM automatically applies the new key to the tunnel ends.

7. Click OK.
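
The ID Type and Encapsulation Mode rules and Table 13 above can be checked against a planned parameter set before the values are entered. The Python below is an added example, not part of the H3C manual or of IMC; `DomainSettings`, its field names and `check` are hypothetical, and no encapsulation rule is applied to Aggressive mode without NAT traversal because the page states none.

```python
# Added example (not H3C code): validate planned settings against the rules
# stated for ID Type, Encapsulation Mode, PFS and Table 13.
from dataclasses import dataclass

PFS_OPTIONS = {"DH Group 1", "DH Group 2", "DH Group 5", "DH Group 14", "Disable"}


@dataclass
class DomainSettings:      # hypothetical container; field names are assumptions
    ike_mode: str          # "Main" or "Aggressive"
    nat_traversal: bool
    id_type: str           # "IP" or "Name"
    encapsulation: str     # "Tunnel" or "Transport"
    pfs: str = "Disable"


def check(s):
    """Return the violated rules; an empty list means the combination is allowed."""
    errors = []
    if s.ike_mode not in ("Main", "Aggressive"):
        errors.append("unknown IKE negotiation mode: %r" % s.ike_mode)
    if s.id_type not in ("IP", "Name"):
        errors.append("unknown ID Type: %r" % s.id_type)
    if s.encapsulation not in ("Tunnel", "Transport"):
        errors.append("unknown Encapsulation Mode: %r" % s.encapsulation)
    if s.pfs not in PFS_OPTIONS:
        errors.append("PFS option not offered: %r" % s.pfs)
    # Table 13 lists Main mode only with NAT Traversal = No; the two ID Type
    # rules below cannot both hold for Main mode with NAT traversal.
    if s.ike_mode == "Main" and s.nat_traversal:
        errors.append("Main mode is only listed with NAT traversal disabled")
    if s.nat_traversal and s.id_type != "Name":
        errors.append("ID Type must be Name when NAT traversal is enabled")
    if s.ike_mode == "Main" and s.id_type != "IP":
        errors.append("ID Type must be IP in Main mode")
    if s.nat_traversal and s.encapsulation != "Tunnel":
        errors.append("Encapsulation Mode must be Tunnel when NAT traversal is enabled")
    return errors


if __name__ == "__main__":
    # Constructed sample plans, not taken from a real deployment.
    plans = [
        DomainSettings("Main", False, "IP", "Transport", "DH Group 14"),
        DomainSettings("Aggressive", True, "Name", "Tunnel"),
        DomainSettings("Aggressive", True, "IP", "Transport"),
    ]
    for p in plans:
        print(p, "->", check(p) or "OK")
```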

Modifying IPsec proposals

You can modify the IPsec proposals of a GRE over IPsec VPN domain only when the Configure IPsec IKE and GRE option is selected on the Basic Settings tab.

To modify the IPsec proposals for the GRE over IPsec VPN domain:

1. Click the Security Proposals tab.
   The IPsec Proposal list displays all the IPsec proposals.

2. You can configure an IPsec proposal, modify an existing IPsec proposal, and delete IPsec proposals for the domain.

Configuring an IPsec proposal

1. Click Add in the IPsec Proposal area.