H3C Technologies H3C Intelligent Management Center User Manual


○ ID Type—Select the ID type for ISAKMP SA phase 1 negotiation. Options are IP and Name. When the negotiation mode is Main, the ID type can only be IP.

○ NAT Traversal—Enable or disable the NAT traversal function. The NAT traversal function can be enabled only when the negotiation mode is Aggressive.

○ PFS—Select the DH group used by the PFS feature. Options are DH Group 1, DH Group 2, DH Group 5, DH Group 14, and Disable.

○ Set IPsec SA Lifetime—Select whether to specify IPsec SA lifetime, YES or NO. If you select YES, specify the time-based lifetime and traffic-based lifetime for IPsec SAs.

    • Time (s)—Specify how long the IPsec SA can be valid after it is created, in seconds.

    • Traffic (s)—Specify the maximum amount of traffic the IPsec SA can process.

○ DPD Config—Select whether to enable the DPD function, YES or NO. If you select YES, configure the following parameters that appear:

    • DPD Name—Enter the DPD name.

    • DPD Interval (s)—Specify the DPD triggering interval, in seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

    • DPD Timeout (s)—Specify the DPD message retransmission interval. If the local end receives no DPD acknowledgement within the specified interval, it retransmits the DPD hello. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

5. To add an IPsec proposal:

a. Click Add in the IPsec Proposal area.
   The Add IPsec Proposal dialog box appears.

b. Configure the following parameters for the IPsec proposal:

    • Proposal Name—Enter the IPsec proposal name.

    • Encapsulation—Select the packet encapsulation mode, Tunnel or Transport.

    • Security Protocol—Select a security protocol. Options are AH, ESP, and AH+ESP.

    • Specify the authentication and encryption algorithms based on the selected security protocols. Table 5 shows the available authentication and encryption algorithms for different security protocols.

c. Click OK.

Table 5 Authentication/encryption algorithms for different security protocols

Security protocol   AH authentication algorithm   ESP authentication algorithm   ESP encryption algorithm
AH                  MD5, SHA1                     N/A                            N/A
ESP                 N/A                           MD5, SHA1, None                None, DES, 3DES, AES(128), AES(192), AES(256)
AH+ESP              MD5, SHA1                     MD5, SHA1, None                None, DES, 3DES, AES(128), AES(192), AES(256)

6. To modify an IPsec proposal, click the Modify icon for the proposal and modify all the parameters except for the proposal name.
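
The constraints stated above (Main mode allows only the IP ID type, NAT traversal requires Aggressive mode) and the combinations in Table 5 can be checked mechanically before a policy is deployed. The following Python check is an added example, not part of the H3C manual or of IMC; the dictionary key names and the list of settings flagged as weak (MD5, DES, no ESP encryption or authentication, DH Group 1, PFS disabled) are assumptions of this example, not statements from the manual.

```python
# Added example: lint an IPsec policy against the rules on this page.
AH_AUTH = {"MD5", "SHA1"}
ESP_AUTH = {"MD5", "SHA1", "None"}
ESP_ENC = {"None", "DES", "3DES", "AES(128)", "AES(192)", "AES(256)"}
# Allowed algorithms per security protocol, transcribed from Table 5.
# A field missing from an entry is N/A for that protocol.
TABLE5 = {
    "AH": {"ah_auth": AH_AUTH},
    "ESP": {"esp_auth": ESP_AUTH, "esp_enc": ESP_ENC},
    "AH+ESP": {"ah_auth": AH_AUTH, "esp_auth": ESP_AUTH, "esp_enc": ESP_ENC},
}
# Assumption (not from the manual): options commonly treated as weak.
WEAK = {"ah_auth": {"MD5"}, "esp_auth": {"MD5", "None"},
        "esp_enc": {"None", "DES"}, "pfs": {"Disable", "DH Group 1"}}

def lint_policy(p):
    """Return (errors, warnings) for a policy dict (key names are hypothetical)."""
    errors, warnings = [], []
    # Constraints stated in the parameter descriptions.
    if p["mode"] == "Main" and p["id_type"] != "IP":
        errors.append("Main mode allows only ID type IP")
    if p["nat_traversal"] and p["mode"] != "Aggressive":
        errors.append("NAT traversal requires Aggressive mode")
    # Algorithm choices must match the Table 5 row for the protocol.
    allowed = TABLE5.get(p["protocol"])
    if allowed is None:
        errors.append(f"unknown security protocol {p['protocol']!r}")
        allowed = {}
    for field in ("ah_auth", "esp_auth", "esp_enc"):
        value = p.get(field)
        if field not in allowed:
            if value is not None:
                errors.append(f"{field} is N/A for {p['protocol']}")
        elif value not in allowed[field]:
            errors.append(f"{field}={value!r} not offered for {p['protocol']}")
    # Valid but weak selections are reported separately from hard errors.
    for field, weak in WEAK.items():
        if p.get(field) in weak:
            warnings.append(f"{field}={p[field]}")
    return errors, warnings

# Constructed sample policy, not taken from a real device.
SAMPLE = {"mode": "Main", "id_type": "Name", "nat_traversal": True,
          "pfs": "DH Group 1", "protocol": "ESP",
          "ah_auth": "SHA1", "esp_auth": "MD5", "esp_enc": "DES"}

if __name__ == "__main__":
    errs, warns = lint_policy(SAMPLE)
    print("errors:", errs)
    print("weak settings:", warns)
```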
