R21xx-HP FlexFabric 11900 Security Command Reference
218
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE
negotiation responder.
Examples
# Configure the local address 1.1.1.1 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1
Related commands
remote-address
pfs
Use pfs to enable the perfect forward secrecy (PFS) feature for an IPsec transform set. The PFS setting
is used during IKE negotiation.
Use undo pfs to restore the default.
Syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
Default
The PFS feature is disabled for the IPsec transform set.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
dh-group1: Uses the 768-bit Diffie-Hellman group.
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
dh-group24: Uses the 2048-bit Diffie-Hellman group with a 256-bit subgroup.
Usage guidelines
In descending order of security strength, and of the computation time each requires, the groups are:
the 2048-bit Diffie-Hellman group with a 256-bit subgroup (dh-group24), the 2048-bit Diffie-Hellman group
(dh-group14), the 1536-bit Diffie-Hellman group (dh-group5), the 1024-bit Diffie-Hellman group (dh-group2),
and the 768-bit Diffie-Hellman group (dh-group1).
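As an added example, not taken from the manual or the device software: a small Python audit that scans the IPsec transform-set sections of a saved configuration, reports the default (PFS disabled) where no pfs line is present, flags groups weaker than a chosen minimum using the order given above, and flags groups the FIPS-mode syntax does not accept. It assumes the layout of a Comware configuration file (a section starting with `ipsec transform-set NAME` and ending at a lone `#`) and runs over a constructed sample configuration.

```python
import re

# Strength ranking of the PFS Diffie-Hellman groups, strongest first, following
# the order the usage guidelines give (dh-group24 > 14 > 5 > 2 > 1).
PFS_GROUP_RANK = {"dh-group24": 5, "dh-group14": 4, "dh-group5": 3,
                  "dh-group2": 2, "dh-group1": 1}
FIPS_ALLOWED = {"dh-group14"}  # the only group the pfs command accepts in FIPS mode

def audit_transform_sets(config_text, min_group="dh-group14", fips_mode=False):
    """Map each IPsec transform-set name to a finding. Assumes Comware layout: a
    section starts with 'ipsec transform-set NAME' and ends at a lone '#'."""
    findings = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ipsec transform-set (\S+)$", line)
        if m:
            current = m.group(1)
            findings[current] = "pfs disabled (default)"  # until a pfs line appears
            continue
        if line == "#":  # end of the current section
            current = None
            continue
        m = re.match(r"pfs (dh-group\d+)$", line)
        if m and current:
            group = m.group(1)
            if group not in PFS_GROUP_RANK:
                findings[current] = f"unknown group {group}"
            elif fips_mode and group not in FIPS_ALLOWED:
                findings[current] = f"{group} not allowed in FIPS mode"
            elif PFS_GROUP_RANK[group] < PFS_GROUP_RANK[min_group]:
                findings[current] = f"weak group {group}"
            else:
                findings[current] = "ok"
    return findings

# Constructed sample configuration (not from the manual).
SAMPLE_CONFIG = """\
ipsec transform-set tran-legacy
 pfs dh-group2
#
ipsec transform-set tran-strong
 pfs dh-group14
#
ipsec transform-set tran-nopfs
 esp encryption-algorithm aes-cbc-256
#
"""
```

Running `audit_transform_sets(SAMPLE_CONFIG)` reports the legacy set as weak, the strong set as ok, and the third set as still at the default with PFS disabled.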