552
Predefined user roles
network-admin
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.
dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
Usage guidelines
In terms of security and necessary calculation time, the following groups are in descending order:
384-bit ECP Diffie-Hellman group (dh-group20), 256-bit ECP Diffie-Hellman group (dh-group19),
2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group
(dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group
(dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
In IKEv1, the security level of the Diffie-Hellman group of the initiator must be higher than or equal to
that of the responder. This restriction does not apply to IKEv2.
The end without the PFS feature performs IKE negotiation according to the PFS requirements of the
peer end.
Examples
# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14
protocol
Use protocol to specify a security protocol for an IPsec transform set.
Use undo protocol to restore the default.
Syntax
protocol { ah | ah-esp | esp }
undo protocol
Default
The IPsec transform set uses the ESP protocol.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
ah: Specifies the AH protocol.
ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
To Next Page
Loading...
Need help?
General
