HP 5120 SI Series

395 pages
View
System view
Default level
2: System level
Parameters
seconds: IPsec session idle timeout, in seconds, in the range of 60 to 3,600.
Description
Use the ipsec session idle-time command to set the idle timeout for IPsec sessions.
Use the undo ipsec session idle-time command to restore the default.
By default, the IPsec session idle timeout is 300 seconds.
Examples
# Set the IPsec session idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec session idle-time 600
pfs
Syntax
pfs { dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPsec policy view
Default level
2: System level
Parameters
dh-group2: Uses the 1024-bit Diffie-Hellman group.
dh-group5: Uses the 1536-bit Diffie-Hellman group.
dh-group14: Uses the 2048-bit Diffie-Hellman group.
Description
Use the pfs command to enable and configure the perfect forward secrecy (PFS) feature so that the system uses it when employing the IPsec policy to initiate a negotiation.
Use the undo pfs command to remove the configuration.
By default, the PFS feature is not used for negotiation.
In terms of both security and required computation time, the groups rank in descending order as follows: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), and 1024-bit Diffie-Hellman group (dh-group2).
This command allows IPsec to perform an additional key exchange during phase 2 of the negotiation, providing an additional level of security.
The local Diffie-Hellman group must be the same as that of the peer.
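An added example, not part of the HP manual: a Python check that reads the saved configurations of two peers and reports IPsec policies that leave pfs at its default (not used), use a group below a chosen size, or do not match the peer. The block header format `ipsec policy <name> <seq> ...`, the indented sub-commands, identical policy names on both peers, the 2048-bit baseline and the sample configurations are all assumptions.

```python
import re

# Key sizes in bits, taken from the pfs parameter list above.
PFS_BITS = {"dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}

def parse_policies(config):
    """Map 'name seq' of each IPsec policy block to its pfs group (or None)."""
    policies, current = {}, None
    for line in config.splitlines():
        if line.startswith("ipsec policy "):      # assumed block header
            current = " ".join(line.split()[2:4])
            policies[current] = None              # default: PFS not used
        elif current and line[:1].isspace():      # indented sub-command
            m = re.fullmatch(r"pfs (dh-group\d+)", line.strip())
            if m:
                policies[current] = m.group(1)
        else:
            current = None                        # block ended
    return policies

def audit(local_cfg, peer_cfg, min_bits=2048):
    """Return (policy, finding) pairs; min_bits is an assumed local baseline."""
    local, peer = parse_policies(local_cfg), parse_policies(peer_cfg)
    findings = []
    for name, group in sorted(local.items()):
        if group is None:
            findings.append((name, "pfs not configured"))
        elif PFS_BITS.get(group, 0) < min_bits:
            findings.append((name, f"{group} below {min_bits} bits"))
        if name in peer and peer[name] != group:
            findings.append((name, f"mismatch: local={group} peer={peer[name]}"))
    return findings

# Constructed sample configurations (not from a real device).
LOCAL = """#
ipsec policy map1 10 isakmp
 pfs dh-group2
#
ipsec policy map1 20 isakmp
 security acl 3001
#
ipsec policy map2 10 isakmp
 pfs dh-group14
#
"""
PEER = LOCAL.replace("dh-group2", "dh-group14")

if __name__ == "__main__":
    for name, finding in audit(LOCAL, PEER):
        print(f"{name}: {finding}")
```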
