3Com MSR 50 Network Router User Manual


2140 CHAPTER 140: IPSEC CONFIGURATION COMMANDS
undo ipsec session idle-time
View System view
Parameter Seconds: IPSec session idle timeout in seconds, in the range of 60 to 3,600.
Description Use the ipsec session idle-time command to set the idle timeout for IPSec sessions.
Use the undo ipsec session idle-time command to restore the default.
By default, the IPSec session idle timeout is 300 seconds.
Example # Set the IPSec session idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec session idle-time 600
pfs
Syntax pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View IPSec policy view/IPSec policy template view
Parameter dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
Description Use the pfs command to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPSec policy to initiate a negotiation.
Use the undo pfs command to remove the configuration.
By default, the PFS feature is not used for negotiation.
Note that:
In descending order of both security and required calculation time, the four groups are: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2) and 768-bit Diffie-Hellman group (dh-group1).
This command allows IPSec to perform an additional key exchange during phase 2 negotiation, providing an additional level of security.
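
Because PFS is off by default and the weaker groups remain selectable, a saved configuration can be checked for policy views that lack a pfs line or use a small group. The following Python check is an added example, not part of the 3Com manual; the view-entry line format, the 2048-bit default minimum and the sample configuration are assumptions of the example.

```python
import re

# Modulus sizes from the manual's pfs parameter list.
PFS_GROUP_BITS = {"dh-group1": 768, "dh-group2": 1024,
                  "dh-group5": 1536, "dh-group14": 2048}

# Assumption (not shown on this page): the policy views are entered with
# "ipsec policy NAME SEQ ..." or "ipsec policy-template NAME SEQ".
VIEW_RE = re.compile(r"^ipsec (policy|policy-template) (\S+) (\d+)")
PFS_RE = re.compile(r"^\s+pfs (\S+)\s*$")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
#
ipsec policy branch 10 isakmp
 pfs dh-group2
#
ipsec policy branch 20 isakmp
 security acl 3102
#
ipsec policy-template hub 1
 pfs dh-group14
#
"""

def audit_pfs(config_text, min_bits=2048):
    """Return (view, finding) pairs for policy views where PFS is absent (the
    documented default) or below min_bits (threshold chosen for this example)."""
    views = {}       # view name -> configured pfs group, or None
    current = None
    for line in config_text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = "%s %s %s" % m.groups()
            views[current] = None
        elif line[:1] not in (" ", "\t"):
            current = None           # any other unindented line ends the view
        elif current and PFS_RE.match(line):
            views[current] = PFS_RE.match(line).group(1)
    findings = []
    for view, group in views.items():
        bits = PFS_GROUP_BITS.get(group)
        if group is None:
            findings.append((view, "pfs not configured"))
        elif bits is None:
            findings.append((view, "unknown pfs group " + group))
        elif bits < min_bits:
            findings.append((view, "%s is only %d-bit" % (group, bits)))
    return findings
```

Calling audit_pfs(SAMPLE) reports the dh-group2 policy and the policy with no pfs line; the template using dh-group14 passes.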