3Com MSR 20-20 Reference Manual

CHAPTER 140: IPSEC CONFIGURATION COMMANDS
undo ipsec session idle-time
View
System view
Parameter
Seconds: IPSec session idle timeout in seconds, in the range of 60 to 3,600.
Description
Use the ipsec session idle-time command to set the idle timeout for IPSec 
sessions.
Use the undo ipsec session idle-time command to restore the default.
By default, the IPSec session idle timeout is 300 seconds.
Example
# Set the IPSec session idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec session idle-time 600 
pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPSec policy view/IPSec policy template view
Parameter
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
Description
Use the pfs command to enable and configure the perfect forward secrecy (PFS) 
feature so that the system uses the feature when employing the IPSec policy to 
initiate a negotiation.
Use the undo pfs command to remove the configuration.
By default, the PFS feature is not used for negotiation.
Note that:
In descending order of security and required calculation time, the four groups
are: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group
(dh-group5), 1024-bit Diffie-Hellman group (dh-group2) and 768-bit
Diffie-Hellman group (dh-group1).
This command allows IPSec to perform an additional key exchange during
phase 2 negotiation, providing an additional level of security.
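An added example, not part of the 3Com manual: a Python check that reads a saved configuration and reports IPSec policy or policy-template views where pfs is absent (the default described above) or uses a group below a chosen size. The view header syntax (ipsec policy NAME SEQ, ipsec policy-template NAME SEQ), the security acl line, the min_bits threshold and the sample configuration are assumptions, not taken from this page.

```python
import re

# Modulus sizes for each pfs keyword, as listed in the command reference above.
DH_BITS = {"dh-group1": 768, "dh-group2": 1024, "dh-group5": 1536, "dh-group14": 2048}

# Assumed view headers: "ipsec policy NAME SEQ ..." and "ipsec policy-template NAME SEQ".
VIEW_RE = re.compile(r"^ipsec (policy|policy-template) (\S+) (\d+)\b")
PFS_RE = re.compile(r"^\s+pfs (dh-group\d+)\s*$")

def audit_pfs(config_text, min_bits=2048):
    """Return (view, finding) pairs; min_bits is a local policy choice (assumption)."""
    views = []            # each entry: [view header, pfs group or None]
    current = None
    for line in config_text.splitlines():
        m = VIEW_RE.match(line)
        if m:
            current = [f"{m.group(1)} {m.group(2)} {m.group(3)}", None]
            views.append(current)
        elif line.startswith("#") or (line.strip() and not line[0].isspace()):
            current = None          # "#" separator or another top-level command ends the view
        elif current is not None:
            p = PFS_RE.match(line)
            if p:
                current[1] = p.group(1)
    findings = []
    for header, group in views:
        if group is None:
            findings.append((header, "pfs not configured (default: PFS not used)"))
        elif DH_BITS.get(group, 0) < min_bits:
            findings.append((header, f"{group} is {DH_BITS.get(group, 0)}-bit, below {min_bits}"))
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
#
ipsec policy branch 10 isakmp
 security acl 3101
 pfs dh-group2
#
ipsec policy branch 20 isakmp
#
ipsec policy-template tmpl 1
 pfs dh-group14
#
"""

if __name__ == "__main__":
    for view, finding in audit_pfs(SAMPLE):
        print(f"{view}: {finding}")
```

Both peers must agree on the group for phase 2 to succeed, so run the same check against the configuration at each end before raising a group.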