
Brocade Communications Systems NetIron MLXe Series User Manual

Brocade Communications Systems NetIron MLXe Series
305 pages
IKEv2 Option Description
• aes-cbc-256
NOTE
For the rst release, only aes-cbc-128 and aes-cbc-256 will be supported. Support for other
encryption for IKEv2 will be considered for inclusion in the next major release.
integrity {sha1} {sha256}
{sha384} {sha512}
Integrity algorithm to be used to protect IKEv2 data. Multiple algorithms may be specied. The following are
supported:
• sha1 — species SHA-1 (HMAC variant) as the hash algorithm.
• sha256 — species SHA-2 family 256-bit (HMAC variant) as the hash algorithm.
• sha384 — species SHA-2 family 384-bit (HMAC variant) as the hash algorithm.
• sha512 — species SHA-2 family 512-bit (HMAC variant) as the hash algorithm.
NOTE
For the rst release, only sha256 and sha384 will be supported. Support for other crypto for IKEv2
will be considered for inclusion in the next major release.
Conguring the IKEv2 Policy
After you create the IKEv2 proposal, the proposal must be attached to a policy to pick the proposal for negotiation.
The IKE policy states which security parameters will be used to protect IKE negotiations. An IKEv2 policy must contain at least one
proposal to be considered as complete. It can have local-address and VRF statements which are used as selection criteria to select a
policy for negotiation. During the initial exchange, the local address and the VRF of the negotiating SA are matched with the policy and
the proposal is selected.
There will be a default IKEv2 policy named ikev2-default-policy and it will have the following parameters:
• Proposal: ikev2-default-proposal
• local_address: not set, match all local addresses
• VRF: not set so will match any-vrf
If no suitable IKE policy is found, the IKE session will be established using the ikev2-default-policy.
For a given local ip-address only one policy can be chosen.
Conguration of overlapping policies is considered a misconguration. In the case of multiple, possible policy matches, the rst policy is
selected.
IKEv2 Option Description
ikev2 policy <name>
Configure IKE policy parameters, enter ikev2 policy configuration mode.

Proposal <name>
Specify at least one proposal; optionally, you can specify additional proposals. This is only for IKE SA.

match address-local <ipaddress> <mask>
(Optional) Matches the policy based on the local IPv4. If not configured, it will match all the local IPv4 addresses.

match fvrf { vrf-name <name> | any }
(Optional) The FVRF in which the local IP address on the IKEv2 packet should be matched. If not configured, it will match the any-vrf.
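
The selection rules described above (match on local address and VRF, first match wins, fall back to ikev2-default-policy, overlaps are a misconfiguration) can be audited offline. The following Python model is an added example, not code from the Brocade manual: the class and function names and the sample policies are constructed, address/mask pairs are written in CIDR form, and "first" is assumed to mean configuration order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_POLICY = "ikev2-default-policy"  # default policy name given in the manual text

@dataclass
class Policy:
    name: str
    local: Optional[str] = None  # "match address-local" as CIDR; None = all local IPv4 addresses
    fvrf: Optional[str] = None   # "match fvrf" VRF name; None = any-vrf

    def net(self):
        return ipaddress.ip_network(self.local or "0.0.0.0/0")

    def matches(self, addr: str, vrf: str) -> bool:
        return ipaddress.ip_address(addr) in self.net() and self.fvrf in (None, vrf)

def select_policy(policies, addr, vrf):
    """Return the first policy matching (local address, VRF), else the default policy."""
    for p in policies:  # assumption: list order stands in for configuration order
        if p.matches(addr, vrf):
            return p.name
    return DEFAULT_POLICY

def find_overlaps(policies):
    """Return pairs of policies that can both match the same local address and VRF."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            same_vrf = a.fvrf is None or b.fvrf is None or a.fvrf == b.fvrf
            if same_vrf and a.net().overlaps(b.net()):
                pairs.append((a.name, b.name))
    return pairs

# Constructed sample configuration (names, addresses and VRFs are illustrative).
POLICIES = [
    Policy("branch-wide", local="192.0.2.0/24", fvrf="blue"),
    Policy("hub-strict", local="192.0.2.10/32", fvrf="blue"),  # shadowed by branch-wide
    Policy("mgmt", local="198.51.100.1/32", fvrf="red"),
]

if __name__ == "__main__":
    print(select_policy(POLICIES, "192.0.2.10", "blue"))   # broader policy wins
    print(select_policy(POLICIES, "203.0.113.5", "blue"))  # no match: default policy
    print(find_overlaps(POLICIES))                         # overlapping pair to fix
```

In the sample, the narrower hub-strict policy is never selected because branch-wide matches first, so its proposals are never offered for that local address; the overlap report identifies the pair to correct.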
Router modules
Brocade NetIron MLXe Series Hardware Installation Guide
53-1004203-04 49
