DH algorithm 
The DH algorithm is a public key algorithm. With this algorithm, two peers exchange keying 
material over an untrusted network and then each use the material to calculate the same shared keys. 
Recovering the shared keys from the exchanged material requires solving the discrete logarithm 
problem, so a third party cannot obtain the keys even after intercepting all keying material. DH by 
itself does not verify who the peer is; IKE authenticates the exchange with the identity 
authentication method (pre-shared key or PKI) chosen for the negotiation. 
PFS 
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After 
PFS is enabled, an additional DH exchange is performed in IKE phase 2 so that the IPsec keys are not 
derived from the IKE phase 1 keys alone. If an IKE key is compromised, the IPsec keys negotiated 
with PFS remain protected, and the compromise of one key does not expose other keys. 
Protocols and standards 
•  RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP) 
•  RFC 2409, The Internet Key Exchange (IKE) 
•  RFC 2412, The OAKLEY Key Determination Protocol 
•  Internet Draft, draft-ietf-ipsec-isakmp-xauth-06 
•  Internet Draft, draft-dukes-ike-mode-cfg-02 
FIPS compliance 
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for 
features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and 
non-FIPS mode. 
IKE configuration prerequisites 
Determine the following parameters prior to IKE configuration: 
•  The algorithms to be used during IKE negotiation, including the identity authentication method, 
encryption algorithm, authentication algorithm, and DH group. 
   ◦  Different algorithms provide different levels of protection. A stronger algorithm provides 
more resistance to attack but uses more resources. 
   ◦  A DH group with a larger modulus (more bits) provides higher security but needs more time for 
processing. 
•  The pre-shared key or PKI domain for IKE negotiation. For more information about PKI, see 
"Configuring PKI." 
•  The IKE-based IPsec policies for the communicating peers. If you do not specify an IKE profile 
in an IPsec policy, the device selects an IKE profile for the IPsec policy. If no IKE profile is 
configured, the globally configured IKE settings are used. For more information about IPsec, 
see "Configuring an IKE-based IPsec policy." 
IKE configuration task list 
Tasks at a glance                          Remarks 
(Optional.) Configuring an IKE profile     N/A 
(Optional.) Configuring an IKE proposal    Required when you specify IKE proposals for the IKE profile. 
(Optional.) Configuring an IKE keychain    Required when pre-shared key authentication is used in IKE negotiation phase 1. 