331
Step Command Remarks
detection.
9. (Optional.) Specify the local
interface or IP address to
which the IKE profile can be
applied.
match local address
{ interface-type
interface-number | { ipv4-address |
ipv6
ipv6-address } [
vpn-instance
vpn-instance-name ] }
By default, an IKE profile can
be applied to any local
interface or IP address.
10. (Optional.) Specify an inside
VPN instance.
inside-vpn
vpn-instance
vpn-instance-name
By default, no inside VPN
instance is specified for an IKE
profile, and the device
forwards protected data to the
VPN instance where the
interface receiving the data
resides.
11. (Optional.) Specify a priority
for the IKE profile.
priority
priority
By default, the priority of an
IKE profile is 100.
Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take
place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal
is represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE
negotiation:
• The initiator sends its IKE proposals to the peer.
{ If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals
specified in the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile
has a higher priority.
{ If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE
proposals to the peer. An IKE proposal with a smaller number has a higher priority.
• The peer searches its own IKE proposals for a match. The search starts from the IKE proposal
with the highest priority and proceeds in descending order of priority until a match is found. The
matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are
found mismatching, the two peers use their default IKE proposals to establish the IKE SA.
Two matching IKE proposals have the same encryption algorithm, authentication method,
authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals'
SA lifetime settings.
To configure an IKE proposal:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Create an IKE proposal
and enter its view.
ike
proposal
proposal-number
By default, an IKE proposal
exists.
3. Configure a description for
the IKE proposal.
description
By default, an IKE proposal
does not have a description.
4. Specify an encryption
algorithm for the IKE
proposal.
• In non-FIPS mode:
encryption-algorithm
{ 3des-cbc | aes-cbc-128 |
aes-cbc-192 | aes-cbc-256 |
des-cbc }
• In FIPS mode:
encryption-algorithm
By default:
• In non-FIPS mode, an IKE
proposal uses the 56-bit
DES encryption algorithm
in CBC mode.
• In FIPS mode, an IKE
To Next Page
Loading...
Need help?
General