
HPE FlexFabric 5940 SERIES User Manual

Command: { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
Remarks: proposal uses the 128-bit AES encryption algorithm in CBC mode.

5. Specify an authentication method for the IKE proposal.
   Command: authentication-method { dsa-signature | pre-share | rsa-signature }
   Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

6. Specify an authentication algorithm for the IKE proposal.
   Command:
   • In non-FIPS mode: authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
   • In FIPS mode: authentication-algorithm { sha | sha256 | sha384 | sha512 }
   Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in non-FIPS mode and the HMAC-SHA256 authentication algorithm in FIPS mode.

7. Specify a DH group for key negotiation in phase 1.
   Command:
   • In non-FIPS mode: dh { group1 | group14 | group2 | group24 | group5 }
   • In FIPS mode: dh group14
   Remarks: By default:
   • In non-FIPS mode, DH group 1 (the 768-bit DH group) is used.
   • In FIPS mode, DH group 14 (the 2048-bit DH group) is used.

8. Set the IKE SA lifetime for the IKE proposal.
   Command: sa duration seconds
   Remarks: By default, the IKE SA lifetime is 86400 seconds.
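The non-FIPS defaults above mean that a proposal with no dh line negotiates with the 768-bit group 1. The following is an added example, not code from the manual or from HPE: it resolves those defaults for each proposal in a configuration text and lists the settings that fall outside the FIPS-mode option lists in the table, which it uses as the audit baseline. The function names, the "ike proposal <number>" header and the "#" separator in the constructed sample are assumptions.

```python
import re
# Non-FIPS defaults stated in the table above.
DEFAULTS = {
    "authentication-method": "pre-share",
    "authentication-algorithm": "sha",  # HMAC-SHA1
    "dh": "group1",                     # 768-bit DH group
    "sa duration": "86400",
}
# Options the table lists for FIPS mode, used here as the audit baseline.
FIPS_ALLOWED = {
    "authentication-algorithm": {"sha", "sha256", "sha384", "sha512"},
    "dh": {"group14"},
}
# Constructed sample. The "ike proposal <number>" header and "#" separator
# are assumptions about how the saved configuration is laid out.
SAMPLE = """\
ike proposal 10
 authentication-algorithm sha256
 dh group14
 sa duration 28800
#
ike proposal 20
 authentication-method pre-share
#
ike proposal 30
 authentication-algorithm md5
 dh group2
"""

def effective_settings(text):
    """Return {proposal: (explicit settings, settings after defaults)}."""
    explicit, current = {}, None
    for line in text.splitlines():
        header = re.match(r"ike proposal (\S+)\s*$", line)
        if header:
            current = explicit.setdefault(header.group(1), {})
        elif not line.startswith(" "):
            current = None  # left the proposal view
        elif current is not None:
            for key in DEFAULTS:
                if line.strip().startswith(key + " "):
                    current[key] = line.strip()[len(key):].strip()
    return {pid: (cfg, {**DEFAULTS, **cfg}) for pid, cfg in explicit.items()}

def audit(text):
    """List (proposal, command, value, origin) outside the FIPS-mode options."""
    return [(pid, key, eff[key], "explicit" if key in cfg else "default")
            for pid, (cfg, eff) in effective_settings(text).items()
            for key, allowed in FIPS_ALLOWED.items() if eff[key] not in allowed]
```

Calling audit(SAMPLE) reports proposal 20 for its inherited dh group1 and proposal 30 for its explicit md5 and group2 settings.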
Configuring an IKE keychain
Perform this task when you configure IKE to use pre-shared key authentication.
Follow these guidelines when you configure an IKE keychain:
1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2. You can specify the local address to which the IKE keychain applies: use the local address configured in IPsec policy view or IPsec policy template view (with the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
3. You can specify a priority number for the IKE keychain. The device determines the priority of an IKE keychain as follows:
a. The device checks whether the match local address command is configured. An IKE keychain with the match local address command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers the IKE keychain that was configured earlier.
To configure the IKE keychain:
1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create an IKE keychain and enter its view.
   Command: ike keychain keychain-name [ vpn-instance vpn-instance-name ]
   Remarks: By default, no IKE keychains exist.

3. Configure a pre-shared key.
   Command:
   • In non-FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } |
   Remarks: By default, no pre-shared key is configured. For security purposes, all pre-shared keys, including those
