| Hardware | FIPS mode |
|---|---|
| MSR50 | Yes |
| MSR1000 | Yes |
IKE configuration task list
Determine the following parameters prior to IKE configuration:
• The strength of the algorithms for IKE negotiation (the security protection level), including the
identity authentication method, encryption algorithm, authentication algorithm, and DH group.
Different algorithms provide different levels of protection. A stronger algorithm means more
resistance to decryption of protected data but requires more resources. Generally, the longer
the key, the stronger the algorithm.
• The pre-shared key or the PKI domain the certificate belongs to. For more information about
PKI configuration, see "Configuring PKI."
To configure IKE:
| Task | Remarks |
|---|---|
| Configuring a name for the local security gateway | Optional. |
| Configuring an IKE proposal | Optional. Required if you want to specify an IKE proposal for an IKE peer to reference. |
| Configuring an IKE peer | Required. |
| Setting keepalive timers | Optional. |
| Setting the NAT keepalive timer | Optional. |
| Configuring a DPD detector | Optional. |
| Disabling next payload field checking | Optional. |
Configuring a name for the local security gateway
If the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation (the
id-type name or id-type user-fqdn command is configured on the initiator), configure the
ike local-name command in system view or the local-name command in IKE peer view on the local
device. If you configure both commands, the name configured in IKE peer view is used.
To configure a name for the local security gateway:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure a name for the local security gateway. | ike local-name name | Optional. By default, the device name is used as the name of the local security gateway. |
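The following added example (not part of the original manual) resolves which name a gateway presents as its IKE ID, using the precedence described above, so that the value can be checked against what the remote end expects. The configuration text is a constructed sample; its layout, the use of sysname for the device name, and the ike peer lines that open IKE peer view are assumptions.

```python
# Added example (not from the manual). Precedence described above:
#   local-name in IKE peer view > ike local-name in system view > device name.
# Assumptions: input resembles "display current-configuration" output, where
# "sysname" sets the device name, "ike peer <name>" opens IKE peer view and
# "#" separates sections. A peer without id-type name/user-fqdn returns None.

SAMPLE_CONFIG = """\
#
 sysname RouterA
#
 ike local-name gw-branch
#
ike peer hq
 id-type name
 local-name gw-branch-hq
#
ike peer dr
 id-type user-fqdn
#
ike peer lab
#
"""  # constructed sample, not taken from a real device


def effective_local_names(config):
    """Map each IKE peer to the name the local gateway sends as its ID."""
    sysname = global_name = current = None
    peers = {}
    for raw in config.splitlines():
        words = raw.split()
        if words == ["#"]:
            current = None  # "#" closes the current view
        elif words[:1] == ["sysname"] and len(words) == 2:
            sysname = words[1]
        elif words[:2] == ["ike", "local-name"] and len(words) == 3:
            global_name = words[2]
        elif words[:2] == ["ike", "peer"] and len(words) == 3:
            current = words[2]
            peers[current] = {}
        elif current and len(words) == 2 and words[0] in ("id-type", "local-name"):
            peers[current][words[0]] = words[1]
    names = {}
    for peer, cfg in peers.items():
        uses_name = cfg.get("id-type") in ("name", "user-fqdn")
        # Peer-view name wins, then the system-view name, then the device name.
        names[peer] = (cfg.get("local-name") or global_name or sysname) if uses_name else None
    return names

if __name__ == "__main__":
    print(effective_local_names(SAMPLE_CONFIG))
```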