204
Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You
can create multiple IKE proposals with different preferences. The preference of an IKE proposal is
represented by its sequence number. The lower the sequence number, the higher the preference.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE
negotiation, the initiator sends its IKE proposals to the peer, and the peer searches its own IKE
proposals for a match. The search starts from the IKE proposal with the lowest sequence number
and proceeds in the ascending order of sequence number until a match is found or all the IKE
proposals are found mismatching. The matching IKE proposals are used to establish the secure
tunnel.
The two matching IKE proposals have the same encryption algorithm, authentication method,
authentication algorithm, and DH group. The SA lifetime takes the SA lifetime with a smaller value of
the two.
By default, there is an IKE proposal, which has the lowest preference and uses the default encryption
algorithm, authentication method, authentication algorithm, DH group, and ISAKMP SA lifetime.
When IPsec SAs are traffic expired:
• In FIPS mode, both the IPsec SAs and the corresponding IKE SAs are renegotiated.
• In non-FIPS mode, only the IPsec SAs are renegotiated.
To configure an IKE proposal:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Create an IKE proposal
and enter its view.
ike
proposal
proposal-number N/A
3. Specify an encryption
algorithm for the IKE
proposal.
encryption-algorithm
{
3des-cbc
|
aes-cbc
[ key-length ] |
des-cbc
}
Optional.
In FIPS mode, DES-CBC and
3DES-CBC are not supported, and
the IKE proposal uses 128-bit
AES-CBC for encryption by default.
In non-FIPS mode, the IKE proposal
uses 56-bit DES-CBC for encryption
by default.
4. Specify an authentication
method for the IKE
proposal.
authentication-method
{
pre-share
|
rsa-signature
}
Optional.
Pre-shared key by default.
5. Specify an authentication
algorithm for the IKE
proposal.
authentication-algorithm
{
md5
|
sha
}
Optional.
SHA1 by default.
In FIPS mode, MD5 is not supported.
6. Specify a DH group for
key negotiation in phase
1.
dh
{
group1
|
group2
|
group5
|
group14
}
Optional.
In FIPS mode, the default group is
group2, the 1024-bit Diffie-Hellman
group.
In non-FIPS mode, the default group
is group1, the 768-bit Diffie-Hellman
group.
To Next Page
Loading...
Need help?
General
