4. Specify a VPN instance for IKEv2 policy matching.
   Command: match vrf { name vrf-name | any }
   Remarks: By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
5. Specify an IKEv2 proposal for the IKEv2 policy.
   Command: proposal proposal-name
   Remarks: By default, no IKEv2 proposal is specified for an IKEv2 policy.
6. Specify a priority for the IKEv2 policy.
   Command: priority priority
   Remarks: By default, the priority of an IKEv2 policy is 100.
Configuring an IKEv2 proposal

An IKEv2 proposal contains the security parameters used in IKE_SA_INIT exchanges: the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Within each category, an algorithm specified earlier has a higher priority.

A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
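The ordering rule above (an earlier algorithm, and an earlier proposal, wins) modelled in Python, as an added example that is not part of this guide and not the device's own negotiation code. It uses the non-FIPS and FIPS default proposals listed in step 2 of the procedure below; the `select` matching model and the `WEAK` review list are assumptions, and it shows why leaving the `default` proposal in a policy can let a legacy peer negotiate 3DES, HMAC-MD5 and DH group 2.

```python
from dataclasses import dataclass

TRANSFORMS = ("encryption", "integrity", "prf", "dh")


@dataclass
class Proposal:
    """One IKEv2 proposal; each list is in configured order, earliest = highest priority."""
    name: str
    encryption: list
    integrity: list
    prf: list
    dh: list


# Default proposals exactly as this section lists them (DH groups kept as strings).
DEFAULT_NON_FIPS = Proposal("default", ["AES-CBC-128", "3DES"],
                            ["HMAC-SHA1", "HMAC-MD5"], ["HMAC-SHA1", "HMAC-MD5"], ["2", "5"])
DEFAULT_FIPS = Proposal("default", ["AES-CBC-128", "AES-CTR-128"],
                        ["HMAC-SHA1", "HMAC-SHA256"], ["HMAC-SHA1", "HMAC-SHA256"], ["14", "19"])

# Constructed review list (assumption): transforms a hardening review would flag.
WEAK = {"3DES", "HMAC-MD5", "2", "5"}


def select(local_proposals, peer_proposals):
    """Model of the ordering rule: walk local proposals in priority order and, for each
    transform type, take the first local algorithm the peer proposal also offers.
    Returns (local proposal name, peer proposal name, chosen transforms) or None."""
    for lp in local_proposals:
        for pp in peer_proposals:
            chosen = {}
            for t in TRANSFORMS:
                common = [alg for alg in getattr(lp, t) if alg in getattr(pp, t)]
                if not common:
                    break  # this pair cannot agree on every transform type
                chosen[t] = common[0]
            else:
                return lp.name, pp.name, chosen
    return None


def weak_transforms(chosen):
    """Negotiated transforms that fall in the WEAK review list (sorted, no duplicates)."""
    return sorted({alg for alg in chosen.values() if alg in WEAK})


if __name__ == "__main__":
    strong = Proposal("strong", ["AES-CBC-256"], ["HMAC-SHA256"], ["HMAC-SHA256"], ["14"])
    legacy = Proposal("legacy-peer", ["3DES"], ["HMAC-MD5"], ["HMAC-MD5"], ["2"])
    # Keeping "default" after "strong" still lets a legacy peer land on 3DES/MD5/group 2.
    print(select([strong, DEFAULT_NON_FIPS], [legacy]))
    print(select([strong], [legacy]))                  # None: the legacy peer is refused
    print(select([DEFAULT_NON_FIPS], [DEFAULT_FIPS]))  # None: no common DH group
```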
To configure an IKEv2 proposal:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an IKEv2 proposal and enter IKEv2 proposal view.
   Command: ikev2 proposal proposal-name
   Remarks: By default, an IKEv2 proposal named default exists.
   In non-FIPS mode, the default proposal uses the following settings:
   • Encryption algorithms AES-CBC-128 and 3DES.
   • Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.
   • PRF algorithms HMAC-SHA1 and HMAC-MD5.
   • DH groups 2 and 5.
   In FIPS mode, the default proposal uses the following settings:
   • Encryption algorithms AES-CBC-128 and AES-CTR-128.
   • Integrity protection algorithms HMAC-SHA1 and HMAC-SHA256.
   • PRF algorithms HMAC-SHA1 and HMAC-SHA256.
   • DH groups 14 and 19.
3. Specify the encryption algorithms.
   In non-FIPS mode:
   Remarks: By default, an IKEv2 proposal does not have any encryption algorithms.