70
aes-cbc-128
|
aes-cbc-192
|
aes-cbc-256
|
aes-ctr-128
|
aes-ctr-192
|
aes-ctr-256
|
camellia-cbc-128
|
camellia-cbc-192
|
camellia-cbc-256
|
des-cbc
} *
In FIPS mode:
encryption
{
aes-cbc-128
|
aes-cbc-192
|
aes-cbc-256
|
aes-ctr-128
|
aes-ctr-192
|
aes-ctr-256
} *
4. Specify the integrity
protection algorithms.
In non-FIPS mode:
integrity
{
aes-xcbc-mac
|
md5
|
sha1
|
sha256
|
sha384
|
sha512
}
*
In FIPS mode:
integrity
{
sha1
|
sha256
|
sha384
|
sha512
} *
By default, an IKEv2 proposal does
not have any integrity protection
algorithms.
5. Specify the PRF
algorithms.
In non-FIPS mode:
prf
{
aes-xcbc-mac
|
md5
|
sha1
|
sha256
|
sha384
|
sha512
} *
In FIPS mode:
prf
{
sha1
|
sha256
|
sha384
|
sha512
} *
By default, an IKEv2 proposal uses
the integrity protection algorithms as
the PRF algorithms.
6. Specify the DH groups.
In non-FIPS mode:
dh
{
group1
|
group14
|
group2
|
group24
|
group5
|
group19
|
group20
} *
In FIPS mode:
dh
{
group14
|
group24
|
group19
|
group20
} *
By default, an IKEv2 proposal does
not have any DH groups.
Configuring an IKEv2 keychain
An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.
An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an
asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host
name, IP address or address range, or ID).
An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching
criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the
matching criterion to search for a peer.
To configure an IKEv2 keychain:
1. Enter system view.
system-view
N/A
2. Create an IKEv2 keychain
and enter IKEv2 keychain
view.
ikev2 keychain
keychain-name
By default, no IKEv2 keychains
exist.
To Next Page
Loading...
