Displaying and maintaining password control, Configuring an ike proposal – H3C Technologies H3C S12500-X Series Switches User Manual

156

103B

Configuring an IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place.
You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is

represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE

negotiation:

•

The initiator sends its IKE proposals to the peer.

{

If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals

referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has
a higher priority.

{

If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals
to the peer. An IKE proposal with a smaller number has a higher priority.

•

The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with
the highest priority and proceeds in descending order of priority until a match is found. The

matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found

mismatching, the two peers use their default IKE proposals to establish the IKE SA.

Two matching IKE proposals have the same encryption algorithm, authentication method, authentication

algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.
To configure an IKE proposal:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create an IKE proposal and
enter its view.

ike proposal proposal-number

By default, there is an IKE
proposal that is used as the

default IKE proposal.

3.

Specify an encryption
algorithm for the IKE

proposal.

•

In non-FIPS mode:

encryption-algorithm { 3des-cbc |
aes-cbc-128 | aes-cbc-192 |

aes-cbc-256 | des-cbc }

•

In FIPS mode:

encryption-algorithm { aes-cbc-128

| aes-cbc-192 | aes-cbc-256 }

By default:

•

In non-FIPS mode, an IKE

proposal uses the 56-bit DES

encryption algorithm in CBC

mode.

•

In FIPS mode, an IKE

proposal uses the 128-bit AES

encryption algorithm in CBC
mode.

4.

Specify an authentication
method for the IKE proposal. authentication-method pre-share

By default, an IKE proposal uses
the pre-shared key authentication

method.

5.

Specify an authentication

algorithm for the IKE

proposal.

•

In non-FIPS mode:

authentication-algorithm { md5 |
sha }

•

In FIPS mode:

authentication-algorithm sha

By default, an IKE proposal uses
the HMAC-SHA1 authentication

algorithm.