Displaying and maintaining password control, Configuring an ike proposal – H3C Technologies H3C S12500-X Series Switches User Manual
Page 168

156
103B
Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place.
You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is
represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE
negotiation:
•
The initiator sends its IKE proposals to the peer.
{
If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals
referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has
a higher priority.
{
If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals
to the peer. An IKE proposal with a smaller number has a higher priority.
•
The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with
the highest priority and proceeds in descending order of priority until a match is found. The
matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found
mismatching, the two peers use their default IKE proposals to establish the IKE SA.
Two matching IKE proposals have the same encryption algorithm, authentication method, authentication
algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.
To configure an IKE proposal:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Create an IKE proposal and
enter its view.
ike proposal proposal-number
By default, there is an IKE
proposal that is used as the
default IKE proposal.
3.
Specify an encryption
algorithm for the IKE
proposal.
•
In non-FIPS mode:
encryption-algorithm { 3des-cbc |
aes-cbc-128 | aes-cbc-192 |
aes-cbc-256 | des-cbc }
•
In FIPS mode:
encryption-algorithm { aes-cbc-128
| aes-cbc-192 | aes-cbc-256 }
By default:
•
In non-FIPS mode, an IKE
proposal uses the 56-bit DES
encryption algorithm in CBC
mode.
•
In FIPS mode, an IKE
proposal uses the 128-bit AES
encryption algorithm in CBC
mode.
4.
Specify an authentication
method for the IKE proposal. authentication-method pre-share
By default, an IKE proposal uses
the pre-shared key authentication
method.
5.
Specify an authentication
algorithm for the IKE
proposal.
•
In non-FIPS mode:
authentication-algorithm { md5 |
sha }
•
In FIPS mode:
authentication-algorithm sha
By default, an IKE proposal uses
the HMAC-SHA1 authentication
algorithm.
- H3C S5560 Series Switches H3C WX6000 Series Access Controllers H3C WX5000 Series Access Controllers H3C WX3000 Series Unified Switches H3C LSWM1WCM10 Access Controller Module H3C LSWM1WCM20 Access Controller Module H3C LSQM1WCMB0 Access Controller Module H3C LSRM1WCM2A1 Access Controller Module H3C LSBM1WCM2A0 Access Controller Module H3C S9800 Series Switches H3C S5130 Series Switches H3C S5120 Series Switches