beautypg.com

Dh algorithm, Protocols and standards, Fips compliance – H3C Technologies H3C S6300 Series Switches User Manual

Page 264: Ike configuration prerequisites, Ike configuration task list

background image

249

the pre-shared key authentication method, you must configure a pre-shared key for each branch on the

Headquarters node.

DH algorithm

The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material

and then use the material to calculate the shared keys. Due to the decryption complexity, a third party

cannot decrypt the keys even after intercepting all keying materials.

PFS

The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is

enabled, an additional DH exchange is performed in IKE phase 2 to make sure IPsec keys have no

derivative relations with IKE keys and a broken key brings no threats to other keys.

Protocols and standards

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)

RFC 2409, The Internet Key Exchange (IKE)

RFC 2412, The OAKLEY Key Determination Protocol

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,

commands, and parameters might differ in FIPS mode (see "

Configuring FIPS

") and non-FIPS mode.

IKE configuration prerequisites

Determine the following parameters prior to IKE configuration:

The algorithms to be used during IKE negotiation, including the identity authentication method,
encryption algorithm, authentication algorithm, and DH group.

{

Different algorithms provide different levels of protection. A stronger algorithm provides more
resistance to decryption but uses more resources.

{

A DH group that uses more bits provides higher security but needs more time for processing.

The pre-shared key or PKI domain for IKE negotiation. For more information about PKI, see
"

Configuring PKI

."

The IKE-based IPsec policies for the communicating peers. If an IPsec policy does not reference any

IKE profile, the device selects an IKE profile for the IPsec policy. If no IKE profile is configured, the
globally configured IKE settings are used. For more information about IPsec, see "

Configuring an

IKE-based IPsec policy

."

IKE configuration task list

Tasks at a glance

Remarks

(Optional.)

Configuring an IKE profile

N/A

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: