beautypg.com

Configuring an ike keychain – H3C Technologies H3C S6300 Series Switches User Manual

Page 268

background image

253

Step Command

Remarks

3.

Specify an encryption
algorithm for the IKE

proposal.

In non-FIPS mode:

encryption-algorithm { 3des-cbc |
aes-cbc-128 | aes-cbc-192 |

aes-cbc-256 | des-cbc }

In FIPS mode:

encryption-algorithm { aes-cbc-128

| aes-cbc-192 | aes-cbc-256 }

By default:

In non-FIPS mode, an IKE

proposal uses the 56-bit DES

encryption algorithm in CBC

mode.

In FIPS mode, an IKE

proposal uses the 128-bit AES

encryption algorithm in CBC
mode.

4.

Specify an authentication
method for the IKE proposal.

authentication-method { dsa-signature
| pre-share | rsa-signature }

By default, an IKE proposal uses
the pre-shared key authentication

method.

5.

Specify an authentication

algorithm for the IKE
proposal (Release 2310).

In non-FIPS mode:

authentication-algorithm { md5 |
sha }

In FIPS mode:

authentication-algorithm sha

By default, an IKE proposal uses
the HMAC-SHA1 authentication

algorithm.

6.

Specify an authentication
algorithm for the IKE

proposal (Release 2311P04

and later versions).

In non-FIPS mode:
authentication-algorithm { md5 |

sha | sha256 | sha384 | sha512 }

In FIPS mode:

authentication-algorithm { sha |

sha256 | sha384 | sha512 }

By default, an IKE proposal uses
the HMAC-SHA1 authentication

algorithm in non-FIPS mode and
uses the HMAC-SHA256

authentication algorithm in FIPS

mode.

7.

Specify a DH group for key
negotiation in phase 1.

In non-FIPS mode:

dh { group1 | group14 | group2 |

group24 | group5 }

In FIPS mode:

dh group14

By default:

In non-FIPS mode, DH group1

(the 768-bit DH group) is
used.

In FIPS mode, DH group14

(the 2048-bit DH group) is
used.

8.

Set the IKE SA lifetime for
the IKE proposal.

sa duration seconds

By default, the IKE SA lifetime is
86400 seconds.

Configuring an IKE keychain

Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:

1.

Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.

2.

You can specify the local address configured in IPsec policy or IPsec policy template view (using

the local-address command) for the IKE keychain to be applied. If no local address is configured,
specify the IP address of the interface that references the IPsec policy.

3.

You can specify a priority number for the IKE keychain. To determine the priority of an IKE
keychain:

a.

The device examines the existence of the match local address command. An IKE keychain with
the match local address command configured has a higher priority.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: