Configuring an ike peer – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

372

Step Command

Remarks

2.

Create an IKE proposal and
enter its view.

ike proposal proposal-number N/A

3.

Specify an encryption
algorithm for the IKE

proposal.

encryption-algorithm { aes-cbc
[ key-length ] | des-cbc }

Optional.
56-bit DES by default

4.

Specify an authentication
method for the IKE proposal.

authentication-method { pre-share
| rsa-signature }

Optional.
Pre-shared key by default

5.

Specify an authentication

algorithm for the IKE

proposal.

authentication-algorithm { md5 |
sha }

Optional.
SHA1 by default

6.

Specify a DH group for key
negotiation in phase 1.

dh { group1 | group2 | group5 |
group14 }

Optional.
group1 (the 768-bit DH group) by

default

7.

Set the ISAKMP SA lifetime for
the IKE proposal.

sa duration seconds

Optional.
86400 seconds by default

NOTE:

Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation
takes time, especially on low-end devices. To prevent SA updates from influencing normal

communication, set the lifetime greater than 10 minutes.

Configuring an IKE peer

For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:

•

Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If the IP
address of the remote end is obtained dynamically and pre-shared key authentication is used, H3C

recommends setting the IKE negotiation mode of the local end to aggressive. When acting as the

IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.

•

Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When
acting as the responder, the local end uses the IKE proposals configured in system view for

negotiation.

•

Configure a pre-shared key for pre-shared key authentication or a PKI domain for digital signature
authentication.

•

Specify the ID type for the local end to use in IKE negotiation phase 1. With pre-shared key
authentication, the ID type must be IP address for main mode IKE negotiation and can be IP address,

FQDN, or user FQDN for aggressive mode IKE negotiation.

•

Specify the name or IP address of the local security gateway. You perform this task only when you

want to specify a special address, a loopback interface address, for example, as the local security
gateway address.

•

Specify the name or IP address of the remote security gateway. For the local end to initiate IKE
negotiation, you must specify the name or IP address of the remote security gateway on the local

end so the local end can find the remote end.

•

Specify the dead peer detection (DPD) detector for the IKE peer.