
H3C Technologies H3C MSR 50 User Manual

Page 391


Item Description

Exchange Mode

Select the IKE negotiation mode in phase 1, which can be main or aggressive.

IMPORTANT:

If the IP address of one end of an IPsec tunnel is obtained dynamically, the IKE negotiation mode must be aggressive. In this case, SAs can be established as long as the username and password are correct.

An IKE peer uses its configured IKE negotiation mode when it is the negotiation initiator. A negotiation responder uses the IKE negotiation mode of the initiator.

Authentication Algorithm

Select the authentication algorithm to be used in IKE negotiation. Options include:

SHA1—Uses HMAC-SHA1.

MD5—Uses HMAC-MD5.

Encryption Algorithm

Select the encryption algorithm to be used in IKE negotiation. Options include:

DES-CBC—Uses the DES algorithm in CBC mode with a 56-bit key.

3DES-CBC—Uses the 3DES algorithm in CBC mode with a 168-bit key.

AES-128—Uses the AES algorithm in CBC mode with a 128-bit key.

AES-192—Uses the AES algorithm in CBC mode with a 192-bit key.

AES-256—Uses the AES algorithm in CBC mode with a 256-bit key.

DH

Select the DH group to be used in key negotiation phase 1. Options include:

Diffie-Hellman Group1—Uses the 768-bit Diffie-Hellman group.

Diffie-Hellman Group2—Uses the 1024-bit Diffie-Hellman group.

Diffie-Hellman Group5—Uses the 1536-bit Diffie-Hellman group.

Diffie-Hellman Group14—Uses the 2048-bit Diffie-Hellman group.

SA Lifetime

Enter the ISAKMP SA lifetime in IKE negotiation.

Before an SA expires, IKE negotiates a new SA. As soon as the new SA is set up, it takes effect immediately and the old one will be cleared automatically when it expires.

IMPORTANT:

Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation takes time, especially on low-end devices. Set the lifetime greater than 10 minutes to prevent the SA update from influencing normal communication.

Phase 2

Security Protocol

Select the security protocols to be used. Options include:

ESP—Uses the ESP protocol.

AH—Uses the AH protocol.

AH-ESP—Uses ESP first and then AH.

AH Authentication Algorithm

Select the authentication algorithm for AH when you select AH or AH-ESP for Security Protocol.

Available authentication algorithms include MD5 and SHA1.

ESP Authentication Algorithm

Select the authentication algorithm for ESP when you select ESP or AH-ESP for Security Protocol.

You can select MD5 or SHA1, or select NULL so that ESP performs no authentication.

IMPORTANT:

The ESP authentication algorithm and ESP encryption algorithm cannot be null at the same time.
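
The cross-field rules in this table (dynamic address implies aggressive mode, the SA lifetime floor, which authentication fields apply to which security protocol, and the ESP null/null restriction) can be checked before the settings are entered. The following Python check is an added example, not H3C code; the field names, the `NULL` spelling for the ESP encryption value, and the lifetime unit (seconds) are assumptions.

```python
# Added example: checks a proposed parameter set against the constraints in
# the table above. Field names, NULL spelling and seconds unit are assumptions.
OPTIONS = {
    "exchange_mode": {"main", "aggressive"},
    "ike_auth": {"SHA1", "MD5"},
    "ike_enc": {"DES-CBC", "3DES-CBC", "AES-128", "AES-192", "AES-256"},
    "dh_group": {1, 2, 5, 14},
    "protocol": {"ESP", "AH", "AH-ESP"},
}
MIN_LIFETIME_S = 10 * 60  # manual: "greater than 10 minutes"


def validate(cfg):
    """Return violations as 'field: reason' strings; empty list means consistent."""
    problems = [f"{f}: {cfg.get(f)!r} is not a listed option"
                for f, allowed in OPTIONS.items() if cfg.get(f) not in allowed]
    # A dynamically obtained address on either end forces aggressive mode.
    if cfg.get("dynamic_peer_ip") and cfg.get("exchange_mode") == "main":
        problems.append("exchange_mode: must be aggressive when an end has a dynamic IP")
    if cfg.get("sa_lifetime_s", 0) <= MIN_LIFETIME_S:
        problems.append("sa_lifetime_s: set the ISAKMP SA lifetime above 10 minutes")
    proto = cfg.get("protocol")
    # AH authentication applies only when AH or AH-ESP is selected.
    if proto in ("AH", "AH-ESP") and cfg.get("ah_auth") not in ("MD5", "SHA1"):
        problems.append("ah_auth: must be MD5 or SHA1 when AH is in use")
    # ESP authentication applies only when ESP or AH-ESP is selected.
    if proto in ("ESP", "AH-ESP"):
        esp_auth = cfg.get("esp_auth")
        if esp_auth not in ("MD5", "SHA1", "NULL"):
            problems.append("esp_auth: must be MD5, SHA1 or NULL when ESP is in use")
        elif esp_auth == "NULL" and cfg.get("esp_enc") == "NULL":
            problems.append("esp_auth: ESP authentication and encryption cannot both be NULL")
    return problems


# Constructed sample settings, not taken from any real device.
GOOD = {"exchange_mode": "main", "dynamic_peer_ip": False, "ike_auth": "SHA1",
        "ike_enc": "AES-256", "dh_group": 14, "sa_lifetime_s": 86400,
        "protocol": "ESP", "esp_auth": "SHA1", "esp_enc": "AES-128"}
BAD = dict(GOOD, dynamic_peer_ip=True, sa_lifetime_s=300,
           esp_auth="NULL", esp_enc="NULL")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(cfg) or "consistent")
```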
