Configuring an ike peer – H3C Technologies H3C SecPath F1000-E User Manual

for a match. The search starts from the proposal with the lowest sequence number and proceeds in ascending order of sequence number until a match is found or all IKE proposals have been checked without a match. The matching IKE proposals are used to establish the secure tunnel.

Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime is not compared; the negotiated lifetime is the smaller of the settings on the two sides.

By default, there is a built-in IKE proposal that has the lowest preference and uses the default encryption algorithm, authentication method, authentication algorithm, DH group, and ISAKMP SA lifetime.
Follow these steps to configure an IKE proposal:

Step 1. Enter system view.
        Command: system-view

Step 2. Create an IKE proposal and enter its view.
        Command: ike proposal proposal-number
        Remarks: Required.

Step 3. Specify an encryption algorithm for the IKE proposal.
        Command: encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
        Remarks: Optional. 56-bit DES by default.

Step 4. Specify an authentication method for the IKE proposal.
        Command: authentication-method { pre-share | rsa-signature }
        Remarks: Optional. Pre-shared key by default.

Step 5. Specify an authentication algorithm for the IKE proposal.
        Command: authentication-algorithm { md5 | sha }
        Remarks: Optional. SHA1 by default.

Step 6. Specify a DH group for key negotiation in phase 1.
        Command: dh { group1 | group2 | group5 | group14 }
        Remarks: Optional. group1, namely the 768-bit DH group, by default.

Step 7. Specify the ISAKMP SA lifetime for the IKE proposal.
        Command: sa duration seconds
        Remarks: Optional. 86,400 seconds by default.

NOTE:

Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. Because the DH calculation in IKE negotiation takes time, especially on low-end devices, set the lifetime to more than 10 minutes so that the renegotiation does not disrupt normal communication.

The default settings (56-bit DES, SHA1 and the 768-bit group1) are the weakest options the proposal commands offer, and the built-in default proposal exists on both peers, so two peers whose explicit proposals do not match will still negotiate a tunnel with these defaults. On a new tunnel, configure aes-cbc, sha and group14 explicitly on both sides and make sure the explicit proposals on the two sides match, rather than relying on the fallback.
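The proposal matching rule and the defaults above, worked through in code. This is an added example written for this edit, not code from the manual or from H3C. It parses proposals written in the command syntax shown on this page from a constructed configuration snippet, runs the responder-side search in ascending sequence-number order, takes the smaller lifetime, and flags weak settings. Assumptions, also marked in the comments: the initiator offers all of its proposals; the built-in default proposal is modelled with a placeholder sequence number 65535 because the page does not give its number; an omitted AES key length is not treated as equal to an explicit one; and the list of settings flagged as weak is the editor's, not the manual's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Per-proposal defaults as listed on this page; a proposal that omits a command gets these.
DEFAULTS = {"encryption": "des-cbc", "auth_method": "pre-share",
            "auth_alg": "sha", "dh": "group1", "lifetime": 86400}

# The page says every device also has a built-in proposal with the lowest preference and
# all-default settings. Its sequence number is not given on the page; 65535 is a
# placeholder chosen so it sorts after every user-defined proposal (assumption).
DEFAULT_PROPOSAL_SEQ = 65535

# Settings this audit flags as weak. This list is the editor's, not the manual's.
WEAK = {"encryption": {"des-cbc", "3des-cbc"}, "auth_alg": {"md5"},
        "dh": {"group1", "group2", "group5"}}


@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str
    auth_method: str
    auth_alg: str
    dh: str
    lifetime: int

    def matches(self, other: "Proposal") -> bool:
        # Matching rule from the page: same encryption, authentication method,
        # authentication algorithm and DH group. Lifetime is deliberately not compared.
        return ((self.encryption, self.auth_method, self.auth_alg, self.dh) ==
                (other.encryption, other.auth_method, other.auth_alg, other.dh))


def parse_proposals(config_text: str) -> List[Proposal]:
    """Parse 'ike proposal N' blocks written in the command syntax shown on the page.

    Returns the user-defined proposals plus the built-in default one, sorted by
    sequence number, which is the order the device searches them."""
    proposals: List[Proposal] = []
    current = None
    for raw in config_text.splitlines() + ["#"]:      # trailing "#" flushes the last block
        line = raw.strip()
        m = re.match(r"ike proposal (\d+)$", line)
        if line == "#" or m:
            if current is not None:
                proposals.append(Proposal(**current))
            current = dict(DEFAULTS, number=int(m.group(1))) if m else None
            continue
        if current is None or not line:
            continue
        tok = line.split()
        if tok[0] == "encryption-algorithm":
            # "aes-cbc 256" becomes "aes-cbc-256" so differing key lengths do not match.
            # An omitted key length stays "aes-cbc"; the page does not give its default.
            current["encryption"] = "-".join(tok[1:])
        elif tok[0] == "authentication-method":
            current["auth_method"] = tok[1]
        elif tok[0] == "authentication-algorithm":
            current["auth_alg"] = tok[1]
        elif tok[0] == "dh":
            current["dh"] = tok[1]
        elif tok[:2] == ["sa", "duration"]:
            current["lifetime"] = int(tok[2])
    proposals.append(Proposal(number=DEFAULT_PROPOSAL_SEQ, **DEFAULTS))
    return sorted(proposals, key=lambda p: p.number)


def negotiate(responder: List[Proposal], initiator: List[Proposal]) -> Tuple[Proposal, Proposal, int]:
    """Responder-side search as described on the page: walk the responder's proposals in
    ascending sequence number and return the first one that an initiator proposal matches,
    together with the negotiated lifetime (the smaller of the two sides' settings).
    Assumes the initiator offers all of its proposals. Because both sides carry the
    built-in default proposal, a match always exists."""
    for local in responder:
        for remote in initiator:
            if local.matches(remote):
                return local, remote, min(local.lifetime, remote.lifetime)
    raise AssertionError("unreachable: both sides include the default proposal")


def audit(p: Proposal, lifetime: int) -> List[str]:
    """Flag what a reviewer would not accept on a new tunnel (editor's criteria)."""
    findings = []
    if p.number == DEFAULT_PROPOSAL_SEQ:
        findings.append("negotiated the built-in default proposal (all-default settings)")
    if p.encryption in WEAK["encryption"]:
        findings.append(f"weak encryption {p.encryption}")
    if p.auth_alg in WEAK["auth_alg"]:
        findings.append(f"weak authentication algorithm {p.auth_alg}")
    if p.dh in WEAK["dh"]:
        findings.append(f"weak DH group {p.dh}")
    if lifetime < 600:
        findings.append(f"lifetime {lifetime}s is below the 10-minute floor the page recommends")
    return findings


# Constructed sample configurations in the page's command syntax (not from a real device).
RESPONDER_CONFIG = """\
#
 ike proposal 5
  encryption-algorithm aes-cbc 128
  dh group14
#
 ike proposal 10
  encryption-algorithm aes-cbc 256
  authentication-algorithm sha
  dh group14
#
"""
INITIATOR_CONFIG = """\
 ike proposal 10
  encryption-algorithm aes-cbc 256
  dh group14
  sa duration 3600
 ike proposal 20
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  dh group2
"""
# The same initiator after proposal 10 was deleted: nothing matches the responder's
# explicit proposals, so both sides fall back to the built-in default (DES, group1).
INITIATOR_BROKEN_CONFIG = """\
 ike proposal 20
  encryption-algorithm 3des-cbc
  authentication-algorithm md5
  dh group2
"""

if __name__ == "__main__":
    resp = parse_proposals(RESPONDER_CONFIG)
    for cfg in (INITIATOR_CONFIG, INITIATOR_BROKEN_CONFIG):
        local, remote, life = negotiate(resp, parse_proposals(cfg))
        print(f"responder proposal {local.number} <-> initiator proposal {remote.number}, "
              f"{local.encryption}/{local.auth_alg}/{local.dh}, lifetime {life}s")
        for finding in audit(local, life):
            print("  WARNING:", finding)
```

Run as a script, the healthy configuration negotiates responder proposal 10 against initiator proposal 10 with the initiator's shorter 3600-second lifetime; the broken one lands on the default proposal on both sides with DES and group1, which is the silent downgrade the note above warns about.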

Configuring an IKE Peer

Follow these steps to configure an IKE peer:

Step 1. Enter system view.
        Command: system-view

Step 2. Create an IKE peer and enter IKE peer view.
        Command: ike peer peer-name
        Remarks: Required.

Step 3. Specify the IKE negotiation mode in phase 1.
        Command: exchange-mode { aggressive | main }
        Remarks: Optional. main by default.