
Configuring an IKE peer – H3C Technologies H3C SecPath F1000-E User Manual


Step 3: Specify an encryption algorithm for the IKE proposal.
  Command: encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
  Remarks: Optional. The default encryption algorithm for the IKE proposal is 56-bit DES. In FIPS mode, the default encryption algorithm is AES-CBC-128. The DES-CBC and 3DES-CBC algorithms are not available in FIPS mode.

Step 4: Specify an authentication method for the IKE proposal.
  Command: authentication-method { pre-share | rsa-signature }
  Remarks: Optional. By default, the IKE protocol uses a pre-shared key for authentication.

Step 5: Specify an authentication algorithm for the IKE proposal.
  Command: authentication-algorithm { md5 | sha }
  Remarks: Optional. The default authentication algorithm for the IKE protocol is SHA1. The MD5 algorithm is not available in FIPS mode.

Step 6: Specify a DH group for key negotiation in phase 1.
  Command: dh { group1 | group2 | group5 | group14 }
  Remarks: Optional. The default setting is group1, which is the 768-bit DH group. In FIPS mode, the default setting is group2. FIPS mode does not support group1.

Step 7: Set the ISAKMP SA lifetime for the IKE proposal.
  Command: sa duration seconds
  Remarks: Optional. The default ISAKMP SA lifetime for the IKE proposal is 86400 seconds.

NOTE:

Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. The DH calculation in IKE negotiation takes time, especially on low-end devices. To prevent SA updates from disrupting normal communication, set the lifetime to more than 10 minutes.

In FIPS mode, IPsec requires IKE to update the ISAKMP SA for an IPsec SA whose traffic-based lifetime expires.
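The Remarks above mean that a proposal which leaves the encryption algorithm or DH group unset silently runs with 56-bit DES and the 768-bit group1. The following audit script, added here as an example and not part of the manual or H3C's software, parses IKE proposal blocks from a saved configuration and reports settings (configured or defaulted) that the table marks as unavailable in FIPS mode, plus any ISAKMP SA lifetime below the 10-minute floor from the NOTE. The "ike proposal <n>" header line, the one-space indentation and the sample configuration are assumptions.

```python
import re

# Constructed sample in the style of the F1000-E running configuration; the
# "ike proposal <n>" header line and one-space indentation are assumptions.
SAMPLE_CONFIG = """\
ike proposal 1
 authentication-method pre-share
 sa duration 300
ike proposal 10
 encryption-algorithm aes-cbc 256
 authentication-method rsa-signature
 authentication-algorithm sha
 dh group14
 sa duration 86400
"""

# Non-FIPS defaults from the Remarks column (an omitted command means the default applies),
# the values the table marks as unavailable in FIPS mode, and the NOTE's 10-minute floor.
DEFAULTS = {"encryption-algorithm": "des-cbc", "authentication-algorithm": "sha",
            "dh": "group1", "sa duration": "86400"}
NOT_FIPS = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
            "authentication-algorithm": {"md5"}, "dh": {"group1"}}
MIN_LIFETIME = 600

def parse_proposals(text):
    # Returns {proposal_number: {command: first argument}} for each IKE proposal block.
    proposals, current = {}, None
    for line in text.splitlines():
        header = re.match(r"ike proposal (\d+)$", line)
        if header:
            current = proposals.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" ") and line.split():
            words = line.split()
            if words[:2] == ["sa", "duration"]:
                current["sa duration"] = words[2]
            else:
                current[words[0]] = words[1]  # e.g. "aes-cbc"; the key length is not checked
        else:
            current = None  # "#", a blank line or any other top-level line ends the block
    return proposals

def audit(text):
    # Returns {proposal_number: [finding, ...]}; an empty list means nothing to report.
    report = {}
    for num, settings in parse_proposals(text).items():
        effective = {**DEFAULTS, **settings}
        findings = [f"{k} {effective[k]} ({'configured' if k in settings else 'default'})"
                    " is not available in FIPS mode"
                    for k, bad in NOT_FIPS.items() if effective[k] in bad]
        if int(effective["sa duration"]) < MIN_LIFETIME:
            findings.append(f"sa duration {effective['sa duration']} is below 600 seconds")
        report[num] = findings
    return report
```

Running `audit(SAMPLE_CONFIG)` flags proposal 1 three times (defaulted DES-CBC, defaulted group1, 300-second lifetime) and reports nothing for proposal 10.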

Configuring an IKE peer

For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:

- Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If the IP address of the remote end is obtained dynamically, the IKE negotiation mode of the local end must be aggressive. When acting as the IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.

- Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation.

- Configure a pre-shared key for pre-shared key authentication, or a PKI domain for digital signature authentication.