
Configuring global IKE parameters – H3C Technologies H3C SecPath F1000-E User Manual


Perform the tasks in Table 1 to configure IKE.

Table 1 IKE configuration task list

Task: Configuring Global IKE Parameters
Remarks: Optional
Configure the IKE local name and NAT keepalive interval.

Task: Configuring an IKE Proposal
Remarks: Required when IKE peers need to specify an IKE proposal.
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the smaller the sequence number, the higher the preference.
Two peers must have at least one pair of matched IKE proposals for successful IKE negotiation. During IKE negotiation, the negotiation initiator sends its IKE proposals to the peer. The peer will match the IKE proposals against its own IKE proposals, starting with the one with the smallest sequence number. The match goes on until a match is found or all IKE proposals are found mismatched. The matched IKE proposals will be used to establish the security tunnel.
Two matched IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The ISAKMP SA lifetime will take the smaller one of the two matched IKE proposals.
By default, there is an IKE proposal, which has the lowest preference and uses these default settings:
  Authentication method: Pre-shared key,
  Authentication algorithm: SHA,
  Encryption algorithm: DES-CBC,
  DH group: Group1,
  SA lifetime: 86400 seconds.

Task: Configuring IKE DPD
Remarks: Optional
Dead peer detection (DPD) is used for detecting the status of IPsec peers. With the DPD function enabled, if an end receives no IPsec protected packets from its peer in the DPD query triggering interval, it sends a DPD request to the peer to detect whether the IKE peer exists.

Task: Configuring an IKE Peer
Remarks: Required
Create an IKE peer and configure the related parameters.
IMPORTANT:
If you change the settings of an IKE peer, be sure to clear the established IPsec SAs and ISAKMP SAs on the pages displayed after you select VPN > IKE > IKE SA and select VPN > IPSec > IPSec SA respectively. Otherwise, SA renegotiation will fail.

Task: Viewing IKE SAs
Remarks: Optional
View the summary information of the current ISAKMP SA.
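
The proposal matching rules in Table 1, modeled as an added example (not code from the manual or from H3C). It assumes the responder checks each offered proposal, in sequence-number order, against its own proposals in sequence-number order; the AES-128, Group2 and Group5 values and all names are constructed for illustration. It also shows how two peers whose custom proposals do not match end up on the DES-CBC/Group1 default if both still offer it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    seq: float        # sequence number: smaller value = higher preference
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    lifetime: int     # ISAKMP SA lifetime in seconds

    def match_key(self):
        # The four attributes that must be identical for two proposals to match.
        return (self.enc_alg, self.auth_method, self.auth_alg, self.dh_group)

# Default proposal from the manual; float("inf") models "lowest preference"
# (the page gives no sequence number for it).
DEFAULT = Proposal(float("inf"), "pre-shared-key", "SHA", "DES-CBC", "Group1", 86400)

WEAK = {"DES-CBC", "Group1"}  # single DES and 768-bit MODP are weak by current standards

def negotiate(initiator, responder):
    """Return the negotiation result, or None if every proposal mismatches."""
    for offered in sorted(initiator, key=lambda p: p.seq):
        for local in sorted(responder, key=lambda p: p.seq):
            if offered.match_key() == local.match_key():
                return {
                    "initiator_seq": offered.seq,
                    "responder_seq": local.seq,
                    # The SA lifetime is the smaller of the two matched values.
                    "lifetime": min(offered.lifetime, local.lifetime),
                    "weak": sorted(WEAK & {offered.enc_alg, offered.dh_group}),
                }
    return None

# Constructed sample proposals (illustrative values, not from the manual).
A10 = Proposal(10, "pre-shared-key", "SHA", "AES-128", "Group2", 3600)
B5 = Proposal(5, "pre-shared-key", "SHA", "AES-128", "Group5", 7200)
B20 = Proposal(20, "pre-shared-key", "SHA", "AES-128", "Group2", 28800)

if __name__ == "__main__":
    print(negotiate([A10, DEFAULT], [B5, B20, DEFAULT]))  # custom proposals match
    print(negotiate([A10, DEFAULT], [B5, DEFAULT]))       # falls back to the default
    print(negotiate([A10], [B5]))                         # no match at all
```

A non-empty "weak" list in the result means the tunnel was negotiated on the default DES-CBC or Group1 settings, which is worth checking for after any proposal change.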

Configuring Global IKE Parameters

Select VPN > IKE > Global from the navigation tree to enter the IKE global configuration page, as shown in Figure 3.
