Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You may create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented by its sequence number, and the lower the sequence number, the higher the preference.
Two peers must have at least one matching IKE proposal for IKE negotiation to succeed. During IKE negotiation, the initiator sends its IKE proposals to the peer, and the peer searches its own IKE proposals for a match. The search starts from the proposal with the lowest sequence number and proceeds in ascending order of sequence number until a match is found or every IKE proposal has been checked without a match. The matching IKE proposals are used to establish the secure tunnel.
Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime is not part of the match; the smaller of the two sides' lifetime settings is used.
By default, there is an IKE proposal, which has the lowest preference and uses the default encryption algorithm, authentication method, authentication algorithm, DH group, and ISAKMP SA lifetime.
To configure an IKE proposal:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE proposal and enter its view. | ike proposal proposal-number | N/A |
3. Specify an encryption algorithm for the IKE proposal. | encryption-algorithm aes-cbc [ key-length ] | Optional. AES-CBC-128 by default. |
4. Specify an authentication method for the IKE proposal. | authentication-method { pre-share \| rsa-signature } | Optional. Pre-shared key by default. |
5. Specify an authentication algorithm for the IKE proposal. | authentication-algorithm { sha \| sha256 } | Optional. HMAC-SHA256 by default. |
6. Specify a DH group for key negotiation in phase 1. | dh group14 | Optional. group14 (the 2048-bit DH group) by default. |
7. Set the ISAKMP SA lifetime for the IKE proposal. | sa duration seconds | Optional. 86400 seconds by default. |

NOTE: Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. The DH calculation in IKE negotiation takes time, especially on low-end devices. To keep SA rekeying from disrupting normal communication, set the lifetime to more than 10 minutes.
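The following Python model is an added example and is not part of the product documentation or the device software. It illustrates both the matching rules described at the top of this section (preference by sequence number, the responder's search order, the four compared attributes, and the lifetime taking the smaller value) and the command sequence in the table, which it renders from a proposal object. The class and function names (IkeProposal, negotiate, lifetime_is_safe, to_cli), the sequence number assumed for the built-in default proposal (DEFAULT_SEQ), and the two peers' proposal lists are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed sequence number for the built-in default proposal: it only needs to
# sort behind every user-defined proposal (lowest preference). The real value
# is platform specific; this constant is this example's own.
DEFAULT_SEQ = 65535

# The NOTE above recommends an ISAKMP SA lifetime greater than 10 minutes.
MIN_SAFE_LIFETIME = 600


@dataclass(frozen=True)
class IkeProposal:
    """One IKE proposal. A lower seq means a higher preference."""
    seq: int
    encryption: str = "aes-cbc"       # AES-CBC-128 by default
    key_length: int = 128
    auth_method: str = "pre-share"    # or "rsa-signature"
    auth_algorithm: str = "sha256"    # HMAC-SHA256 by default; "sha" is HMAC-SHA1
    dh_group: str = "group14"         # the 2048-bit DH group
    sa_duration: int = 86400          # ISAKMP SA lifetime in seconds

    def matches(self, other: "IkeProposal") -> bool:
        # Encryption algorithm (including key length), authentication method,
        # authentication algorithm and DH group must agree. The lifetime is
        # deliberately NOT compared; it is negotiated down afterwards.
        return (
            self.encryption == other.encryption
            and self.key_length == other.key_length
            and self.auth_method == other.auth_method
            and self.auth_algorithm == other.auth_algorithm
            and self.dh_group == other.dh_group
        )


DEFAULT_PROPOSAL = IkeProposal(seq=DEFAULT_SEQ)


def negotiate(initiator: List[IkeProposal],
              responder: List[IkeProposal]) -> Optional[Tuple[IkeProposal, IkeProposal, int]]:
    """The responder walks its own proposals in ascending sequence order and
    stops at the first one that any offered proposal matches.
    Returns (responder_proposal, initiator_proposal, negotiated_lifetime),
    or None when every proposal has been checked without a match."""
    for mine in sorted(responder, key=lambda p: p.seq):
        for theirs in initiator:
            if mine.matches(theirs):
                return mine, theirs, min(mine.sa_duration, theirs.sa_duration)
    return None


def lifetime_is_safe(p: IkeProposal) -> bool:
    """Configuration check from the NOTE: rekeying costs a DH computation,
    so the lifetime should stay above 10 minutes."""
    return p.sa_duration > MIN_SAFE_LIFETIME


def to_cli(p: IkeProposal) -> List[str]:
    """Render the proposal as the command sequence from the table above."""
    return [
        "system-view",
        f"ike proposal {p.seq}",
        f"encryption-algorithm {p.encryption} {p.key_length}",
        f"authentication-method {p.auth_method}",
        f"authentication-algorithm {p.auth_algorithm}",
        f"dh {p.dh_group}",
        f"sa duration {p.sa_duration}",
    ]


# Constructed sample: two peers with different preference orders, each also
# carrying the built-in default proposal at the lowest preference.
PEER_A = [  # initiator: prefers AES-256 with RSA signatures
    IkeProposal(seq=10, key_length=256, auth_method="rsa-signature", sa_duration=3600),
    IkeProposal(seq=20, auth_algorithm="sha", sa_duration=43200),
    DEFAULT_PROPOSAL,
]
PEER_B = [  # responder: its highest-preference proposal uses HMAC-SHA1
    IkeProposal(seq=5, auth_algorithm="sha"),
    IkeProposal(seq=15, key_length=256, auth_method="rsa-signature", sa_duration=7200),
    DEFAULT_PROPOSAL,
]

if __name__ == "__main__":
    mine, theirs, lifetime = negotiate(PEER_A, PEER_B)
    print(f"responder seq {mine.seq} <-> initiator seq {theirs.seq}, lifetime {lifetime}s")
    print("\n".join(to_cli(mine)))
```

In the sample, peer A would prefer its seq 10 proposal, but the responder's search order decides: peer B's seq 5 proposal is checked first and matches A's seq 20, so the tunnel uses HMAC-SHA1 with a 43200-second lifetime (the smaller of 86400 and 43200). When auditing a deployment, put the strongest proposal at the lowest sequence number on both peers, and remember that a lifetime mismatch never blocks negotiation, whereas a differing AES key length does.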