Configuring an IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.

Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:

The initiator sends its IKE proposals to the peer.
- If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
- If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA.

Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.

To configure an IKE proposal:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an IKE proposal and enter its view.	ike proposal proposal-number	By default, there is an IKE proposal that is used as the default IKE proposal.
3. Specify an encryption algorithm for the IKE proposal.	In non-FIPS mode:encryption-algorithm { 3des-cbc \| aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| des-cbc } In FIPS mode:encryption-algorithm { aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 }	By default: In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.
4. Specify an authentication method for the IKE proposal.	authentication-method { dsa-signature \| pre-share \| rsa-signature }	By default, an IKE proposal uses the pre-shared key authentication method.
5. Specify an authentication algorithm for the IKE proposal.	In Release 1111: In non-FIPS mode:authentication-algorithm { md5 \| sha } In FIPS mode:authentication-algorithm sha In Release 1121 and later: In non-FIPS mode:authentication-algorithm { md5 \| sha \| sha256 \| sha384 \| sha512 } In FIPS mode:authentication-algorithm { sha \| sha256 \| sha384 \| sha512 }	By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in Release 1111. By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in non-FIPS mode and the HMAC-SHA256 authentication algorithm in FIPS mode in Release 1121 and later.
6. Specify a DH group for key negotiation in phase 1.	In non-FIPS mode:dh { group1 \| group14 \| group2 \| group24 \| group5 } In FIPS mode: In Release 1111:dh group14 In Release 1121 and later:dh { group14 \| group24 }	By default: In non-FIPS mode, DH group1 (the 768-bit DH group) is used. In FIPS mode, DH group14 (the 2048-bit DH group) is used.
7. Set the IKE SA lifetime for the IKE proposal.	sa duration seconds	By default, the IKE SA lifetime is 86400 seconds.

prev	up	next
Configuring an IKE profile	home	Configuring an IKE keychain