Configuring an IKE proposal

About IKE proposal

An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.

Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:

Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.

Procedure

  1. Enter system view.

    system-view

  2. Create an IKE proposal and enter its view.

    ike proposal proposal-number

    By default, a default IKE proposal exists.

  3. Configure a description for the IKE proposal.

    description

    By default, an IKE proposal does not have a description.

  4. Specify an encryption algorithm for the IKE proposal.

    In non-FIPS mode:

    encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cb28 | aes-cbc-192 | aes-cbc-256 | des-cbc }

    By default, the 56-bit DES encryption algorithm in CBC mode is used .

    In FIPS mode:

    encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

    By default, the 128-bit AES encryption algorithm in CBC mode is used.

  5. Specify an authentication method for the IKE proposal.

    authentication-method { dsa-signature | pre-share | rsa-signature }

    By default, the pre-shared key authentication method is used.

  6. Specify an authentication algorithm for the IKE proposal.

    In non-FIPS mode:

    authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }

    By default, the HMAC-SHA1 authentication algorithm is used.

    In FIPS mode:

    authentication-algorithm { sha | sha256 | sha384 | sha512 }

    By default, the HMAC-SHA256 authentication algorithm is used.

  7. Specify a DH group for key negotiation in phase 1.

    In non-FIPS mode:

    dh { group1 | group14 | group2 | group24 | group5 }

    DH group 1 (the 768-bit DH group) is used by default.

    In FIPS mode:

    dh group14

    DH group 14 (the 2048-bit DH group) is used by default.

  8. (Optional.) Set the IKE SA lifetime for the IKE proposal.

    sa duration seconds

    By default, the IKE SA lifetime is 86400 seconds.