Configuring an IKE proposal
About IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:
The initiator sends its IKE proposals to the peer.
If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified in the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
The peer searches its own IKE proposals for a match, starting from the IKE proposal with the highest priority and proceeding in descending order of priority until a match is found. The first matching pair of IKE proposals is used to establish the IKE SA. If no user-defined IKE proposal matches, the two peers use their default IKE proposals to establish the IKE SA.
Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime is not a matching criterion: the negotiated IKE SA lifetime is the smaller of the two proposals' SA lifetime settings.
Procedure
Enter system view.
system-view
Create an IKE proposal and enter its view.
ike proposal proposal-number
By default, a default IKE proposal exists.
Configure a description for the IKE proposal.
description text
By default, an IKE proposal does not have a description.
Specify an encryption algorithm for the IKE proposal.
In non-FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
By default, the 56-bit DES encryption algorithm in CBC mode is used. Single DES is no longer considered secure; specify one of the AES options for any new configuration.
In FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
By default, the 128-bit AES encryption algorithm in CBC mode is used.
Specify an authentication method for the IKE proposal.
authentication-method { dsa-signature | pre-share | rsa-signature }
By default, the pre-shared key authentication method is used.
Specify an authentication algorithm for the IKE proposal.
In non-FIPS mode:
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
By default, the HMAC-SHA1 authentication algorithm is used.
In FIPS mode:
authentication-algorithm { sha | sha256 | sha384 | sha512 }
By default, the HMAC-SHA256 authentication algorithm is used.
Specify a DH group for key negotiation in phase 1.
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 }
DH group 1 (the 768-bit DH group) is used by default. A 768-bit group is too weak for current use; DH group 14 (2048-bit) is the recommended minimum.
In FIPS mode:
dh group14
DH group 14 (the 2048-bit DH group) is used by default.
(Optional.) Set the IKE SA lifetime for the IKE proposal.
sa duration seconds
By default, the IKE SA lifetime is 86400 seconds.
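The following is an added example, not vendor code from this guide. It models the phase-1 proposal selection described in "About IKE proposal" (initiator ordering, responder search in its own priority order, lifetime taken as the smaller value, fallback to the default proposals) and renders a proposal back into the commands of the procedure above. The IkeProposal class, the negotiate and initiator_offer functions, the explicit modelling of the default proposal with sequence number 0, and the sample proposals are all assumptions made for illustration; the attribute values and the command syntax are taken from the page.

```python
"""Model of IKE phase-1 proposal selection (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class IkeProposal:
    number: int            # sequence number: lower number = higher priority
    encryption: str        # aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc
    auth_method: str       # pre-share | rsa-signature | dsa-signature
    auth_alg: str          # md5 | sha | sha256 | sha384 | sha512
    dh: str                # group1 | group2 | group5 | group14 | group24
    lifetime: int = 86400  # seconds; page default
    description: str = ""

    def key(self):
        """The four attributes that must be equal for two proposals to match."""
        return (self.encryption, self.auth_method, self.auth_alg, self.dh)

    def to_cli(self) -> List[str]:
        """Render this proposal as the commands from the procedure above."""
        lines = [f"ike proposal {self.number}"]
        if self.description:
            lines.append(f" description {self.description}")
        lines += [
            f" encryption-algorithm {self.encryption}",
            f" authentication-method {self.auth_method}",
            f" authentication-algorithm {self.auth_alg}",
            f" dh {self.dh}",
            f" sa duration {self.lifetime}",
        ]
        return lines


# Default proposals built from the page's per-mode defaults. Giving them
# sequence number 0 is a modelling assumption, not something the page states.
NON_FIPS_DEFAULT = IkeProposal(0, "des-cbc", "pre-share", "sha", "group1")
FIPS_DEFAULT = IkeProposal(0, "aes-cbc-128", "pre-share", "sha256", "group14")


def initiator_offer(proposals: Sequence[IkeProposal],
                    from_ike_profile: bool = False) -> List[IkeProposal]:
    """Order the proposals the initiator sends.

    With an IKE profile the order in which proposals were specified is the
    priority; without one, the smaller sequence number wins.
    """
    if from_ike_profile:
        return list(proposals)
    return sorted(proposals, key=lambda p: p.number)


@dataclass(frozen=True)
class IkeSa:
    initiator: IkeProposal
    responder: IkeProposal
    lifetime: int  # smaller of the two proposals' lifetimes


def negotiate(offer: Sequence[IkeProposal],
              responder_proposals: Sequence[IkeProposal],
              initiator_default: IkeProposal = NON_FIPS_DEFAULT,
              responder_default: IkeProposal = NON_FIPS_DEFAULT) -> Optional[IkeSa]:
    """Responder-side selection: walk its own proposals by priority and take
    the first one that any offered proposal matches; otherwise fall back to
    the default proposals, which must themselves match."""
    for own in sorted(responder_proposals, key=lambda p: p.number):
        for offered in offer:
            if own.key() == offered.key():
                return IkeSa(offered, own, min(offered.lifetime, own.lifetime))
    if initiator_default.key() == responder_default.key():
        return IkeSa(initiator_default, responder_default,
                     min(initiator_default.lifetime, responder_default.lifetime))
    return None


if __name__ == "__main__":
    # Constructed sample: both peers define a strong and a weaker proposal,
    # but the responder ranks the weaker one higher.
    initiator = initiator_offer([
        IkeProposal(20, "aes-cbc-128", "pre-share", "sha", "group2"),
        IkeProposal(10, "aes-cbc-256", "pre-share", "sha256", "group14", 28800, "hardened"),
    ])
    responder = [
        IkeProposal(10, "aes-cbc-256", "pre-share", "sha256", "group14"),
        IkeProposal(5, "aes-cbc-128", "pre-share", "sha", "group2", 3600),
    ]
    sa = negotiate(initiator, responder)
    print("negotiated:", sa.responder.key(), "lifetime", sa.lifetime)
    print("\n".join(initiator[0].to_cli()))
```

The sample run shows two things worth checking on real peers: the responder's priority order, not the initiator's, decides which proposal is used, so a strong proposal on one side is silently demoted to a weaker match if the other side ranks that match higher; and when nothing matches, the non-FIPS default proposal (DES, SHA1, DH group 1) still yields an IKE SA rather than a failure. Put the strongest proposal at the lowest sequence number on both peers and confirm the negotiated algorithms rather than assuming them.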