Step
1.
Enter system view.
2.
Create an IKE proposal and
enter its view.
3.
Specify an encryption
algorithm for the IKE
proposal.
4.
Specify an authentication
method for the IKE proposal.
5.
Specify an authentication
algorithm for the IKE
proposal (Release 2307
and Release 2310).
6.
Specify an authentication
algorithm for the IKE
proposal (Release 231 1P04
and later versions).
7.
Specify a DH group for key
negotiation in phase 1.
8.
Set the IKE SA lifetime for
the IKE proposal.
Configuring an IKE keychain
Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:
1.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2.
You can specify the local address configured in IPsec policy or IPsec policy template view (using
the local-address command) for the IKE keychain to be applied. If no local address is configured,
specify the IP address of the interface that references the IPsec policy.
Command
system-view
ike proposal proposal-number
•
In non-FIPS mode:
encryption-algorithm { 3des-cbc |
aes-cbc-128 | aes-cbc-192 |
aes-cbc-256 | des-cbc }
•
In FIPS mode:
encryption-algorithm { aes-cbc-128
| aes-cbc-192 | aes-cbc-256 }
authentication-method { dsa-signature
| pre-share | rsa-signature }
•
In non-FIPS mode:
authentication-algorithm { md5 |
sha }
•
In FIPS mode:
authentication-algorithm sha
•
In non-FIPS mode:
authentication-algorithm { md5 |
sha | sha256 | sha384 | sha512 }
•
In FIPS mode:
authentication-algorithm { sha |
sha256 | sha384 | sha512 }
•
In non-FIPS mode:
dh { group1 | group14 | group2 |
group24 | group5 }
•
In FIPS mode:
dh group14
sa duration seconds
256
Remarks
N/A
By default, there is an IKE
proposal that is used as the
default IKE proposal.
By default:
•
In non-FIPS mode, an IKE
proposal uses the 56-bit DES
encryption algorithm in CBC
mode.
•
In FIPS mode, an IKE
proposal uses the 128-bit AES
encryption algorithm in CBC
mode.
By default, an IKE proposal uses
the pre-shared key authentication
method.
By default, an IKE proposal uses
the HMAC-SHA1 authentication
algorithm.
By default, an IKE proposal uses
the HMAC-SHA1 authentication
algorithm in non-FIPS mode and
uses the HMAC-SHA256
authentication algorithm in FIPS
mode.
By default:
•
In non-FIPS mode, DH group1
(the 768-bit DH group) is
used.
•
In FIPS mode, DH group14
(the 2048-bit DH group) is
used.
By default, the IKE SA lifetime is
86400 seconds.