HPE FlexFabric 7900 Series Security Configuration Manual page 138


Two peers must have at least one matching IKE proposal for IKE negotiation to succeed. During IKE negotiation:
1. The initiator sends its IKE proposals to the peer.
   - If the initiator uses an IPsec policy with an IKE profile, it sends all IKE proposals referenced by the IKE profile. An IKE proposal specified earlier in the IKE profile has a higher priority.
   - If the initiator uses an IPsec policy with no IKE profile, it sends all its IKE proposals. An IKE proposal with a smaller number has a higher priority.
2. The peer searches its own IKE proposals for a match, starting from the IKE proposal with the highest priority and proceeding in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If no user-defined IKE proposal matches, the two peers use their default IKE proposals to establish the IKE SA.
Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime is not part of the match: the smaller of the two proposals' SA lifetime settings is used.
Note that the fallback to the default IKE proposal is silent. In non-FIPS mode the default proposal uses 56-bit DES in CBC mode and DH group1 (the 768-bit group), so a mismatch between two sets of user-defined proposals does not fail the negotiation; it downgrades it to those defaults. Configure matching user-defined proposals on both peers, put the strongest proposal at the highest priority on each side, and verify the negotiated parameters after the IKE SA is established.
To configure an IKE proposal:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Create an IKE proposal and enter its view.
    Command: ike proposal proposal-number
    Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.

Step 3: Specify an encryption algorithm for the IKE proposal.
    Command (non-FIPS mode): encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
    Command (FIPS mode): encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
    Remarks: By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode in non-FIPS mode, and the 128-bit AES encryption algorithm in CBC mode in FIPS mode.

Step 4: Specify an authentication method for the IKE proposal.
    Command: authentication-method { dsa-signature | pre-share | rsa-signature }
    Remarks: By default, an IKE proposal uses the pre-shared key authentication method. The dsa-signature and rsa-signature keywords are available in Release 2137 and later versions.

Step 5: Specify an authentication algorithm for the IKE proposal.
    Command (non-FIPS mode): authentication-algorithm { md5 | sha }
    Command (FIPS mode): authentication-algorithm sha
    Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

Step 6: Specify a DH group for key negotiation in phase 1.
    Command (non-FIPS mode): dh { group1 | group14 | group2 | group24 | group5 }
    Command (FIPS mode): dh group14
    Remarks: By default, DH group1 (the 768-bit DH group) is used in non-FIPS mode, and DH group14 (the 2048-bit DH group) is used in FIPS mode.

Step 7: Set the IKE SA lifetime for the IKE proposal.
    Command: sa duration seconds
    Remarks: By default, the IKE SA lifetime is 86400 seconds.
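The following Python model is an added example, not code from the HPE manual or from the device. It covers both the matching rules described above (match on encryption algorithm, authentication method, authentication algorithm and DH group; lifetime reconciled to the smaller value; silent fallback to the default proposal) and the seven-step procedure in the table, by rendering each modelled proposal as the commands the table lists. Keyword spellings are taken from the command table. The proposal numbers, lifetimes and the two sample peers are constructed; the default proposal's number is not given on the page, so it is modelled as None; and the exact responder-side search order (responder's priority list driving the search, first initiator entry winning a tie) is this model's reading of the text, not a statement from the manual.

```python
"""IKE proposal selection as described on this page, and the CLI that defines a proposal.

Added example, not code from the HPE manual. It encodes the page's rules: two proposals
match on encryption algorithm, authentication method, authentication algorithm and DH
group; the IKE SA lifetime is the smaller of the two settings; when no user-defined pair
matches, both peers fall back to their default proposal. Keywords follow the command
table; proposal numbers, lifetimes and the sample peers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    number: Optional[int]   # None for the built-in default (the page does not give its number)
    encryption: str         # 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc
    auth_method: str        # pre-share | rsa-signature | dsa-signature
    auth_algorithm: str     # md5 | sha (FIPS mode: sha only)
    dh: str                 # group1 | group2 | group5 | group14 | group24 (FIPS mode: group14 only)
    lifetime: int = 86400   # sa duration, seconds (page default)

    def matches(self, other: "IkeProposal") -> bool:
        """Lifetime is deliberately excluded: it is reconciled after the match, not compared."""
        return (self.encryption, self.auth_method, self.auth_algorithm, self.dh) == (
            other.encryption, other.auth_method, other.auth_algorithm, other.dh)

    def to_cli(self) -> List[str]:
        """The seven steps of the configuration table, as typed on the device."""
        return [
            "system-view",
            f"ike proposal {self.number}",
            f" encryption-algorithm {self.encryption}",
            f" authentication-method {self.auth_method}",
            f" authentication-algorithm {self.auth_algorithm}",
            f" dh {self.dh}",
            f" sa duration {self.lifetime}",
        ]


# Default proposals from the Remarks column. Non-FIPS: 56-bit DES-CBC, pre-shared key,
# HMAC-SHA1, DH group1 (768-bit). FIPS: 128-bit AES-CBC, pre-shared key, HMAC-SHA1, group14.
DEFAULT_NON_FIPS = IkeProposal(None, "des-cbc", "pre-share", "sha", "group1")
DEFAULT_FIPS = IkeProposal(None, "aes-cbc-128", "pre-share", "sha", "group14")


def by_number(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """Priority order for a policy without an IKE profile: smaller number first.
    With an IKE profile, pass the proposals in the order the profile references them."""
    return sorted(proposals, key=lambda p: p.number)


def negotiate(initiator: List[IkeProposal], responder: List[IkeProposal],
              default: IkeProposal = DEFAULT_NON_FIPS) -> Tuple[IkeProposal, IkeProposal, int]:
    """Return (initiator's proposal, responder's proposal, negotiated lifetime).

    Both lists must already be in priority order, highest first. Following the page, the
    responder walks its own list from the highest priority downward and stops at the first
    of its proposals that any received proposal matches. Which initiator entry wins when
    several match the same responder proposal is an assumption of this model.
    """
    for theirs in responder:
        for mine in initiator:
            if theirs.matches(mine):
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    # No user-defined match: both peers silently use their default proposal.
    return default, default, default.lifetime


def fips_acceptable(p: IkeProposal) -> bool:
    """True if the proposal uses only the options the table permits in FIPS mode.
    Anything else (DES, 3DES, MD5, group1/2/5/24) is a non-FIPS-only choice."""
    return (p.encryption in ("aes-cbc-128", "aes-cbc-192", "aes-cbc-256")
            and p.auth_algorithm == "sha" and p.dh == "group14")


if __name__ == "__main__":
    # Constructed sample: site A numbers AES-256/group14 first, site B numbers 3DES/group2 first.
    site_a = by_number([
        IkeProposal(20, "3des-cbc", "pre-share", "sha", "group2"),
        IkeProposal(10, "aes-cbc-256", "pre-share", "sha", "group14", 28800),
    ])
    site_b = by_number([
        IkeProposal(5, "3des-cbc", "pre-share", "sha", "group2"),
        IkeProposal(15, "aes-cbc-256", "pre-share", "sha", "group14"),
    ])
    mine, theirs, life = negotiate(site_a, site_b)
    print(f"A -> B: A#{mine.number} with B#{theirs.number}: {theirs.encryption}/{theirs.dh}, "
          f"lifetime {life}s, FIPS-acceptable={fips_acceptable(theirs)}")
    # Site B as if an IKE profile referenced its AES proposal first: the strong pair wins.
    mine, theirs, life = negotiate(site_a, [site_b[1], site_b[0]])
    print(f"A -> B (profile order): A#{mine.number} with B#{theirs.number}: "
          f"{theirs.encryption}/{theirs.dh}, lifetime {life}s")
    # Nothing in common: the IKE SA still comes up, on the DES-CBC/group1 default.
    mine, theirs, life = negotiate(site_a, [IkeProposal(1, "aes-cbc-128", "pre-share", "sha", "group14")])
    print(f"No match -> default {theirs.encryption}/{theirs.dh}, FIPS-acceptable={fips_acceptable(theirs)}")
    print("\n".join(site_a[0].to_cli()))
```

The first two runs show that the responder's ordering, not the initiator's, decides which of two mutually acceptable proposals is used, which is why both peers should place the strongest proposal at the smallest number (or first in the IKE profile). The third run is the case the caveat above warns about: no user-defined match, yet the negotiation succeeds on the non-FIPS default.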
