Configuring An Ike Keychain - H3C S5830V2 Security Configuration Manual
Hide thumbs
Also See for S5830V2:
- Configuration manual (318 pages) ,
- Command reference manual (301 pages) ,
- Installation manual (63 pages)
Table of Contents
Advertisement
Step
1.
Enter system view.
2.
Create an IKE proposal and
enter its view.
3.
Specify an encryption
algorithm for the IKE
proposal.
4.
Specify an authentication
method for the IKE proposal.
5.
Specify an authentication
algorithm for the IKE
proposal.
6.
Specify a DH group for key
negotiation in phase 1.
7.
Set the IKE SA lifetime for
the IKE proposal.
Configuring an IKE keychain
Perform this task when you configure the IKE to use the pre-shared key for authentication.
Follow these guidelines when you configure an IKE keychain:
1.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
2.
You can specify the local address configured in IPsec policy or IPsec policy template view (using
the local-address command) for the IKE keychain to be applied. If no local address is configured,
specify the IP address of the interface referencing the IPsec policy.
3.
You can specify a priority number for the IKE keychain. To determine the priority of an IKE
keychain:
a.
The device examines the existence of the match local address command. An IKE keychain with
the match local address command configured has a higher priority.
b.
If a tie exists, the device compares the priority numbers. An IKE keychain with a smaller priority
number has a higher priority.
c.
If a tie still exists, the device prefers an IKE keychain configured earlier.
To configure the IKE keychain:
Command
system-view
ike proposal proposal-number
encryption-algorithm { 3des-cbc |
aes-cbc-128 | aes-cbc-192 |
aes-cbc-256 | des-cbc }
authentication-method { dsa-signature
| pre-share | rsa-signature }
•
In non-FIPS mode:
authentication-algorithm { md5 |
sha }
•
In FIPS mode:
authentication-algorithm sha
•
In non-FIPS mode:
dh { group1 | group14 | group2 |
group24 | group5 }
•
In FIPS mode:
dh group14
sa duration seconds
270
Remarks
N/A
By default, there is an IKE
proposal that is used as the
default IKE proposal.
By default, an IKE proposal uses
the 56-bit DES encryption
algorithm in CBC mode in
non-FIPS mode and 128-bit AES
encryption algorithm in FIPS
mode.
By default, an IKE proposal uses
the pre-shared key authentication
method.
By default, an IKE proposal uses
the HMAC-SHA1 authentication
algorithm.
By default, DH group1 (the
768-bit DH group) is used in
non-FIPS mode, and DH group
14 (2048-bit DH group) is used
in FIPS mode.
By default, the IKE SA lifetime is
86400 seconds.
Advertisement
Table of Contents
Troubleshooting
