Configuring An Ike Keychain - HPE FlexNetwork 10500 Series Security Configuration Manual


The peer searches its own IKE proposals for a match. The search starts from the IKE proposal
with the highest priority and proceeds in descending order of priority until a match is found. The
matching IKE proposals are used to establish the IKE SA. If none of the user-defined IKE proposals
match, the two peers use their default IKE proposals to establish the IKE SA.
Two IKE proposals match when they have the same encryption algorithm, authentication method,
authentication algorithm, and DH group. The SA lifetime takes the smaller of the two proposals'
SA lifetime settings.
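The matching rule above, together with the default proposal values the step table gives for non-FIPS and FIPS mode, as an added Python model that is not part of the manual. It generalizes the rule to whole proposal lists (index 0 is the highest priority), uses the manual's command keywords as field values, and the sample proposals and the set of parameters flagged as weak are my own assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class IkeProposal:
    encryption: str        # encryption-algorithm keyword, e.g. "aes-cbc-256"
    auth_method: str       # authentication-method keyword, e.g. "pre-share"
    auth_alg: str          # authentication-algorithm keyword, e.g. "sha256"
    dh: str                # dh keyword, e.g. "group14"
    lifetime: int = 86400  # sa duration in seconds; 86400 is the manual's default

# Default proposals taken from the Remarks column of the step table; used only
# when no user-defined proposal matches on either side.
DEFAULT_NON_FIPS = IkeProposal("des-cbc", "pre-share", "sha", "group1")
DEFAULT_FIPS = IkeProposal("aes-cbc-128", "pre-share", "sha256", "group14")

def matches(a: IkeProposal, b: IkeProposal) -> bool:
    """Match requires identical encryption algorithm, authentication method,
    authentication algorithm and DH group; the lifetime may differ."""
    return (a.encryption, a.auth_method, a.auth_alg, a.dh) == \
           (b.encryption, b.auth_method, b.auth_alg, b.dh)

def negotiate(local, remote, fips=False) -> IkeProposal:
    """Walk the local proposals from highest priority (index 0) downward and
    return the first one any remote proposal matches, with the SA lifetime set
    to the smaller of the two peers' settings; fall back to the mode's default."""
    for mine in local:
        for theirs in remote:
            if matches(mine, theirs):
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return DEFAULT_FIPS if fips else DEFAULT_NON_FIPS

# Parameters to flag in a negotiated SA (assumed policy); the non-FIPS defaults hit two.
WEAK = {"encryption": {"des-cbc", "3des-cbc"}, "auth_alg": {"md5"},
        "dh": {"group1", "group2"}}

def weak_parameters(p: IkeProposal) -> dict:
    """Return {field: value} for each parameter of p that falls in a WEAK set."""
    return {f: getattr(p, f) for f, bad in WEAK.items() if getattr(p, f) in bad}

if __name__ == "__main__":
    # Constructed sample: a hardened proposal at top priority, a legacy one below it.
    strong = IkeProposal("aes-cbc-256", "pre-share", "sha256", "group14", 3600)
    legacy = IkeProposal("3des-cbc", "pre-share", "sha", "group2")
    peer = [IkeProposal("aes-cbc-256", "pre-share", "sha256", "group14")]
    for sa in (negotiate([strong, legacy], peer), negotiate([legacy], peer)):
        print(sa, weak_parameters(sa))  # first: aes-cbc-256, lifetime 3600, {}; second: default, des-cbc and group1 flagged
```

Because the local list order decides, a legacy proposal placed above a hardened one is selected whenever the peer also offers it, so keep the strongest proposal at the highest priority.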
To configure an IKE proposal:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Create an IKE proposal and enter its view.
   Command: ike proposal proposal-number
   Remarks: By default, an IKE proposal exists.

Step 3. Configure a description for the IKE proposal.
   Command: description
   Remarks: By default, an IKE proposal does not have a description.

Step 4. Specify an encryption algorithm for the IKE proposal.
   Command (non-FIPS mode): encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
   Command (FIPS mode): encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
   Remarks: By default, in non-FIPS mode an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode; in FIPS mode an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.

Step 5. Specify an authentication method for the IKE proposal.
   Command: authentication-method { dsa-signature | pre-share | rsa-signature }
   Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

Step 6. Specify an authentication algorithm for the IKE proposal.
   Command (non-FIPS mode): authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
   Command (FIPS mode): authentication-algorithm { sha | sha256 | sha384 | sha512 }
   Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in non-FIPS mode and the HMAC-SHA256 authentication algorithm in FIPS mode.

Step 7. Specify a DH group for key negotiation in phase 1.
   Command (non-FIPS mode): dh { group1 | group14 | group2 | group24 | group5 }
   Command (FIPS mode): dh group14
   Remarks: By default, in non-FIPS mode DH group 1 (the 768-bit DH group) is used; in FIPS mode DH group 14 (the 2048-bit DH group) is used.

Step 8. Set the IKE SA lifetime for the IKE proposal.
   Command: sa duration seconds
   Remarks: By default, the IKE SA lifetime is 86400 seconds.

Configuring an IKE keychain

Perform this task when you configure IKE to use pre-shared key authentication.
Follow these guidelines when you configure an IKE keychain:
1. Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
