Brocade Communications Systems NetIron MLXe Series Hardware Installation Manual page 49

Brocade NetIron MLXe Series Hardware Installation Guide
53-1004203-04

Description: aes-cbc-256
NOTE: For the first release, only aes-cbc-128 and aes-cbc-256 will be supported. Support for other encryption for IKEv2 will be considered for inclusion in the next major release.

IKEv2 Option: integrity {sha1} {sha256} {sha384} {sha512}
Description: Integrity algorithm to be used to protect IKEv2 data. Multiple algorithms may be specified. The following are supported:
sha1 — specifies SHA-1 (HMAC variant) as the hash algorithm.
sha256 — specifies SHA-2 family 256-bit (HMAC variant) as the hash algorithm.
sha384 — specifies SHA-2 family 384-bit (HMAC variant) as the hash algorithm.
sha512 — specifies SHA-2 family 512-bit (HMAC variant) as the hash algorithm.
NOTE: For the first release, only sha256 and sha384 will be supported. Support for other crypto for IKEv2 will be considered for inclusion in the next major release.

Configuring the IKEv2 Policy

After you create the IKEv2 proposal, attach it to a policy so that the proposal can be picked for negotiation.

The IKE policy states which security parameters will be used to protect IKE negotiations. An IKEv2 policy must contain at least one proposal to be considered complete. It can have local-address and VRF statements, which are used as selection criteria to select a policy for negotiation. During the initial exchange, the local address and the VRF of the negotiating SA are matched with the policy and the proposal is selected.

There will be a default IKEv2 policy named ikev2-default-policy, and it will have the following parameters:
Proposal: ikev2-default-proposal
local_address: not set, match all local addresses
VRF: not set so will match any-vrf

If no suitable IKE policy is found, the IKE session will be established using the ikev2-default-policy.

For a given local IP address, only one policy can be chosen. Configuration of overlapping policies is considered a misconfiguration. If multiple policies could match, the first policy is selected.

IKEv2 Option: ikev2 policy <name>
Description: Configures IKE policy parameters and enters ikev2 policy configuration mode.

IKEv2 Option: Proposal <name>
Description: Specify at least one proposal; optionally, you can specify additional proposals. This is only for IKE SA.

IKEv2 Option: match address-local <ipaddress> <mask>
Description: (Optional) Matches the policy based on the local IPv4 address. If not configured, it will match all the local IPv4 addresses.

IKEv2 Option: match fvrf { vrf-name <name> | any }
Description: (Optional) The FVRF in which the local IP address on the IKEv2 packet should be matched. If not configured, it will match the any-vrf.
Router modules