Digi IX40 User Manual page 377

Virtual Private Networks (VPN)
- sha256
- sha384
- sha512
The default is sha1.
v. Set the type of Diffie-Hellman group to use for key exchange during phase 2:
   i. Use the ? to determine available Diffie-Hellman group types:
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group ?
      curve25519
      curve448
      ecp192
      ecp224
      ...
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>
   ii. Set the Diffie-Hellman group type:
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group value
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>
      The default is modp2048.
vi. (Optional) Add additional phase 2 proposals:
   i. Move back one level in the schema:
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ..
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal)>
   ii. Add an additional proposal:
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end
      (config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)>
      Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman
      group for the additional proposal.
   iii. Repeat to add more phase 2 proposals.
16. (Optional) Configure dead peer detection:
Dead peer detection is enabled by default. Dead peer detection uses periodic IKE
transmissions to the remote endpoint to detect whether tunnel communications have failed,
allowing the tunnel to be automatically restarted when failure occurs.
a. Change to the root of the configuration schema:
   (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ...
   (config)>
b. To disable dead peer detection:
   (config)> vpn ipsec tunnel ipsec_example dpd enable false
   (config)>
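Added example, not part of the Digi manual: a Python check that reads a CLI transcript in the prompt format shown on this page and reports phase 2 proposals left on the sha1 default or set to ecp192, and tunnels with dead peer detection disabled. Every proposal is checked because any one of them can be the one negotiated. The `hash` key name, the weak-value policy and the sample transcript are assumptions made for the example.

```python
import re

# Constructed transcript in the prompt format this page shows. The `hash`
# key name is an assumption; dh_group and dpd enable appear on the page.
SAMPLE = """\
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group ecp192
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ..
(config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)> hash sha256
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)> dh_group curve25519
(config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)> ...
(config)> vpn ipsec tunnel ipsec_example dpd enable false
"""

PROMPT = re.compile(r"^\(config(?: ([^)]*))?\)>\s*(.*)$")
DEFAULTS = {"hash": "sha1", "dh_group": "modp2048"}  # defaults stated on the page
WEAK = {"hash": {"sha1"}, "dh_group": {"ecp192"}}    # example policy (assumption)

def audit(transcript):
    """Return sorted findings for weak phase 2 proposals and disabled DPD."""
    proposals, findings = {}, set()
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        # Full path = words in the prompt context + words typed after it.
        path = (m.group(1) or "").split() + m.group(2).split()
        if "tunnel" not in path[:-1]:
            continue
        tunnel = path[path.index("tunnel") + 1]
        if path[-3:] == ["dpd", "enable", "false"]:
            findings.add(f"{tunnel}: dead peer detection disabled")
        if "phase2_proposal" not in path[:-1]:
            continue
        rest = path[path.index("phase2_proposal") + 1:]
        if not rest[0].isdigit():
            continue  # e.g. "add end" typed at the list level
        # Any prompt inside proposal N proves it exists, with defaults until set.
        prop = proposals.setdefault((tunnel, int(rest[0])), dict(DEFAULTS))
        if len(rest) == 3 and rest[1] in DEFAULTS and rest[2] != "?":
            prop[rest[1]] = rest[2]
    for (tunnel, idx), prop in proposals.items():
        for key, value in prop.items():
            if value in WEAK[key]:
                findings.add(f"{tunnel}: phase2_proposal {idx} {key}={value}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Replace the WEAK sets with the values your own baseline rejects before using the check on real transcripts.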