F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Command Reference-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

231

232

233

234

235

236

237

238

239

240

226

identity-key: Specifies the algorithm for publickey authentication. In non-FIPS mode, the algorithm is

either dsa or rsa and the default is dsa. In FIPS mode, the algorithm is rsa.

• dsa: Specifies the public key algorithm dsa.

• rsa: Specifies the public key algorithm rsa.

prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is

not used.

• zlib: Specifies the compression algorithm ZLIB.

• zlib-openssh: Specifies the compression algorithm ZLIB@openssh.com.

prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server, defaulted to aes128.

• 3des: Specifies the encryption algorithm 3des-cbc.

• aes128: Specifies the encryption algorithm aes128-cbc.

• aes256: Encryption algorithm aes256-cbc.

• des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.

• md5: Specifies the HMAC algorithm hmac-md5.

• md5-96: Specifies the HMAC algorithm hmac-md5-96.

• sha1: Specifies the HMAC algorithm hmac-sha1.

• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in

non-FIPS mode, and is dh-group14 in FIPS mode.

• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to

aes128.

prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96

Usage guidelines

When the server adopts publickey authentication to authenticate a client, the client must get the local

private key for digital signature. In non-FIPS mode, because the publickey authentication uses either RSA

or DSA algorithm, you must specify the public key algorithm of the client (by using the identity-key

keyword) to get the correct local private key.

In non-FIPS mode, the default algorithms are as follows:

• The public key algorithm is dsa.

• The preferred encryption algorithm from client to server is aes128.

• The preferred HMAC algorithm from client to server is sha1-96.

• The preferred key exchange algorithm is dh-group-exchange.

• The preferred encryption algorithm from server to client is aes128.

• The preferred HMAC algorithm from server to client is sha1-96.

In FIPS mode, the default algorithms are as follows:

• The public key algorithm is rsa.