F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

| Step | Command | Remarks |
|---|---|---|
| 2. Create an IKE proposal and enter its view. | `ike proposal proposal-number` | N/A |
| 3. Specify an encryption algorithm for the IKE proposal. | `encryption-algorithm { 3des-cbc \| aes-cbc [ key-length ] \| des-cbc }` | Optional. In non-FIPS mode, the default is 56-bit DES. In FIPS mode, 3DES-CBC and DES-CBC are not supported, and AES-CBC-128 is the default encryption algorithm. |
| 4. Specify an authentication method for the IKE proposal. | `authentication-method { pre-share \| rsa-signature }` | Optional. Pre-shared key by default. |
| 5. Specify an authentication algorithm for the IKE proposal. | `authentication-algorithm { md5 \| sha }` | Optional. SHA1 by default. In FIPS mode, MD5 is not supported. |
| 6. Specify a DH group for key negotiation in phase 1. | `dh { group1 \| group2 \| group5 \| group14 }` | Optional. In non-FIPS mode, the default group is group1, the 768-bit DH group. In FIPS mode, the group1 keyword is not available, and the default group is group2. |
| 7. Set the ISAKMP SA lifetime for the IKE proposal. | `sa duration seconds` | Optional. 86400 seconds by default. Before an ISAKMP SA expires, IKE negotiates a new SA to replace it. DH calculation in IKE negotiation takes time, especially on low-end devices. To prevent SA updates from influencing normal communication, set the lifetime greater than 10 minutes. |

NOTE:
In FIPS mode, when IPsec SAs are expired by traffic limit, IPsec will notify IKE SA to re-negotiate the corresponding ISAKMP SAs.
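The defaults listed in the Remarks column above are the ones an auditor should look for: a proposal that never sets `encryption-algorithm` or `dh` silently runs 56-bit DES and 768-bit group1. The following script is an added example, not part of the HP guide, that parses `ike proposal` blocks from a saved configuration, fills in the guide's non-FIPS defaults for anything left unset, and flags the weak values. The sample configuration text and the proposal numbers 10 and 20 are constructed; flagging 3DES and group2 goes beyond what the guide says and reflects current deprecation guidance.

```python
"""Audit Comware 'ike proposal' blocks for weak IKE phase-1 settings.

Added example; the sample configuration below is constructed, not taken
from the HP guide or from a real device.
"""
import re

# Non-FIPS defaults from the guide's Remarks column.
DEFAULTS = {
    "encryption-algorithm": "des-cbc",      # 56-bit DES
    "authentication-method": "pre-share",
    "authentication-algorithm": "sha",      # SHA1
    "dh": "group1",                          # 768-bit DH group
    "sa duration": "86400",                  # seconds
}

# Constructed sample: proposal 10 leaves encryption and DH at their defaults
# and sets MD5 and a 5-minute lifetime; proposal 20 is the hardened form.
SAMPLE_CONFIG = """\
ike proposal 10
 authentication-algorithm md5
 sa duration 300
#
ike proposal 20
 encryption-algorithm aes-cbc 128
 authentication-method rsa-signature
 authentication-algorithm sha
 dh group14
 sa duration 86400
#
"""

def parse_proposals(text):
    """Return {proposal_number: {keyword: value}} with defaults filled in."""
    proposals, current = {}, None
    for raw in text.splitlines():
        match = re.match(r"^ike proposal (\d+)", raw)
        if match:                      # new block: start from the defaults
            current = dict(DEFAULTS)
            proposals[int(match.group(1))] = current
            continue
        if current is None or raw.startswith("#"):
            continue                   # '#' ends a block in Comware output
        line = raw.strip()
        for key in DEFAULTS:           # explicit setting overrides default
            if line.startswith(key + " "):
                current[key] = line[len(key) + 1:].strip()
    return proposals

def audit(proposal):
    """Return a list of findings for one parsed proposal (empty if clean)."""
    findings = []
    if proposal["encryption-algorithm"].startswith(("des-cbc", "3des-cbc")):
        findings.append("weak encryption: " + proposal["encryption-algorithm"])
    if proposal["authentication-algorithm"] == "md5":
        findings.append("weak hash: md5 (not allowed in FIPS mode)")
    if proposal["dh"] in ("group1", "group2"):
        findings.append("small DH group: " + proposal["dh"])
    if int(proposal["sa duration"]) < 600:   # guide: keep above 10 minutes
        findings.append("sa duration below 10 minutes")
    return findings

def audit_config(text):
    """Map every proposal number in the config to its findings."""
    return {num: audit(p) for num, p in parse_proposals(text).items()}
```

Running `audit_config(SAMPLE_CONFIG)` reports four findings for proposal 10 and none for proposal 20.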
Configuring an IKE peer
For an IPsec policy that uses IKE, you must configure an IKE peer by performing the following tasks:
• Specify the IKE negotiation mode for the local end to use in IKE negotiation phase 1. If the IP address of the remote end is obtained dynamically and pre-shared key authentication is used, HP recommends setting the IKE negotiation mode of the local end to aggressive. When acting as the IKE negotiation responder, the local end uses the IKE negotiation mode of the remote end.
• Specify the IKE proposals for the local end to use when acting as the IKE negotiation initiator. When acting as the responder, the local end uses the IKE proposals configured in system view for negotiation by default.