R2511-HP MSR Router Series Security Command Reference(V5)

Examples
# Configure the PKI domain as abcde for IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] certificate domain abcde
Related commands
authentication-method
pki domain
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
In FIPS mode, IKE phase 1 key negotiation uses group2, the 1024-bit Diffie-Hellman group.
In non-FIPS mode, IKE phase 1 key negotiation uses group1, the 768-bit Diffie-Hellman group.
Views
IKE proposal view
Default command level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1. This keyword is not available for FIPS mode.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.
group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.
Examples
# Specify 768-bit Diffie-Hellman for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] dh group1
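The following audit sketch is an added example, not part of the HP command reference. It reports the effective phase 1 DH group of every IKE proposal in a saved configuration, including proposals that contain no dh line and therefore fall back to the default stated above. The function name audit_ike_proposals, the 2048-bit policy threshold, the constructed sample text, and the assumed layout (views separated by "#", commands indented by one space) are assumptions.

```python
import re

# Bit sizes per keyword, as listed under Parameters for the dh command.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}

# Constructed sample in the assumed saved-configuration layout.
SAMPLE_CONFIG = """\
#
ike proposal 10
 dh group1
#
ike proposal 20
 authentication-method rsa-signature
#
ike proposal 30
 dh group14
#
ike peer peer1
 certificate domain abcde
#
"""

def audit_ike_proposals(config_text, fips_mode=False, min_bits=2048):
    """Return {proposal: (group, bits, meets_policy)} for each IKE proposal.

    min_bits is a local policy value (assumption), not a device setting.
    """
    # Default from the reference: group2 in FIPS mode, group1 otherwise.
    default_group = "group2" if fips_mode else "group1"
    effective = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        start = re.fullmatch(r"ike proposal (\d+)", line)
        if start:
            current = int(start.group(1))
            effective[current] = default_group  # holds until a dh line overrides it
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # "#" or another top-level view ends this one
            current = None
            continue
        dh = re.fullmatch(r"dh (group\d+)", line.strip())
        if dh and dh.group(1) in DH_BITS:
            effective[current] = dh.group(1)
    return {n: (g, DH_BITS[g], DH_BITS[g] >= min_bits)
            for n, g in effective.items()}
```

Proposal 20 in the sample has no dh line, so it is reported with the mode-dependent default rather than being skipped.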
Related commands
ike proposal
display ike proposal