R2511-HP MSR Router Series Security Configuration Guide(V5)

Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation should take place. You can
create multiple IKE proposals with different preferences. The preference of an IKE proposal is represented
by its sequence number. The lower the sequence number, the higher the preference.
Two peers must have at least one matching IKE proposal for IKE negotiation to succeed. During IKE
negotiation, the initiator sends its IKE proposals to the peer, and the peer searches its own IKE proposals
for a match. The search starts from the IKE proposal with the lowest sequence number and proceeds in
ascending order of sequence number until a match is found or all IKE proposals have been checked
without a match. The matching IKE proposals are used to establish the secure tunnel.
Two matching IKE proposals have the same encryption algorithm, authentication method,
authentication algorithm, and DH group. The negotiated SA lifetime is the smaller of the two proposals'
SA lifetimes.
By default, there is an IKE proposal, which has the lowest preference and uses the default encryption
algorithm, authentication method, authentication algorithm, DH group, and ISAKMP SA lifetime.
When IPsec SAs expire because their traffic-based lifetime is reached:
- In FIPS mode, both the IPsec SAs and the corresponding IKE SAs are renegotiated.
- In non-FIPS mode, only the IPsec SAs are renegotiated.
To configure an IKE proposal:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE proposal and enter its view.
    Command: ike proposal proposal-number
    Remarks: N/A

Step 3. Specify an encryption algorithm for the IKE proposal.
    Command: encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
    Remarks: Optional. In FIPS mode, DES-CBC and 3DES-CBC are not supported, and the IKE
    proposal uses 128-bit AES-CBC for encryption by default. In non-FIPS mode, the IKE proposal
    uses 56-bit DES-CBC for encryption by default.

Step 4. Specify an authentication method for the IKE proposal.
    Command: authentication-method { pre-share | rsa-signature }
    Remarks: Optional. Pre-shared key by default.

Step 5. Specify an authentication algorithm for the IKE proposal.
    Command: authentication-algorithm { md5 | sha }
    Remarks: Optional. SHA1 by default. In FIPS mode, MD5 is not supported.

Step 6. Specify a DH group for key negotiation in phase 1.
    Command: dh { group1 | group2 | group5 | group14 }
    Remarks: Optional. In FIPS mode, the default group is group2, the 1024-bit Diffie-Hellman
    group. In non-FIPS mode, the default group is group1, the 768-bit Diffie-Hellman group.
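The following Python model is an added example, not code from the guide or from HP; it ties together the proposal-matching rules described above (lowest sequence number first, match on encryption algorithm, authentication method, authentication algorithm and DH group, SA lifetime taken as the smaller value) and the configuration procedure in the table, by rendering a proposal as the commands from steps 1 to 6. The mode defaults and FIPS restrictions are taken from the guide; the sequence number given to the built-in default proposal, the lifetime values, and the 128-bit key length assumed when aes-cbc is set without a key-length are assumptions of this model. A scenario where a non-FIPS initiator negotiates with a FIPS-mode responder is built inline as constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default attribute values per operating mode, as stated in the guide.
MODE_DEFAULTS = {
    "fips":     {"encryption": "aes-cbc", "key_length": 128, "auth_method": "pre-share",
                 "auth_alg": "sha", "dh": "group2"},
    "non-fips": {"encryption": "des-cbc", "key_length": None, "auth_method": "pre-share",
                 "auth_alg": "sha", "dh": "group1"},
}
# Values the guide says FIPS mode does not support.
FIPS_UNSUPPORTED = {"encryption": {"des-cbc", "3des-cbc"}, "auth_alg": {"md5"}}
# Sequence number for the always-present default proposal. The guide only says it has
# the lowest preference; the concrete number is an assumption of this model.
DEFAULT_PROPOSAL_SEQ = 65535
ASSUMED_AES_KEY_LENGTH = 128  # assumed when aes-cbc is set without a key-length


@dataclass(frozen=True)
class IkeProposal:
    seq: int                   # proposal-number; lower value = higher preference
    encryption: str            # 3des-cbc | aes-cbc | des-cbc
    key_length: Optional[int]  # AES key length; None for DES/3DES
    auth_method: str           # pre-share | rsa-signature
    auth_alg: str              # md5 | sha
    dh: str                    # group1 | group2 | group5 | group14
    lifetime: int              # ISAKMP SA lifetime in seconds (values assumed)

    def negotiable_attrs(self) -> Tuple:
        # The attributes two matching proposals must share.
        return (self.encryption, self.key_length, self.auth_method, self.auth_alg, self.dh)

    def matches(self, other: "IkeProposal") -> bool:
        return self.negotiable_attrs() == other.negotiable_attrs()


def make_proposal(seq: int, lifetime: int, fips: bool = False, **overrides) -> IkeProposal:
    """Build a proposal the way the CLI does: attributes not set take the mode's defaults."""
    attrs = dict(MODE_DEFAULTS["fips" if fips else "non-fips"])
    attrs.update(overrides)
    if attrs["encryption"] != "aes-cbc":
        attrs["key_length"] = None          # key-length only applies to aes-cbc
    elif attrs["key_length"] is None:
        attrs["key_length"] = ASSUMED_AES_KEY_LENGTH
    if fips:
        for name, banned in FIPS_UNSUPPORTED.items():
            if attrs[name] in banned:
                raise ValueError(f"{attrs[name]} is not supported in FIPS mode")
    return IkeProposal(seq=seq, lifetime=lifetime, **attrs)


def default_proposal(lifetime: int, fips: bool = False) -> IkeProposal:
    """The built-in proposal: lowest preference, all attributes at the mode's defaults."""
    return make_proposal(DEFAULT_PROPOSAL_SEQ, lifetime, fips)


def negotiate(initiator: List[IkeProposal], responder: List[IkeProposal]):
    """Responder-side search as the guide describes it.

    The responder walks its own proposals from the lowest sequence number upward and
    returns the first one that matches any proposal the initiator offered, plus the
    smaller of the two SA lifetimes. None means the peers share no proposal.
    """
    offered = sorted(initiator, key=lambda p: p.seq)
    for mine in sorted(responder, key=lambda p: p.seq):
        for theirs in offered:
            if mine.matches(theirs):
                return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


def to_cli(p: IkeProposal) -> List[str]:
    """Render the proposal as the commands from steps 1 to 6 of the table.
    The lifetime command is not on this page, so it is not emitted here."""
    enc = p.encryption + (f" {p.key_length}" if p.key_length is not None else "")
    return [
        "system-view",
        f"ike proposal {p.seq}",
        f"encryption-algorithm {enc}",
        f"authentication-method {p.auth_method}",
        f"authentication-algorithm {p.auth_alg}",
        f"dh {p.dh}",
    ]


if __name__ == "__main__":
    # Constructed scenario: non-FIPS initiator, FIPS-mode responder.
    initiator = [
        make_proposal(10, 3600, encryption="aes-cbc", key_length=256,
                      auth_method="rsa-signature", dh="group14"),
        make_proposal(20, 86400, encryption="aes-cbc", key_length=128, dh="group2"),
        default_proposal(86400),                      # des-cbc / group1 in non-FIPS mode
    ]
    responder = [make_proposal(5, 28800, fips=True), default_proposal(86400, fips=True)]
    result = negotiate(initiator, responder)
    if result is None:
        print("no matching IKE proposal")
    else:
        mine, theirs, lifetime = result
        print(f"matched responder proposal {mine.seq} with initiator proposal {theirs.seq}, "
              f"SA lifetime {lifetime}s")
        print("\n".join(to_cli(mine)))
```

In the constructed scenario, the responder's proposal 5 is checked first and matches the initiator's proposal 20; the two default proposals never match each other because the non-FIPS default (DES-CBC, group1) differs from the FIPS default (128-bit AES-CBC, group2), which is why a device in FIPS mode cannot rely on the built-in proposal when its peer is not.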