R0106-HP MSR Router Series Security Configuration Guide(V7)

matching IKE proposals are used to establish the IKE SA. If none of the user-defined IKE proposals match, the two peers use their default IKE proposals to establish the IKE SA.
Two IKE proposals match when they have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The IKE SA uses the smaller of the two proposals' SA lifetime settings.
To configure an IKE proposal:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IKE proposal and enter its view.
    Command: ike proposal proposal-number
    Remarks: By default, there is an IKE proposal that is used as the default IKE proposal.

Step 3. Specify an encryption algorithm for the IKE proposal.
    Command:
        Low encryption:
            encryption-algorithm des-cbc
        High encryption (in non-FIPS mode):
            encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
        In FIPS mode:
            encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
    Remarks: By default:
        For low encryption, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
        For high encryption in non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
        In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.

Step 4. Specify an authentication method for the IKE proposal.
    Command: authentication-method { dsa-signature | pre-share | rsa-signature }
    Remarks: By default, an IKE proposal uses the pre-shared key authentication method.

Step 5. Specify an authentication algorithm for the IKE proposal.
    Command:
        In non-FIPS mode:
            authentication-algorithm { md5 | sha }
        In FIPS mode:
            authentication-algorithm sha
    Remarks: By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm.

Step 6. Specify a DH group for key negotiation in phase 1.
    Command:
        In non-FIPS mode:
            dh { group1 | group14 | group2 | group24 | group5 }
        In FIPS mode:
            dh group14
    Remarks: By default:
        In non-FIPS mode, DH group1 (the 768-bit DH group) is used.
        In FIPS mode, DH group14 (the 2048-bit DH group) is used.

Step 7. Set the IKE SA lifetime for the IKE proposal.
    Command: sa duration seconds
    Remarks: By default, the IKE SA lifetime is 86400 seconds.
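
The following Python audit is an added example, not part of the HP guide: it resolves each proposal's effective settings using the non-FIPS defaults listed above, reports values that fall outside the FIPS-mode sets, and applies the matching rule stated before the procedure. The function names and the configuration layout in SAMPLE (one-space indent, "#" separators, default values omitted) are assumptions.

```python
DEFAULTS = {  # non-FIPS defaults from the table; absent settings take these
    "encryption-algorithm": "des-cbc",
    "authentication-method": "pre-share",
    "authentication-algorithm": "sha",
    "dh": "group1",
    "sa duration": "86400",
}
FIPS_SET = {  # values the table lists as available in FIPS mode
    "encryption-algorithm": {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"},
    "authentication-algorithm": {"sha"},
    "dh": {"group14"},
}
MATCH_KEYS = [k for k in DEFAULTS if k != "sa duration"]  # fields that must be equal

def parse_proposals(config):
    """Return {proposal-number: effective settings}, defaults filled in."""
    proposals, current = {}, None
    for line in config.splitlines():
        if line.startswith("ike proposal "):
            current = proposals.setdefault(line.split()[2], dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            text = line.strip()
            for key in DEFAULTS:
                if text.startswith(key + " "):
                    current[key] = text[len(key):].strip()
        else:
            current = None  # "#" or any unindented line ends the block
    return proposals

def audit(proposal):
    """List effective settings that fall outside the FIPS-mode value sets."""
    return sorted(f"{k}={v}" for k, v in proposal.items()
                  if k in FIPS_SET and v not in FIPS_SET[k])

def negotiate(local, peer):
    """Proposals match on four fields; the smaller SA lifetime is used."""
    if all(local[k] == peer[k] for k in MATCH_KEYS):
        return min(int(local["sa duration"]), int(peer["sa duration"]))
    return None

# Constructed sample; the one-space indent and "#" separators are assumed.
SAMPLE = """ike proposal 10
 encryption-algorithm aes-cbc-256
 dh group14
 sa duration 3600
#
ike proposal 20
 authentication-algorithm md5
"""
```

Proposal 20 in the sample sets only the authentication algorithm, yet the audit reports three findings for it because DES-CBC and DH group1 are inherited from the defaults.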
Configuring an IKE keychain
Perform this task when you configure IKE to use pre-shared key authentication.
Follow these guidelines when you configure an IKE keychain: