Configuring an IKE proposal
An IKE proposal defines a set of attributes describing how IKE negotiation in phase 1 should take place. You can create multiple IKE proposals with different priorities. The priority of an IKE proposal is represented by its sequence number. The lower the sequence number, the higher the priority.
Two peers must have at least one matching IKE proposal for successful IKE negotiation. During IKE negotiation:
The initiator sends its IKE proposals to the peer.
If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified in the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are found mismatching, the two peers use their default IKE proposals to establish the IKE SA.
Two matching IKE proposals have the same encryption algorithm, authentication method, authentication algorithm, and DH group. The SA lifetime takes the smaller one of the two proposals' SA lifetime settings.
To configure an IKE proposal:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an IKE proposal and enter its view. | ike proposal proposal-number | By default, an IKE proposal exists. |
3. Configure a description for the IKE proposal. | description | By default, an IKE proposal does not have a description. |
4. Specify an encryption algorithm for the IKE proposal. |
| By default:
|
5. Specify an authentication method for the IKE proposal. | authentication-method { dsa-signature | pre-share | rsa-signature } | By default, an IKE proposal uses the pre-shared key authentication method. |
6. Specify an authentication algorithm for the IKE proposal. |
| By default, an IKE proposal uses the HMAC-SHA1 authentication algorithm in non-FIPS mode and the HMAC-SHA256 authentication algorithm in FIPS mode. |
7. Specify a DH group for key negotiation in phase 1. |
| By default:
|
8. Set the IKE SA lifetime for the IKE proposal. | sa duration seconds | By default, the IKE SA lifetime is 86400 seconds. |