Configuring an IKEv2 proposal

An IKEv2 proposal contains the security parameters negotiated in the IKE_SA_INIT exchange to protect the IKE SA itself: encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Within each parameter type, an algorithm specified earlier has a higher priority and is offered to the peer first. The algorithms that protect the IPsec SAs (the child SAs) are negotiated separately and are not part of the IKEv2 proposal.

A complete IKEv2 proposal must contain at least one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group. Because the PRF algorithms default to the integrity protection algorithms (see step 5), the minimum you must configure explicitly is the encryption algorithms, the integrity protection algorithms, and the DH groups; a proposal missing any of these cannot be used for negotiation.

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

To configure an IKEv2 proposal:

Step | Command | Remarks

1. Enter system view.

system-view

N/A

2. Create an IKEv2 proposal and enter IKEv2 proposal view.

ikev2 proposal proposal-name

By default, an IKEv2 proposal named default exists.

In non-FIPS mode, the default proposal uses the following settings:

  • Encryption algorithms AES-CBC-128 and 3DES.

  • Integrity protection algorithms HMAC-SHA1 and HMAC-MD5.

  • PRF algorithms HMAC-SHA1 and HMAC-MD5.

  • DH groups 2 and 5.

3DES, HMAC-MD5, and DH groups 2 (1024-bit MODP) and 5 (1536-bit MODP) are weak by current standards. Rely on the non-FIPS default proposal only for interoperability testing, and configure an explicit proposal with AES, SHA-2, and DH group 14 or an ECP group for production peers.

In FIPS mode, the default proposal uses the following settings:

  • Encryption algorithms AES-CBC-128 and AES-CTR-128.

  • Integrity protection algorithms HMAC-SHA1 and HMAC-SHA256.

  • PRF algorithms HMAC-SHA1 and HMAC-SHA256.

  • DH groups 14 and 19.

3. Specify the encryption algorithms.

In non-FIPS mode:

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

In FIPS mode:

encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *

By default, an IKEv2 proposal does not have any encryption algorithms. des-cbc and 3des-cbc are kept only for interoperability with legacy peers; prefer AES, and list the 256-bit variant first where the peer supports it.

4. Specify the integrity protection algorithms.

In non-FIPS mode:

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

In FIPS mode:

integrity { sha1 | sha256 | sha384 | sha512 } *

By default, an IKEv2 proposal does not have any integrity protection algorithms. md5 is kept only for interoperability with legacy peers; prefer sha256 or stronger.

5. Specify the PRF algorithms.

In non-FIPS mode:

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

In FIPS mode:

prf { sha1 | sha256 | sha384 | sha512 } *

By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

6. Specify the DH groups.

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

In FIPS mode:

dh { group14 | group19 | group20 } *

By default, an IKEv2 proposal does not have any DH groups. group1 (768-bit MODP) and group2 (1024-bit MODP) are too weak for new deployments; use group14, group24, or the ECP groups group19 and group20.
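The following is an added configuration example, not taken from the original page. It walks through steps 1 to 6 above to create an explicit proposal whose algorithm set is stronger than the non-FIPS default and is drawn entirely from the FIPS-mode command lists, so the same proposal is valid whether or not the device runs in FIPS mode. The proposal name strong, the policy name site-a, the policy binding commands (ikev2 policy and proposal, which belong to the IKEv2 policy section rather than this page), and the display ikev2 proposal verification command are assumptions about the platform, not something this page states.

```text
<Sysname> system-view
[Sysname] ikev2 proposal strong
[Sysname-ikev2-proposal-strong] encryption aes-cbc-256 aes-cbc-128
[Sysname-ikev2-proposal-strong] integrity sha384 sha256
[Sysname-ikev2-proposal-strong] dh group20 group19 group14
[Sysname-ikev2-proposal-strong] quit
[Sysname] ikev2 policy site-a
[Sysname-ikev2-policy-site-a] proposal strong
[Sysname-ikev2-policy-site-a] quit
[Sysname] display ikev2 proposal strong
```

No prf command is entered, so the proposal inherits sha384 and sha256 as its PRF algorithms in that order; add a prf line only if the PRF set or priority should differ from the integrity set. The order on each line is the negotiation priority, so aes-cbc-256 and group20 are offered first and the weaker entries act as fallbacks for peers that cannot do better. Using the FIPS-mode algorithm lists as the source of choices is a simple way to keep des-cbc, 3des-cbc, md5, group1, and group2 out of a production proposal.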