Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ike proposal

Function

The ike proposal command creates an IKE proposal and displays the IKE proposal view.

The undo ike proposal command deletes an IKE proposal.

By default, the system provides the IKE proposal Default with the lowest priority.

Table 10-37 describes the default configuration of the created IKE proposal.

Table 10-37  Default configuration of the created IKE proposal

| Item | Default Setting |
|---|---|
| Authentication method | Pre-shared key authentication |
| Authentication algorithm | SHA-256 |
| Encryption algorithm | AES-CBC-256 |
| DH group | 1024-bit Diffie-Hellman group (group2) |
| SA duration | 86400s |
| PRF (supported by only IKEv2) | HMAC-SHA-256 |

  • The IKE proposal Default uses pre-shared key authentication, the SHA-1 authentication algorithm, the DES-CBC encryption algorithm, DH group group1, the HMAC-SHA-1 algorithm for generating pseudo-random numbers, and an IKE SA duration of 86400s. The configuration of the IKE proposal Default cannot be changed.

  • SHA-1 is insecure and has potential security risks. You are advised to use AES-XCBC-MAC-96, SHA-256, SHA-384, SHA-512, or SM3.

  • DES-CBC is insecure and has potential security risks. You are advised to use AES-CBC-128, AES-CBC-192, or AES-CBC-256.

  • The 768-bit Diffie-Hellman group (group1) has potential security risks. You are advised to use 2048-bit Diffie-Hellman group (group14).

  • HMAC-SHA-1 is insecure and has potential security risks. You are advised to use AES-XCBC-128, HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512.

Format

ike proposal proposal-number

undo ike proposal proposal-number

Parameters

| Parameter | Description | Value |
|---|---|---|
| proposal-number | Specifies the sequence number of an IKE proposal. A smaller value indicates a higher priority of an IKE proposal. | An integer ranging from 1 to 99. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IKE proposal defines parameters used in IKE negotiation, including the encryption algorithm, authentication mode and algorithm, Diffie-Hellman group, and SA lifetime.

Multiple IKE proposals with different priorities can be created. The priority of an IKE proposal is represented by its sequence number: a smaller sequence number indicates a higher priority. The two ends must have at least one matching IKE proposal for successful IKE negotiation.

During IKE negotiation, the initiator sends its IKE proposals to the responder, and the responder searches its own IKE proposals for a match. The responder starts with the IKE proposal that has the lowest sequence number and proceeds in ascending order of sequence number until a matching IKE proposal is found. The matching IKE proposal is then used to establish a secure tunnel.

Two matching IKE proposals have the same encryption algorithm, authentication mode, authentication algorithm, and Diffie-Hellman group. The SA lifetime is determined by the initiator, so this parameter does not need to be negotiated.
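
The responder-side matching described above can be modelled as follows; this is an added example, not Huawei code, and it goes slightly beyond the text by also reporting when the selected proposal uses algorithms the notes call insecure. Assumptions: the names `Proposal`, `select` and `weak` are hypothetical, the algorithm strings are constructed labels rather than CLI keywords, and the built-in Default proposal is assumed to be tried last because the page gives it the lowest priority.

```python
from dataclasses import dataclass

# Values the page's notes mark as insecure. All algorithm strings in this
# example are constructed labels, not device CLI keywords.
WEAK = {"sha1", "des-cbc", "group1"}

@dataclass(frozen=True)
class Proposal:
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    sa_duration: int = 86400  # set by the initiator, never compared

    def match_key(self):
        # The four parameters that must be identical on both ends.
        return (self.enc_alg, self.auth_method, self.auth_alg, self.dh_group)

    def weak(self):
        return sorted(WEAK & {self.auth_alg, self.enc_alg, self.dh_group})

# Built-in proposal "Default" with the values the page lists for it.
DEFAULT = Proposal("pre-share", "sha1", "des-cbc", "group1")

def select(responder, offers):
    """Return (label, proposal) for the first responder proposal that matches
    an offer, walking sequence numbers in ascending order. Assumption: the
    fixed Default proposal is tried last because it has the lowest priority."""
    offered = {p.match_key() for p in offers}
    ordered = [(n, responder[n]) for n in sorted(responder)]
    for label, prop in ordered + [("default", DEFAULT)]:
        if prop.match_key() in offered:
            return label, prop
    return None  # no common proposal: negotiation fails

if __name__ == "__main__":
    # Constructed responder configuration and peer offers.
    local = {
        20: Proposal("pre-share", "sha2-256", "aes-cbc-128", "group2"),
        10: Proposal("pre-share", "sha2-256", "aes-cbc-256", "group14"),
    }
    peers = {
        "modern": [local[20], local[10]],
        "legacy": [Proposal("pre-share", "sha1", "des-cbc", "group1", 3600)],
    }
    for name, offers in peers.items():
        label, prop = select(local, offers)
        print(name, "-> proposal", label, "weak:", prop.weak() or "none")
```

A peer that offers only the legacy set still finds a match under this assumption, which is why the selected proposal is worth auditing on both ends.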

Follow-up Procedure

Run the ike-proposal command in the IKE peer view to reference the IKE proposal.

Precautions

If only the sequence number is specified during IKE proposal creation, the IKE proposal uses the default parameter settings listed in Table 10-37.

Example

# Create IKE proposal 10 and enter the IKE proposal view.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] 
Updated: 2019-02-18

Document ID: EDOC1000097293
