Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ike-proposal

Function

The ike-proposal command configures an IKE proposal for an IKE peer.

The undo ike-proposal command restores the default IKE proposal referenced by an IKE peer.

By default, the system provides the IKE proposal Default with the lowest priority.

Table 10-38 describes the default configuration of the created IKE proposal.
Table 10-38  Default configuration of the created IKE proposal

| Item | Default Setting |
| --- | --- |
| Authentication method | Pre-shared key authentication |
| Authentication algorithm | SHA-256 |
| Encryption algorithm | AES-CBC-256 |
| DH group | 1024-bit Diffie-Hellman group (group2) |
| SA duration | 86400s |
| PRF (supported by only IKEv2) | HMAC-SHA-256 |

  • The IKE proposal Default uses pre-shared key authentication, the SHA-1 authentication algorithm, the DES-CBC encryption algorithm, DH group group1, the HMAC-SHA-1 algorithm to generate pseudo-random numbers, and an IKE SA duration of 86400s. The configuration of the IKE proposal Default cannot be changed.

  • SHA-1 is insecure and has potential security risks. You are advised to use AES-XCBC-MAC-96, SHA-256, SHA-384, SHA-512, or SM3.

  • DES-CBC is insecure and has potential security risks. You are advised to use AES-CBC-128, AES-CBC-192, or AES-CBC-256.

  • The 768-bit Diffie-Hellman group (group1) has potential security risks. You are advised to use the 2048-bit Diffie-Hellman group (group14).

  • HMAC-SHA-1 is insecure and has potential security risks. You are advised to use AES-XCBC-128, HMAC-SHA-256, HMAC-SHA-384, or HMAC-SHA-512.

Format

ike-proposal proposal-number

undo ike-proposal [ proposal-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| proposal-number | Specifies the number of the IKE proposal used in IKE negotiation. A smaller value indicates a higher priority of an IKE proposal. | The value is an integer that ranges from 1 to 99. |

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Before running this command to specify an IKE proposal, run the ike proposal command to configure the IKE proposal.

Example

# Configure an IKE proposal and reference the IKE proposal for an IKE peer.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] quit
[Huawei] ike peer huawei v1
[Huawei-ike-peer-huawei] ike-proposal 10
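
A configuration check for the usage guideline and the defaults described above, as an added example that is not part of the Huawei documentation: it reads a saved configuration and reports IKE peers whose ike-proposal number was never created with ike proposal, is outside 1 to 99, or is absent so that the default proposal applies. The function name, the sample configuration and the assumed file layout (views at column 0, indented commands, # separators) are illustrative assumptions.

```python
import re

# Constructed sample, assuming the saved-configuration layout: a view starts
# at column 0, its commands are indented, and "#" lines separate views.
SAMPLE_CONFIG = """\
ike proposal 10
#
ike peer huawei v1
 ike-proposal 10
#
ike peer branch v1
 ike-proposal 20
#
ike peer legacy v1
#
"""

def audit_ike_peers(config_text):
    """Return sorted (peer, finding) pairs; hypothetical helper, not a Huawei tool."""
    defined, peers, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current = None                      # view separator
        elif raw[0].isspace():                  # command inside the current view
            m = re.fullmatch(r"\s+ike-proposal (\d+)", line)
            if m and current is not None:
                peers[current].append(int(m.group(1)))
        else:                                   # a new top-level view begins
            current = None
            if m := re.fullmatch(r"ike proposal (\d+)", line):
                defined.add(int(m.group(1)))
            elif m := re.fullmatch(r"ike peer (\S+)(?: v[12])?", line):
                current = m.group(1)
                peers[current] = []
    findings = []
    for peer, refs in peers.items():
        if not refs:
            # Per the page, the default proposal uses DES-CBC, SHA-1 and group1.
            findings.append((peer, "no ike-proposal line, default proposal applies"))
        for n in refs:
            if not 1 <= n <= 99:
                findings.append((peer, f"ike-proposal {n} is outside 1-99"))
            elif n not in defined:
                findings.append((peer, f"ike-proposal {n} is not created by 'ike proposal {n}'"))
    return sorted(findings)

if __name__ == "__main__":
    for peer, finding in audit_ike_peers(SAMPLE_CONFIG):
        print(f"{peer}: {finding}")
```

On the constructed sample, peer branch is reported for referencing proposal 20, which is never created, and peer legacy for having no ike-proposal line.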
Updated: 2019-02-18

Document ID: EDOC1000097293
