
CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Configuring an IKE Proposal

Context

An IKE proposal is a component of an IKE peer, and it defines IKE negotiation parameters, including the encryption algorithm, authentication method, authentication algorithm, Diffie-Hellman (DH) group, and security association (SA) lifetime.

During IKE negotiation, the initiator sends its IKE proposals to the peer end for matching. The responder starts with its own highest-priority IKE proposal and compares it against the initiator's proposals, continuing in priority order until it finds a match. The matching IKE proposal is then used to establish the IKE tunnel.

A smaller IKE proposal number indicates a higher priority. You can create multiple IKE proposals with different priorities. The two ends must have at least one matching IKE proposal for IKE negotiation.

Two IKE proposals match when they define the same encryption algorithm, authentication method, authentication algorithm, and DH group. If the IKE SA lifetimes of the two ends differ, the smaller of the two lifetimes is used for IKE negotiation.

NOTE:

If no IKE proposal is created, the system has a default IKE proposal with the lowest priority. If you specify only the sequence number when creating an IKE proposal, the parameters of the IKE proposal are also the default parameters.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike proposal proposal-number

    An IKE proposal is created and the IKE proposal view is displayed.

  3. Run authentication-method { pre-share | rsa-signature | digital-envelope }

    An authentication method is configured.

    By default, an IKE proposal uses pre-shared key authentication.

    The authentication methods in the IKE proposals used by the IKE peer must be the same. Otherwise, IKE negotiation fails.

    NOTE:

    Digital envelope authentication is an authentication method issued by the State Encryption Administration of China. It can be used only for IKEv1 negotiation in main mode; it cannot be used for IKEv1 negotiation in aggressive mode or for IKEv2 negotiation.

    When IKE peers use IKEv2, you need to run the re-authentication interval command to make the configured authentication method take effect.

  4. Run authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

    The authentication algorithm used in IKEv1 negotiation is configured.

    By default, the SHA2-256 authentication algorithm is used in IKEv1 negotiation.

    An authentication algorithm needs to be configured for IKEv1 negotiation. The following authentication algorithms are listed in descending order of security level: SHA2-512, SHA2-384, SHA2-256, SHA1, MD5.

    The MD5 and SHA1 algorithms are susceptible to attacks and their use is not recommended.

    NOTE:

    In IKEv1 certificate negotiation, if the authentication algorithm sha2-512 is configured, the RSA key length must be greater than 1024 bits.

  5. Run encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 }

    The encryption algorithm used in IKE negotiation is configured.

    By default, the AES-256 encryption algorithm is used in IKE negotiation.

    The following encryption algorithms are listed in descending order of security level: AES-256, AES-192, AES-128, 3DES, and DES.

    The DES and 3DES algorithms are susceptible to attacks and their use is not recommended.

  6. Run dh { group1 | group2 | group5 | group14 | group19 | group20 | group21 }

    The DH group used in IKE negotiation is configured.

    By default, DH group14 is used in IKE negotiation.

    The security level order of the DH groups is: group21 > group20 > group19 > group14 > group5 > group2 > group1.

    The DH groups, group1, group2, and group5 are susceptible to attacks and their use is not recommended.

  7. Run prf { aes-xcbc-128 | hmac-md5 | hmac-sha1 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 }

    The pseudo-random function (PRF) algorithm used in IKEv2 negotiation is configured.

    By default, the HMAC-SHA2-256 PRF algorithm is used in IKEv2 negotiation.

    The HMAC-MD5 and HMAC-SHA1 algorithms are susceptible to attacks and their use is not recommended.

  8. Run integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 }

    The integrity algorithm used in IKEv2 negotiation is configured.

    By default, the HMAC-SHA2-256 integrity algorithm is used in IKEv2 negotiation.
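The matching rules from the Context section (smaller proposal number wins, all four parameters must agree, the smaller lifetime is used, and the system default proposal is used when none is configured), modelled as an added example that is not Huawei code. It also audits proposals for the algorithms the steps above mark as not recommended; the sentinel number for the default proposal and the 86400-second lifetime are constructed assumptions, not values from this page.

```python
# Added example (not Huawei code): models the IKE proposal matching rules this page
# describes and audits proposals for the algorithms the page marks as not recommended.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Page: MD5, SHA1, DES, 3DES, group1, group2 and group5 are susceptible to attacks.
WEAK = {"md5", "sha1", "des", "3des", "group1", "group2", "group5"}
DEFAULT_NUMBER = 65536   # constructed sentinel for the system default proposal

@dataclass(frozen=True)
class IkeProposal:
    number: int                       # smaller number = higher priority
    encryption: str = "aes-256"       # page defaults: aes-256, pre-share, sha2-256, group14
    auth_method: str = "pre-share"
    auth_algorithm: str = "sha2-256"
    dh_group: str = "group14"
    lifetime: int = 86400             # IKE SA lifetime in seconds (assumed value, not on page)

    def matches(self, other: "IkeProposal") -> bool:
        # Page: a match needs the same encryption, auth method, auth algorithm and DH group.
        mine = (self.encryption, self.auth_method, self.auth_algorithm, self.dh_group)
        theirs = (other.encryption, other.auth_method, other.auth_algorithm, other.dh_group)
        return mine == theirs

    def weak_parameters(self) -> List[str]:
        return [p for p in (self.encryption, self.auth_algorithm, self.dh_group) if p in WEAK]

def effective_proposals(configured: List[IkeProposal]) -> List[IkeProposal]:
    """Configured proposals in priority order, or the system default if none exist."""
    if not configured:
        return [IkeProposal(DEFAULT_NUMBER)]
    return sorted(configured, key=lambda p: p.number)

def negotiate(initiator: List[IkeProposal],
              responder: List[IkeProposal]) -> Optional[Tuple[int, int, int]]:
    """Return (initiator no., responder no., negotiated lifetime), or None if nothing matches.

    The responder walks its own proposals from highest priority downwards and takes the
    first one that matches any proposal the initiator sent; the negotiated lifetime is
    the smaller of the two ends' lifetimes."""
    for r in effective_proposals(responder):
        for i in effective_proposals(initiator):
            if r.matches(i):
                return i.number, r.number, min(i.lifetime, r.lifetime)
    return None

def audit(configured: List[IkeProposal]) -> Dict[int, List[str]]:
    """Map proposal number -> its not-recommended parameters, for proposals that have any."""
    return {p.number: p.weak_parameters() for p in configured if p.weak_parameters()}
```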

Updated: 2019-08-07

Document ID: EDOC1100033725
