
NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring IKE Proposal

The IKE proposal defines the set of attributes that describes how IKE negotiation secures communication. Configuring an IKE proposal includes creating the proposal, selecting the encryption algorithm, authentication method, authentication algorithm, and Diffie-Hellman (DH) group identifier, and setting the SA duration.

Context

The parameters defined in an IKE proposal are used when negotiating the IKE SA. You can configure multiple IKE proposals on each end. During the negotiation, IKE proposals are tried in order, starting with the one that has the highest priority. The match principle is as follows: the two parties must use the same encryption algorithm, authentication algorithm, authentication method, and DH group ID. The lifetime is determined by the party that initiates the negotiation and does not need to match on both ends.

How proposals are matched depends on the IKE negotiation mode.

  • Main mode

    If the initiating party specifies an IKE proposal on the IKE peer, only that IKE proposal is sent during the IKE negotiation. The responding party matches the specified IKE proposal against its own IKE proposals. If no IKE proposal matches, the negotiation fails.

    If the initiating party does not specify an IKE proposal on the IKE peer, all IKE proposals of the initiating party are sent during the IKE negotiation. The responding party matches them against its own IKE proposals in priority order.

  • Aggressive mode

    If the initiating party specifies an IKE proposal on the IKE peer, the processing is the same as in main mode.

    If the initiating party does not specify an IKE proposal on the IKE peer, only the default IKE proposal of the initiating party is sent during the IKE negotiation. The responding party likewise matches it against its own default IKE proposal.

The system provides a default IKE proposal. It has the lowest priority and uses the default encryption algorithm, authentication algorithm, DH group ID, lifetime, and authentication method:

  • The encryption algorithm is AES-CBC-256.

  • The authentication algorithm is SHA2-256.

  • The authentication method is Pre-Shared Key.

  • The lifetime is 86400s.

If these parameters are not set in a new IKE proposal, the default values are used. You can run the display ike proposal command to view the configured IKE proposals, including the default IKE proposal.

After the parameters of an IKE proposal are modified, the modification takes effect only in subsequent tunnel negotiations; tunnels that have already been negotiated are not affected.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike proposal proposal-number

    An IKE proposal is created and the IKE proposal view is displayed.

  3. Run authentication-method { pre-share | rsa-sig | digital-envelope }

    The authentication mode is configured.

  4. Run authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 }

    The authentication algorithm is configured.

    NOTE:

    For security reasons, using the MD5 or SHA1 authentication algorithm for IKE negotiation is not recommended.

  5. Run encryption-algorithm { 3des-cbc | aes-cbc [ 128 | 192 | 256 ] | des-cbc | sm4-cbc }

    The encryption algorithm is configured.

    NOTE:

    For security reasons, using the DES-CBC or 3DES-CBC encryption algorithm for IKE negotiation is not recommended.

    In practice, the SM4 algorithm on some devices follows the draft standard GM/T XXXX-2013, while the SM4 algorithm on the router follows the standard GM/T 0022-2014; this mismatch causes a communication failure. To solve this problem, run ipsec sm4 version to configure the SM4 algorithm on the router to follow the draft standard GM/T XXXX-2013.

  6. Run dh { group1 | group2 | group5 | group14 }

    The DH group ID is configured.

  7. (Optional) Run integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 }

    The integrity algorithm is configured.

    This configuration applies only to the IKEv2 protocol.

    NOTE:

    For security reasons, using the AES-XCBC-96, HMAC-MD5-96, or HMAC-SHA1-96 integrity algorithm for IKEv2 negotiation is not recommended.

  8. Run sa duration sa-duration

    The SA duration is configured.

  9. (Optional) Run re-authentication interval reauth-time

    The re-authentication interval of the IKEv2 SA is configured.

  10. Run commit

    The configuration is committed.
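The following session walks through steps 1 to 10 above on one router, choosing only the algorithm options the notes do not advise against and giving the proposal a number that outranks the default proposal, so that it is tried first during matching as described in Context. It is an added illustration, not an example from the original guide: the device name HUAWEI, the proposal number 10 and the re-authentication interval value are assumptions chosen for the walkthrough; the prompt format follows the two-stage commit convention of this platform, where * marks uncommitted changes.

```text
<HUAWEI> system-view
[~HUAWEI] ike proposal 10
[*HUAWEI-ike-proposal-10] authentication-method pre-share
[*HUAWEI-ike-proposal-10] authentication-algorithm sha2-256
[*HUAWEI-ike-proposal-10] encryption-algorithm aes-cbc 256
[*HUAWEI-ike-proposal-10] dh group14
[*HUAWEI-ike-proposal-10] integrity-algorithm hmac-sha2-256
[*HUAWEI-ike-proposal-10] sa duration 86400
[*HUAWEI-ike-proposal-10] re-authentication interval 3600
[*HUAWEI-ike-proposal-10] commit
[~HUAWEI-ike-proposal-10] quit
[~HUAWEI] display ike proposal
```

The integrity-algorithm and re-authentication interval lines matter only when the peer negotiates with IKEv2; they are accepted in the proposal view but ignored for IKEv1. Running display ike proposal after the commit confirms that proposal 10 exists alongside the default proposal; because the default proposal has the lowest priority, a peer that does not pin a proposal will be offered proposal 10 first. The peer must be configured with the same authentication method, authentication algorithm, encryption algorithm and DH group for the match to succeed, while the sa duration may differ because the initiator's value is used. Existing tunnels keep their negotiated parameters until they are renegotiated.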

Updated: 2019-01-02

Document ID: EDOC1100055397
