IPsec - Configuring IKEv1 proposal

Configuring IKE Proposal

The IKE proposal defines a set of attribute data to describe how IKE negotiation implements security communications. Configuring an IKE proposal includes creating an IKE proposal, selecting the encryption algorithm, authentication mode, authentication algorithm, and Diffie-Hellman identifier, and setting the duration of the SA.


Context

Parameters defined by the IKE proposal are used to negotiate the IKE SA establishment. You can configure multiple IKE proposals on each end. During the negotiation, IKE proposals are matched from the one with the highest priority. The match principle is as follows: Both parties use the same encryption algorithm, authentication algorithm, authentication method, and DH group ID to negotiate with each other. The lifetime is determined by the party that initiates the negotiation and does not need to be matched on both ends.


How proposals are matched depends on the IKE negotiation mode.


Main mode


If the negotiation initiating party specifies an IKE proposal on the IKE peer, only the specified IKE proposal is sent during the IKE negotiation. The response party matches the specified IKE proposal against its own IKE proposals. If no IKE proposal is matched, the negotiation fails.


If the negotiation initiating party does not specify any IKE proposal on the IKE peer, all IKE proposals of the initiating party are sent during the IKE negotiation. The response party matches the IKE proposals against its IKE proposals in sequence.


Aggressive mode


If the negotiation initiating party specifies an IKE proposal on the IKE peer, the processing mechanism is the same as that of the main mode.


If the negotiation initiating party does not specify any IKE proposal on the IKE peer, only the default IKE proposal of the initiating party is sent during the IKE negotiation. The response party also matches the IKE proposals against its default IKE proposal.


The system provides a default IKE proposal that is configured with the lowest priority and default encryption algorithm, authentication algorithm, group ID, lifetime, and authentication method.


The encryption algorithm is AES-CBC-256.


The authentication algorithm is SHA2-256.


The authentication method is Pre-Shared Key.


The lifetime is 86400s.


If these parameters are not configured for a new IKE proposal, the default values apply. You can run the display ike proposal command to view the configured IKE proposals (including the default IKE proposal).


After the parameters of an IKE proposal are modified, the modification takes effect only in subsequent tunnel negotiations; tunnels that have already been negotiated are not affected.


Procedure

Run:

system-view

The system view is displayed.


Run:

ike proposal proposal-number

IKE proposals are created and the IKE proposal view is displayed.


Run:

authentication-method { pre-share | rsa-sig }

The authentication mode is configured.


Run:

authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 }

The authentication algorithm is configured.


NOTE:

To improve system security, the MD5 authentication algorithm is not recommended for IKE negotiation.


Run:

encryption-algorithm { 3des-cbc | aes-cbc [ 128 | 192 | 256 ] | des-cbc | sm4-cbc }

The encryption algorithm is configured.


NOTE:

To improve system security, the DES-CBC encryption algorithm is not recommended for IKE negotiation.


Run:

dh { group1 | group2 | group5 | group14 }

The DH group ID is configured.


(Optional) Run:

integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 }

The integrity algorithm is configured.


The configuration is valid only for the IKEv2 protocol.


NOTE:

To improve system security, the HMAC-MD5-96 and HMAC-SHA1-96 integrity algorithms are not recommended for IKEv2 negotiation.


Run:

sa duration sa-duration

The SA duration is configured. Setting the default value is recommended, and setting the minimum value is not recommended.


(Optional) Run:

re-authentication interval reauth-time

The re-authentication interval of the IKEv2 SA is configured. Setting the default value is recommended, and setting the minimum value is not recommended.


Run:

commit

The configuration is committed.
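The following is an added Python model (not VRP code, and not part of the original page) of the main-mode proposal matching described in the Context section and of the algorithm caveats in the NOTEs above. It assumes that a lower proposal-number means higher priority and that each offered proposal is checked against the responder's list in priority order; the peer proposals are constructed sample data.

```python
# Added illustration of the IKEv1 proposal matching the page describes (a
# constructed model, not VRP code). Assumptions: a lower proposal number means
# higher priority; each offer is checked against the responder's list in order.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Algorithms the page's NOTEs flag as not recommended for IKE negotiation.
NOT_RECOMMENDED = {"md5", "des-cbc", "hmac-md5-96", "hmac-sha1-96"}

@dataclass(frozen=True)
class Proposal:
    number: int            # proposal-number; smaller = higher priority (assumption)
    encryption: str        # e.g. "aes-cbc-256"
    auth_alg: str          # e.g. "sha2-256"
    auth_method: str       # "pre-share" or "rsa-sig"
    dh: str                # e.g. "group14"
    lifetime: int = 86400  # sa duration in seconds; the page's default

def matches(a: Proposal, b: Proposal) -> bool:
    """Encryption, authentication algorithm, authentication method and DH group
    must all agree. Lifetime is excluded: the initiator sets it, it is not matched."""
    return (a.encryption, a.auth_alg, a.auth_method, a.dh) == \
           (b.encryption, b.auth_alg, b.auth_method, b.dh)

def negotiate(initiator: List[Proposal], responder: List[Proposal],
              specified: Optional[int] = None) -> Optional[Tuple[Proposal, int]]:
    """Main-mode matching: with `specified` only that proposal is offered,
    otherwise all initiator proposals are offered, highest priority first.
    Returns (responder proposal chosen, negotiated lifetime) or None."""
    offered = [p for p in initiator if p.number == specified] \
        if specified is not None else sorted(initiator, key=lambda p: p.number)
    for offer in offered:
        for candidate in sorted(responder, key=lambda p: p.number):
            if matches(offer, candidate):
                return candidate, offer.lifetime  # initiator decides the lifetime
    return None

def not_recommended(p: Proposal) -> List[str]:
    """Algorithms in the proposal that the page advises against."""
    return sorted({p.encryption, p.auth_alg} & NOT_RECOMMENDED)

# Constructed sample peers. The initiator's top proposal uses a short lifetime.
INITIATOR = [Proposal(10, "aes-cbc-256", "sha2-256", "pre-share", "group14", 3600),
             Proposal(20, "3des-cbc", "sha1", "pre-share", "group2")]
RESPONDER = [Proposal(5, "aes-cbc-256", "sha2-256", "pre-share", "group14"),
             Proposal(10, "des-cbc", "md5", "pre-share", "group1")]
if __name__ == "__main__":
    print(negotiate(INITIATOR, RESPONDER))      # (RESPONDER[0], 3600)
    print(negotiate(INITIATOR, RESPONDER, 20))  # None: peer has no 3des/sha1/group2
    print(not_recommended(RESPONDER[1]))        # ['des-cbc', 'md5']
```

Note that the agreed SA carries the initiator's 3600 s lifetime even though the responder's matching proposal keeps the 86400 s default, which is the "lifetime does not need to be matched" rule in practice.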

