IPsec - Configuring IKEv1 proposal


Configuring IKE Proposal

An IKE proposal is a set of attributes that defines how the IKE negotiation protects the communication. Configuring an IKE proposal includes creating the proposal, selecting the encryption algorithm, authentication method, authentication algorithm, and Diffie-Hellman (DH) group identifier, and setting the duration of the SA.


Context

The parameters defined in an IKE proposal are used to negotiate the IKE SA. You can configure multiple IKE proposals on each end. During the negotiation, IKE proposals are matched starting from the one with the highest priority. The match rule is as follows: both parties must use the same encryption algorithm, authentication algorithm, authentication method, and DH group ID. The lifetime is determined by the party that initiates the negotiation and does not need to match on both ends.


How proposals are matched depends on the IKE negotiation mode.


Main mode


If the initiating party specifies an IKE proposal on the IKE peer, only the specified IKE proposal is sent during the IKE negotiation. The responding party matches the specified IKE proposal against its own IKE proposals. If no IKE proposal matches, the negotiation fails.


If the initiating party does not specify an IKE proposal on the IKE peer, all IKE proposals of the initiating party are sent during the IKE negotiation. The responding party matches them against its own IKE proposals in sequence.


Aggressive mode


If the negotiation initiating party specifies an IKE proposal on the IKE peer, the processing mechanism is the same as that of the main mode.


If the initiating party does not specify an IKE proposal on the IKE peer, only the default IKE proposal of the initiating party is sent during the IKE negotiation. The responding party likewise matches it against only its own default IKE proposal.


The system provides a default IKE proposal that has the lowest priority and uses the default encryption algorithm, authentication algorithm, DH group ID, lifetime, and authentication method:


The encryption algorithm is AES-CBC-256.


The authentication algorithm is SHA2-256.


The authentication method is Pre-Shared Key.


The lifetime is 86400s.


If the preceding parameters are not configured for a new IKE proposal, the default values can be used. You can run the display ike proposal command to view the configured IKE proposals (including the default IKE proposal).


After parameters of an IKE proposal are modified, the modification takes effect in the next tunnel negotiation instead of tunnels that have been negotiated.
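The matching rule above (four attributes must agree, the lifetime is taken from the initiator, and main mode and aggressive mode differ in which proposals are offered) is easy to get wrong when troubleshooting a failed Phase 1. The following Python model is an added example, not Huawei code: it encodes exactly those rules so the outcome for a given pair of configurations can be checked offline. It assumes that a lower proposal number means higher priority (true on Huawei devices, but not stated on this page), and the default proposal's DH group is a placeholder because the page does not list it.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Huawei's code): a model of the proposal-matching rule
# described in the "Context" section of the page.


@dataclass(frozen=True)
class IkeProposal:
    number: int            # proposal-number; lower number = higher priority (assumption)
    encryption: str        # e.g. "aes-cbc-256"
    auth_algorithm: str    # e.g. "sha2-256"
    auth_method: str       # "pre-share" or "rsa-sig"
    dh_group: str          # e.g. "group14"
    lifetime: int = 86400  # SA duration in seconds; 86400 is the page's default


# System default proposal: lowest priority, AES-CBC-256, SHA2-256, pre-shared key,
# 86400 s. The page does not list the default DH group; "group14" is a placeholder.
DEFAULT_PROPOSAL = IkeProposal(
    number=10**9, encryption="aes-cbc-256", auth_algorithm="sha2-256",
    auth_method="pre-share", dh_group="group14", lifetime=86400,
)


def attributes_match(a: IkeProposal, b: IkeProposal) -> bool:
    """Encryption, auth algorithm, auth method and DH group must all agree.
    The lifetime is deliberately not compared."""
    return (a.encryption == b.encryption
            and a.auth_algorithm == b.auth_algorithm
            and a.auth_method == b.auth_method
            and a.dh_group == b.dh_group)


def by_priority(proposals: List[IkeProposal]) -> List[IkeProposal]:
    """Configured proposals plus the system default, highest priority first."""
    return sorted(list(proposals) + [DEFAULT_PROPOSAL], key=lambda p: p.number)


def offered_proposals(mode: str, initiator: List[IkeProposal],
                      specified: Optional[IkeProposal] = None) -> List[IkeProposal]:
    """What the initiator sends, per the main-mode and aggressive-mode rules."""
    if specified is not None:
        return [specified]             # both modes: only the specified proposal
    if mode == "main":
        return by_priority(initiator)  # main mode: all proposals, in priority order
    if mode == "aggressive":
        return [DEFAULT_PROPOSAL]      # aggressive mode: only the default proposal
    raise ValueError(f"unknown IKE mode: {mode}")


def responder_candidates(mode: str, responder: List[IkeProposal],
                         specified: Optional[IkeProposal] = None) -> List[IkeProposal]:
    """What the responder compares against: all of its proposals, except in
    aggressive mode without a specified proposal, where only its default is used."""
    if mode == "aggressive" and specified is None:
        return [DEFAULT_PROPOSAL]
    return by_priority(responder)


def negotiate(mode: str, initiator: List[IkeProposal], responder: List[IkeProposal],
              specified: Optional[IkeProposal] = None) -> Optional[dict]:
    """Return {initiator, responder, lifetime} for the first match, or None when the
    negotiation fails. The lifetime comes from the initiator's proposal."""
    for ip in offered_proposals(mode, initiator, specified):
        for rp in responder_candidates(mode, responder, specified):
            if attributes_match(ip, rp):
                return {"initiator": ip.number, "responder": rp.number, "lifetime": ip.lifetime}
    return None


# Constructed sample configurations for the two peers (not from the page).
INITIATOR = [
    IkeProposal(1, "aes-cbc-128", "sha1", "pre-share", "group2", lifetime=3600),
    IkeProposal(5, "aes-cbc-256", "sha2-256", "pre-share", "group14", lifetime=7200),
]
RESPONDER = [
    IkeProposal(3, "aes-cbc-256", "sha2-256", "pre-share", "group14"),
    IkeProposal(7, "aes-cbc-128", "sha1", "pre-share", "group2"),
]

if __name__ == "__main__":
    print(negotiate("main", INITIATOR, RESPONDER))                # initiator's proposal 1 wins
    print(negotiate("main", INITIATOR, RESPONDER, INITIATOR[1]))  # only proposal 5 is offered
    print(negotiate("aggressive", INITIATOR, RESPONDER))          # default against default
```

Note in the sample run that the initiator's priority order decides: even though the responder lists its AES-256 proposal first, main mode without a specified proposal settles on the initiator's proposal 1 (AES-128/SHA1), with the initiator's 3600 s lifetime, which is why the weaker proposal should not be given the lowest number on the initiating side.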


Procedure

Run:

system-view

The system view is displayed.


Run:

ike proposal proposal-number

IKE proposals are created and the IKE proposal view is displayed.


Run:

authentication-method { pre-share | rsa-sig }

The authentication mode is configured.


Run:

authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 }

The authentication algorithm is configured.


NOTE:

To improve the system security, using the MD5 authentication algorithm for the IKE negotiation is not recommended.


Run:

encryption-algorithm { 3des-cbc | aes-cbc [ 128 | 192 | 256 ] | des-cbc | sm4-cbc }

The encryption algorithm is configured.


NOTE:

To improve the system security, using the DES-CBC encryption algorithm for the IKE negotiation is not recommended.


Run:

dh { group1 | group2 | group5 | group14 }

The DH group ID is configured.


(Optional) Run:

integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 }

The integrity algorithm is configured.


The configuration is valid only for the IKEv2 protocol.


NOTE:

To improve the system security, using the HMAC-MD5-96 and HMAC-SHA1-96 integrity algorithms for the IKEv2 negotiation is not recommended.


Run:

sa duration sa-duration

The SA duration is configured. Keeping the default value is recommended; setting the minimum value is not recommended.


(Optional) Run:

re-authentication interval reauth-time

The re-authentication interval of the IKEv2 SA is configured. Keeping the default value is recommended; setting the minimum value is not recommended.


Run:

commit

The configuration is committed.
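As an added example (not Huawei code), the helper below assembles the command sequence of this procedure for one proposal. It checks every keyword against the syntax given in the steps above, refuses the IKEv2-only options (integrity-algorithm, re-authentication interval) unless the caller says the proposal is for IKEv2, and reports the algorithms the NOTE boxes advise against, so a generated configuration can be reviewed before it is pasted into the device. The function name and its parameters are this example's own.

```python
# Added example (not Huawei's code): builds the command sequence from the procedure
# for one IKE proposal and flags the algorithms the page's NOTE boxes discourage.

# Keyword sets copied from the command syntax shown in the procedure.
AUTH_METHODS = {"pre-share", "rsa-sig"}
AUTH_ALGORITHMS = {"md5", "sha1", "sha2-256", "sha2-384", "sha2-512", "sm3"}
ENCRYPTION_ALGORITHMS = {"3des-cbc", "aes-cbc", "aes-cbc 128", "aes-cbc 192",
                         "aes-cbc 256", "des-cbc", "sm4-cbc"}
DH_GROUPS = {"group1", "group2", "group5", "group14"}
INTEGRITY_ALGORITHMS = {"aes-xcbc-96", "hmac-md5-96", "hmac-sha1-96", "hmac-sha2-256"}

# Algorithms the NOTE boxes say are not recommended.
NOT_RECOMMENDED = {"md5", "des-cbc", "hmac-md5-96", "hmac-sha1-96"}


def _check(value, allowed, option):
    """Raise if a keyword is not one the command accepts."""
    if value not in allowed:
        raise ValueError(f"{option}: {value!r} is not one of {sorted(allowed)}")


def build_ike_proposal(number, auth_method, auth_algorithm, encryption, dh,
                       sa_duration=None, integrity=None, reauth_interval=None,
                       ikev2=False):
    """Return (commands, warnings) for one IKE proposal.

    integrity-algorithm is valid only for IKEv2 and re-authentication interval
    configures the IKEv2 SA, so both are refused unless ikev2=True.
    """
    _check(auth_method, AUTH_METHODS, "authentication-method")
    _check(auth_algorithm, AUTH_ALGORITHMS, "authentication-algorithm")
    _check(encryption, ENCRYPTION_ALGORITHMS, "encryption-algorithm")
    _check(dh, DH_GROUPS, "dh")
    if (integrity is not None or reauth_interval is not None) and not ikev2:
        raise ValueError("integrity-algorithm and re-authentication interval apply to IKEv2 only")
    if integrity is not None:
        _check(integrity, INTEGRITY_ALGORITHMS, "integrity-algorithm")

    # Same order as the procedure: enter the system view, create the proposal,
    # set its attributes, then commit.
    commands = [
        "system-view",
        f"ike proposal {number}",
        f"authentication-method {auth_method}",
        f"authentication-algorithm {auth_algorithm}",
        f"encryption-algorithm {encryption}",
        f"dh {dh}",
    ]
    if integrity is not None:
        commands.append(f"integrity-algorithm {integrity}")
    if sa_duration is not None:
        commands.append(f"sa duration {sa_duration}")
    if reauth_interval is not None:
        commands.append(f"re-authentication interval {reauth_interval}")
    commands.append("commit")

    warnings = [f"{name} is not recommended for IKE negotiation"
                for name in (auth_algorithm, encryption, integrity)
                if name in NOT_RECOMMENDED]
    return commands, warnings


if __name__ == "__main__":
    # Constructed example values: proposal 10 with the page's default algorithms.
    cmds, warns = build_ike_proposal(10, "pre-share", "sha2-256", "aes-cbc 256",
                                     "group14", sa_duration=86400)
    print("\n".join(cmds))
    for w in warns:
        print("WARNING:", w)
```

Because the modification of an existing proposal only takes effect in the next tunnel negotiation, running the generated commands on a proposal already in use does not disturb the current IKE SA; the change shows up when that SA is renegotiated.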

