
Configuring an IKE Proposal

Context

An IKE proposal defines IKE negotiation parameters, including the encryption algorithm, authentication method, authentication algorithm, Diffie-Hellman (DH) group, and security association (SA) lifetime.

During IKE negotiation, the initiator sends its IKE proposals to the peer for matching. The responder starts with its own highest-priority IKE proposal and compares it against the received proposals, moving down its list in priority order until it finds a match. The matching IKE proposal is then used to establish the IKE tunnel.

A smaller IKE proposal number indicates a higher priority. You can create multiple IKE proposals with different priorities. The two ends must have at least one matching IKE proposal for IKE negotiation.

Two IKE proposals match when they define the same encryption algorithm, authentication method, authentication algorithm, and DH group. The IKE SA lifetime is not a matching criterion: if the two ends are configured with different IKE SA lifetimes, the smaller lifetime is used for the negotiated IKE SA.

By default, there is an IKE proposal that has the lowest priority and uses default parameter settings. If only the sequence number is specified during the creation of an IKE proposal, this IKE proposal also uses default parameter settings.

When a Huawei device interworks with a non-Huawei device over IKEv1 and the non-Huawei device fails the negotiation because it receives too many IKE proposals, configure an IKE proposal on the Huawei device that uses only the parameters the non-Huawei device supports.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ike proposal proposal-number

    An IKE proposal is created and the IKE proposal view is displayed.

  3. Run authentication-method { pre-share | rsa-signature | digital-envelope }

    An authentication method is configured.

    By default, an IKE proposal uses pre-shared key authentication.

    The authentication methods in the IKE proposals used by the IKE peer must be the same. Otherwise, IKE negotiation fails.

    When IKE peers use IKEv2 for negotiation, you need to run the re-authentication interval command to make the configured authentication method take effect.

    IPSec over IPv6 does not support RSA digital envelope authentication.

  4. Run authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 | sm3 } *

    The authentication algorithm used in IKEv1 negotiation is configured.

    By default, the SHA2-256 authentication algorithm is used in IKEv1 negotiation.

    An authentication algorithm needs to be configured for IKEv1 negotiation. The following authentication algorithms are listed in descending order of security level: SM3, SHA2-512, SHA2-384, SHA2-256, SHA1, MD5.

    The MD5 and SHA1 algorithms are susceptible to attacks and their use is not recommended.

    In IKEv1 certificate negotiation, if the authentication algorithm sha2-512 is configured, the RSA key length must be greater than 1024.

    If the device is connected to a peer device running V100R001 and the peer device uses IKEv1 for negotiation, the authentication algorithm used by the local device must be the same as that used by the peer device.

  5. Run encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 | sm4 } *

    The encryption algorithm used in IKE negotiation is configured.

    By default, the AES-256 encryption algorithm is used in IKE negotiation.

    The following encryption algorithms are listed in descending order of security level: SM4, AES-256, AES-192, AES-128, 3DES, and DES.

    The DES and 3DES algorithms are susceptible to attacks and their use is not recommended.

  6. Run dh { group1 | group2 | group5 | group14 | group15 | group16 | group18 | group19 | group20 | group21 | group24 } *

    The DH group used in IKE negotiation is configured.

    By default, the DH group, group14, is used in IKE negotiation.

    The security level order of the DH groups is: group24 > group21 > group20 > group19 > group18 > group16 > group15 > group14 > group5 > group2 > group1.

    The DH groups, group1, group2, and group5 are susceptible to attacks and their use is not recommended.

    If the negotiation mode in IKEv1 phase 1 is aggressive, the device supports only one DH group. If multiple DH groups are configured on the device, the DH group configured first takes effect.

  7. Run prf { aes-xcbc-128 | hmac-md5 | hmac-sha1 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 } *

    The pseudo-random function (PRF) algorithm used in IKEv2 negotiation is configured.

    By default, the HMAC-SHA2-256 PRF algorithm is used in IKEv2 negotiation.

    The HMAC-MD5 and HMAC-SHA1 algorithms are susceptible to attacks and their use is not recommended.

    If the device is connected to a peer device running V100R001 and the peer device uses IKEv2 for negotiation, the PRF algorithm used by the local device must be the same as the authentication algorithm used by the peer device.

  8. Run integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 } *

    The integrity algorithm used in IKEv2 negotiation is configured.

    By default, the HMAC-SHA2-256 integrity algorithm is used in IKEv2 negotiation.
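The following script is an added example, not code from the original page or from Huawei. It parses IKE proposal views written in the format that a VRP device prints in its configuration, applies the default values this page states for any parameter that is omitted, flags every algorithm the page marks as not recommended, and simulates the matching rule described in the Context section (responder walks its proposals in priority order, a match needs a common encryption algorithm, authentication method, authentication algorithm and DH group, and the smaller IKE SA lifetime wins). The configuration text is constructed sample input; the `sa duration` line and the 86400-second default lifetime are assumptions, since the page names the lifetime parameter but not its command or default.

```python
"""Audit Huawei-style IKE proposals and simulate proposal matching.

Added example, not code from the original page or from Huawei. The
configuration text below is constructed in the format a VRP device prints
for an IKE proposal view; the `sa duration` line and the 86400-second
default lifetime are assumptions (the page names the lifetime parameter
but gives neither its command nor its default).
"""
import re
from dataclasses import dataclass, field

# Per-proposal defaults stated on this page, used when a line is omitted.
DEFAULTS = {
    "authentication-method": {"pre-share"},
    "authentication-algorithm": {"sha2-256"},
    "encryption-algorithm": {"aes-256"},
    "dh": {"group14"},
    "prf": {"hmac-sha2-256"},
    "integrity-algorithm": {"hmac-sha2-256"},
}
# Values the page marks as susceptible to attacks / not recommended.
WEAK = {
    "authentication-algorithm": {"md5", "sha1"},
    "encryption-algorithm": {"des", "3des"},
    "dh": {"group1", "group2", "group5"},
    "prf": {"hmac-md5", "hmac-sha1"},
}
# Parameters that must overlap for two proposals to match (lifetime is not one).
MATCH_KEYS_V1 = ("encryption-algorithm", "authentication-method",
                 "authentication-algorithm", "dh")
MATCH_KEYS_V2 = ("encryption-algorithm", "authentication-method", "dh",
                 "prf", "integrity-algorithm")

# Constructed sample configurations (not captured from a real device).
LOCAL_CONFIG = """\
#
ike proposal 10
 encryption-algorithm aes-256
 dh group14 group19
 authentication-algorithm sha2-256
 authentication-method pre-share
#
ike proposal 20
 encryption-algorithm 3des
 dh group2
 authentication-algorithm sha1
 sa duration 43200
#
"""
PEER_LEGACY = """\
#
ike proposal 5
 encryption-algorithm 3des aes-256
 dh group2
 authentication-algorithm sha1 md5
#
"""
PEER_HARDENED = """\
#
ike proposal 5
 encryption-algorithm aes-256
 dh group19
 authentication-algorithm sha2-256
#
"""


@dataclass
class Proposal:
    number: int                      # smaller number = higher priority
    params: dict = field(default_factory=dict)
    lifetime: int = 86400            # assumed default IKE SA lifetime (s)


def parse_proposals(config: str) -> dict:
    """Return {proposal-number: Proposal} from VRP-style configuration text."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' closes a view
            current = None
            continue
        m = re.fullmatch(r"ike proposal (\d+)", line)
        if m:
            current = Proposal(int(m.group(1)))
            proposals[current.number] = current
            continue
        if current is None:
            continue
        key, *values = line.split()
        if key == "sa" and values[:1] == ["duration"]:
            current.lifetime = int(values[1])
        elif key in DEFAULTS:                # '*' commands may list several values
            current.params[key] = set(values)
    return proposals


def effective(p: Proposal) -> dict:
    """Fill in the page's defaults for every parameter the proposal leaves unset."""
    return {k: p.params.get(k, v) for k, v in DEFAULTS.items()}


def weak_settings(p: Proposal) -> list:
    """List 'parameter value' strings that the page says should not be used."""
    return [f"{key} {v}" for key, values in effective(p).items()
            for v in sorted(values & WEAK.get(key, set()))]


def negotiate(initiator: dict, responder: dict, ikev2: bool = False):
    """Responder walks its proposals highest priority first against everything
    the initiator offered; the first full overlap wins and the lifetime is the
    smaller of the two. Returns None when no proposal pair matches."""
    keys = MATCH_KEYS_V2 if ikev2 else MATCH_KEYS_V1
    for r in sorted(responder):
        for i in sorted(initiator):
            ri, ii = effective(responder[r]), effective(initiator[i])
            common = {k: ri[k] & ii[k] for k in keys}
            if all(common.values()):
                return {"responder": r, "initiator": i,
                        "lifetime": min(responder[r].lifetime, initiator[i].lifetime),
                        **{k: sorted(v) for k, v in common.items()}}
    return None


if __name__ == "__main__":
    local = parse_proposals(LOCAL_CONFIG)
    for num, prop in sorted(local.items()):
        print(f"ike proposal {num}: weak = {weak_settings(prop) or 'none'}")
    for name, peer in (("legacy", PEER_LEGACY), ("hardened", PEER_HARDENED)):
        print(f"IKEv1 vs {name} peer: {negotiate(local, parse_proposals(peer))}")
```

Run against the sample input, the audit reports nothing for proposal 10 and flags `sha1`, `3des` and `group2` in proposal 20; against the legacy peer the negotiation lands on that weak proposal 20 with the peer's 3DES/SHA1/group2 combination and the shorter 43200-second lifetime, while against the hardened peer it picks proposal 10 with group19. Keeping a low-priority legacy proposal configured is therefore enough for a peer to steer the tunnel onto algorithms the page says not to use; drop it, or confirm with the same check that no peer still needs it.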

Copyright © Huawei Technologies Co., Ltd.