
ike negotiate compatible

Function

The ike negotiate compatible command configures the responder to receive the IKE proposal and IPSec proposal of the IKE peer.

The undo ike negotiate compatible command disables the responder from receiving the IKE proposal and IPSec proposal of the IKE peer.

By default, the responder does not receive the IKE proposal and IPSec proposal of the IKE peer.

Format

ike negotiate compatible

undo ike negotiate compatible

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During IPSec negotiation between IKE peers, the responder may not know the initiator's IPSec parameters (the IKEv1 negotiation mode, and the algorithm in the IKE proposal, or the security protocol, algorithm, and encapsulation mode in the IPSec proposal). In this case, run the ike negotiate compatible command to enable the responder to use the IPSec proposal of the initiator for negotiation. This ensures successful IPSec negotiation.

Precautions

When IKEv2 is used, after the ike negotiate compatible command is run on the responder, the default duration and traffic for IPSec SA aging are 604800 seconds and 0 (indicating that the traffic timeout function is disabled on the responder), respectively. As a result, the responder cannot proactively initiate IPSec SA re-negotiation.

After the ike negotiate compatible command is executed on the responder, the responder can use any supported algorithm to establish an IPSec tunnel. However, if the responder uses a less secure algorithm to establish an IPSec tunnel, there are security risks.
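
Because the command removes the responder's control over which algorithms are negotiated, it is worth knowing which IKE peers have it enabled. The following is an added audit sketch, not part of the original reference or of the vendor's tooling. It assumes a saved configuration text in which each view starts at column 0, its commands are indented, and "#" separates views; the sample configuration is constructed.

```python
import re

# Constructed sample (assumed layout: view header at column 0, commands
# indented, "#" between views). The last block is deliberately misplaced
# to show that only IKE peer views are considered.
SAMPLE_CONFIG = """\
#
ike peer peer1
 ike negotiate compatible
#
ike peer peer2
 undo ike negotiate compatible
#
ike peer peer3
#
interface GigabitEthernet0/0/1
 ike negotiate compatible
#
"""

PEER_RE = re.compile(r"^ike peer (\S+)")


def peers_accepting_any_proposal(config_text):
    """Return IKE peers whose view leaves 'ike negotiate compatible' enabled."""
    state = {}      # peer name -> True if the command is in effect
    current = None  # name of the IKE peer view being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current = None              # view separator
            continue
        if not line[0].isspace():       # a new view header
            m = PEER_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:             # command inside some other view
            continue
        cmd = line.strip()
        if cmd == "ike negotiate compatible":
            state[current] = True
        elif cmd == "undo ike negotiate compatible":
            state[current] = False      # a later undo wins
    return [peer for peer, enabled in state.items() if enabled]


if __name__ == "__main__":
    for name in peers_accepting_any_proposal(SAMPLE_CONFIG):
        print(f"ike peer {name}: responder accepts the initiator's proposals")
```

Each peer reported is a responder that may establish a tunnel with any supported algorithm, so it is a candidate for review against the precaution above.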

Example

# Configure the responder to receive the IKE proposal and IPSec proposal of the IKE peer.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] ike negotiate compatible
Copyright © Huawei Technologies Co., Ltd.