
ike proposal

Function

The ike proposal command creates an IKE proposal and displays the IKE proposal view.

The undo ike proposal command deletes the IKE proposal.

By default, an IKE proposal named Default, which has the lowest priority, is available.

Table 1 describes the default configuration of an IKE proposal.

Table 1 Default configurations of an IKE proposal

Parameter                               Default Configuration
Authentication method                   Pre-shared key authentication
Encryption algorithm                    • The created IKE proposal: AES-256
                                        • Default: AES-256, AES-192, and AES-128
Diffie-Hellman (DH) group parameter     DH14
IKE SA lifetime                         86400 seconds
IKEv1 authentication algorithm          • The created IKE proposal: SHA2-256
                                        • Default: SHA2-512, SHA2-384, and SHA2-256
IKEv2 pseudo-random function algorithm  SHA2-256
IKEv2 integrity function algorithm      SHA2-256

Format

ike proposal proposal-number

ike proposal default

undo ike proposal proposal-number

Parameters

Parameter: proposal-number
Description: Specifies the number of an IKE proposal. A smaller value indicates a higher priority.
Value:
  • USG6510E/6510E-POE: The value is an integer that ranges from 1 to 100.
  • USG6530E: The value is an integer that ranges from 1 to 100.
  • USG6515E: The value is an integer that ranges from 1 to 512.
  • USG6525E: The value is an integer that ranges from 1 to 512.
  • USG6550E/6560E/6580E: The value is an integer that ranges from 1 to 512.
  • USG6555E/6565E/6575E-B/6585E/6605E-B: The value is an integer that ranges from 1 to 512.
  • USG6615E/6625E: The value is an integer that ranges from 1 to 1024.
  • USG6635E/6655E: The value is an integer that ranges from 1 to 1024.
  • USG6630E: The value is an integer that ranges from 1 to 1024.
  • USG6650E: The value is an integer that ranges from 1 to 1024.
  • USG6680E: The value is an integer that ranges from 1 to 1024.
  • USG6712E/6716E: The value is an integer that ranges from 1 to 1024.

Parameter: default
Description: Specifies the default IKE proposal.
  NOTE: This parameter is not supported on a virtual system.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An IKE proposal is a component of an IKE peer and defines IKE negotiation parameters, including the encryption algorithm, authentication method, authentication algorithm, DH group, and SA lifetime.

A smaller IKE proposal number indicates a higher priority. You can create multiple IKE proposals with different priorities. The negotiation succeeds if any IKE proposal is matched.

You can configure multiple IKE proposals for each IKE peer. The proposals are tried in descending order of security level until a matching proposal is found. During an IKE negotiation, the initiator sends its IKE proposal to the remote end, and the remote end tries its own IKE proposals, starting from the highest priority, against the received proposal until a match is found. The matched IKE proposal is then used to establish the IKE IPsec tunnel.

The negotiation mode of an IKE proposal varies depending on the IKE negotiation mode:

  • Main mode

    In main mode, if an IKE proposal is specified in the IKE peer that initiates IKE negotiation, only that IKE proposal is sent during IKE negotiation. The responder searches only for an IKE proposal matching the one specified by the initiator. If no such IKE proposal is found, the negotiation fails.

    If no IKE proposal is specified in the IKE peer that initiates IKE negotiation, all IKE proposals are sent during IKE negotiation. The responder checks the proposals sent by the initiator one by one for a matching IKE proposal of its own.

    In a scenario where no IKE proposal is specified in the IKE peer that initiates IKE negotiation and the authentication mode is not specified in the IKE proposal of the responder, the responder checks the proposals sent by the initiator one by one for a matching IKE proposal. If two IKE proposals that are identical except for the authentication mode are found, the device cannot distinguish between them. This may cause the responder to reference an incorrect IKE proposal and result in a negotiation failure.
  • Aggressive mode

    In aggressive mode, if an IKE proposal is specified in the IKE peer that initiates IKE negotiation, the behavior is the same as in main mode.

    If no IKE proposal is specified in the IKE peer that initiates IKE negotiation, only the default IKE proposal is sent during IKE negotiation. The responder also matches this IKE proposal with the default IKE proposal.
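As an added illustration of the matching rules above (example code written for this page, not Huawei's implementation): a small Python model of the responder walking its proposals in priority order, with the Default proposal's algorithm sets taken from Table 1. The `Proposal` class, the "group14" label, the sentinel `DEFAULT_NUMBER` and the choice of the responder's list as the outer loop are assumptions; the model shows that the algorithms actually negotiated depend on how the responder orders its proposal numbers.

```python
from dataclasses import dataclass

# Lower priority than any configurable number (Parameters: at most 1 to 1024),
# so the built-in Default proposal is always tried last. Constructed constant.
DEFAULT_NUMBER = 10**9

@dataclass(frozen=True)
class Proposal:
    number: int            # proposal-number: a smaller value means higher priority
    encryption: frozenset  # accepted encryption algorithms
    auth_alg: frozenset    # accepted authentication algorithms
    dh: str = "group14"    # DH group; label is an assumption, Table 1 says DH14
    auth_method: str = "pre-shared-key"

# Built-in proposal "Default", with the algorithm sets listed in Table 1.
DEFAULT = Proposal(DEFAULT_NUMBER,
                   frozenset({"aes-256", "aes-192", "aes-128"}),
                   frozenset({"sha2-512", "sha2-384", "sha2-256"}))

def compatible(mine, offer):
    """Match when every negotiated attribute has a common acceptable value."""
    return bool(mine.encryption & offer.encryption
                and mine.auth_alg & offer.auth_alg
                and mine.dh == offer.dh
                and mine.auth_method == offer.auth_method)

def initiator_offers(proposals, specified=None, mode="main"):
    """What the initiating peer sends: only the proposal referenced with
    ike-proposal if one is referenced; otherwise all proposals in main mode,
    but only Default in aggressive mode (Usage Guidelines)."""
    if specified is not None:
        return [p for p in proposals if p.number == specified]
    if mode == "aggressive":
        return [DEFAULT]
    return sorted(proposals, key=lambda p: p.number)

def responder_match(responder_proposals, offers):
    """Responder walks its own proposals from highest priority (smallest number)
    and returns (responder number, initiator number) for the first compatible
    pair, or None when negotiation fails. Outer-loop order is an assumption."""
    for mine in sorted(responder_proposals, key=lambda p: p.number):
        for offer in offers:
            if compatible(mine, offer):
                return mine.number, offer.number
    return None
```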

Follow-up Procedure

Run the ike-proposal command in the IKE peer view to reference the IKE proposal.

Example

# Configure IKE proposal 10 and enter the IKE proposal view.

<sysname> system-view
[sysname] ike proposal 10
[sysname-ike-proposal-10] 
Copyright © Huawei Technologies Co., Ltd.