Configuring IKE 589
■ Hashing algorithm: SHA-1(HMAC anamorphosis) or MD5 (HMAC
anamorphosis) algorithm
■ Authentication method: RSA signature or RSA real-time encryption
■ Diffie-Hellman group ID
■ SA lifetime
To negotiate the IKE policies used by two ends, the initiator sends all the IKE
policies to the peer to negotiate the public IKE policy used by both sides. The
remote terminal will match the received policy with all of its IKE policies as per the
precedence order. The one of highest precedence will be first judged. If one IKE
policy is found to have the same encryption, hash, authentication and
Diffie-Hellman parameters with the received IKE policy, and its life cycle is equal to
or longer than that specified by the received IKE policy, then the common IKE
policy at both ends can be determined. (Note that if no life cycle is specified for
the IKE policy, the relatively short policy life cycle of the remote terminal will be
selected.) Then, IPSec security path will be created by using the IKE policy to
protect the following data. Otherwise, IKE refuses negotiation, and will not create
IPSec security path.
The following issues should be decided before configuring IKE:
■ Determine the intensity of the authentication algorithm, encryption algorithm
and Diffie-Hellman algorithm (the calculation resources consumed and the
security capability provided). Different algorithms are of different intensities,
and the higher the algorithm intensity is, the more difficult it is to decode the
protected data, but the more resources are consumed. The longer key usually
has higher algorithm intensity.
■ Determine the security protection intensity needed in IKE exchange (including
hashing algorithm, encryption algorithm, ID authentication algorithm and DH
algorithm).
■ Determine the authentication algorithm, encryption algorithm, hashing
algorithm and Diffie-Hellman group.
■ Determine the pre-shared key of both parties.
■ Create IKE policy
The user can create multiple IKE policies, but must allocate a unique priority value
for each created policy. Both parties in negotiation must have at least one
matched policy for successfully negotiation, that is to say, a policy and the one in
the remote terminal must have the same encryption, hashing, authentication and
Diffie-Hellman parameters (the lifetime parameters may be a little different). If it is
found that there are multiple matching policies after negotiation, the matching
policy with higher priority will be matched first.
Perform the following configurations in system view.
Table 656 Create IKE Policy
Operation Command
Create IKE policy and enter IKE proposal
view
ike proposal policy-number
Delete IKE policy undo ike proposal policy-number