Modified: for 12.1.2
Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to establish a shared session secret from which the cryptographic keys are derived. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
This Key Management Protection Profile specifies the encryption algorithm, the maximum SA lifetime, and other SA conditions for the peer. These properties are linked to each IKE peer that is provisioned with this profile.
A user can specify one or more DH groups from the SBC supported list of DH groups.
The SBC Core supports the DH groups listed under dhGroup in the command syntax below: modp768, modp1024, modp1536, modp2048 and modp3072.
Higher-numbered groups use larger moduli and are more secure, but take longer to compute the key.
See IPsec for Signaling for an in-depth feature description.
See IPsec Peer - CLI to configure an IPsec peer for the IKE protocol version using the CLI.
% set profiles security ikeProtectionProfile <profile name> algorithms dhGroup <modp768 | modp1024 | modp1536 | modp2048 | modp3072> encryption <_3DesCbc | aesCbc128> integrity <hmacMd5 | hmacSha1 | hmacSha256 | hmacSha384 | hmacSha512> dpdInterval <interval #> pfsRequired <disabled | enabled> saLifetimeTime <1200-1000000 seconds>
An example of configuring and then displaying the Key Management Protection Profile parameters is shown below:
% set profiles security ikeProtectionProfile IkeProfile algorithms dhGroup modp2048 encryption aesCbc128 integrity hmacSha256
% set profiles security ikeProtectionProfile IkeProfile dpdInterval 40 pfsRequired enabled saLifetimeTime 14400
% show profiles security ikeProtectionProfile IkeProfile
saLifetimeTime 14400;
algorithms {
    encryption aesCbc128;
    integrity hmacSha256;
    dhGroup modp2048;
}
dpdInterval 40;
pfsRequired enabled;
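The following is an added example, not part of the SBC documentation or the product: a small Python audit script that parses the brace/semicolon output of `show profiles security ikeProtectionProfile <name>` (whether it arrives on one line, as above, or pretty-printed) and checks the values against a hardening policy. The supported dhGroup values and the saLifetimeTime range come from the command syntax on this page; the policy thresholds (minimum modp2048, 3DES and HMAC-MD5 flagged, PFS required) are the example's own assumptions and should be adjusted to local policy. The two sample outputs are constructed for the example.

```python
import re

# Supported dhGroup values, taken from the command syntax on the page.
SUPPORTED_DH_GROUPS = ("modp768", "modp1024", "modp1536", "modp2048", "modp3072")
# saLifetimeTime range, taken from the command syntax on the page.
SA_LIFETIME_RANGE = (1200, 1000000)

# Assumed policy for this example, not SBC defaults: RFC 8247 marks MODP-768
# as MUST NOT and MODP-1024 as SHOULD NOT, and HMAC-MD5 as MUST NOT; 3DES is
# treated as a legacy cipher.
MIN_DH_GROUP = "modp2048"
WEAK_ENCRYPTION = {"_3DesCbc"}
WEAK_INTEGRITY = {"hmacMd5"}

# Constructed sample: the show output from the page's own example, on one line.
STRONG_PROFILE = (
    "saLifetimeTime 14400; algorithms { encryption aesCbc128; "
    "integrity hmacSha256; dhGroup modp2048; } dpdInterval 40; pfsRequired enabled;"
)

# Constructed sample: a profile using the weakest selectable values (pretty-printed).
WEAK_PROFILE = """\
saLifetimeTime 900;
algorithms {
    encryption _3DesCbc;
    integrity hmacMd5;
    dhGroup modp768;
}
dpdInterval 40;
pfsRequired disabled;
"""

_TOKEN_RE = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_show_output(text):
    """Return a flat dict such as {'algorithms.dhGroup': 'modp2048', ...}.

    Block names are joined to keys with '.', so one-line and multi-line
    output parse identically. Malformed input raises ValueError.
    """
    settings = {}
    scope = []    # names of the enclosing { } blocks
    pending = []  # tokens of the statement currently being read
    for tok in _TOKEN_RE.findall(text):
        if tok == "{":
            if len(pending) != 1:
                raise ValueError(f"block needs exactly one name, got {pending}")
            scope.append(pending.pop())
        elif tok == "}":
            if pending or not scope:
                raise ValueError("unbalanced '}' or unterminated statement")
            scope.pop()
        elif tok == ";":
            if len(pending) < 2:
                raise ValueError(f"statement without a value: {pending}")
            key, *value = pending
            settings[".".join(scope + [key])] = " ".join(value)
            pending = []
        else:
            pending.append(tok)
    if scope or pending:
        raise ValueError("output ends inside a block or statement")
    return settings


def dh_modulus_bits(group):
    """modpNNNN -> NNNN; any spelling not on the supported list is rejected."""
    if group not in SUPPORTED_DH_GROUPS:
        raise ValueError(f"unsupported dhGroup {group!r}")
    return int(group[len("modp"):])


def audit_profile(settings):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []

    dh = settings.get("algorithms.dhGroup")
    if dh not in SUPPORTED_DH_GROUPS:
        findings.append(f"dhGroup {dh!r} is not a supported value")
    elif dh_modulus_bits(dh) < dh_modulus_bits(MIN_DH_GROUP):
        findings.append(f"dhGroup {dh} is below the policy minimum {MIN_DH_GROUP}")

    enc = settings.get("algorithms.encryption")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"encryption {enc} is a legacy cipher")

    integ = settings.get("algorithms.integrity")
    if integ in WEAK_INTEGRITY:
        findings.append(f"integrity {integ} is deprecated")

    if settings.get("pfsRequired") != "enabled":
        findings.append("pfsRequired is not enabled; child SA keys are derived without a fresh DH exchange")

    lifetime = settings.get("saLifetimeTime", "")
    lo, hi = SA_LIFETIME_RANGE
    if not lifetime.isdigit() or not lo <= int(lifetime) <= hi:
        findings.append(f"saLifetimeTime {lifetime!r} is outside {lo}-{hi} seconds")

    return findings


if __name__ == "__main__":
    for name, text in (("strong", STRONG_PROFILE), ("weak", WEAK_PROFILE)):
        print(name, audit_profile(parse_show_output(text)) or "OK")
```

Run as-is it audits both constructed samples; in practice, paste the captured `show` output into `parse_show_output` and feed the result to `audit_profile`. The tokenizer treats `{`, `}` and `;` as structure and everything else as words, which is why the page's single-line rendering and a multi-line rendering produce the same dictionary.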