Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie-Hellman key exchange to establish a shared session secret from which the cryptographic keys are derived. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.

This Key Management Protection Profile specifies the encryption algorithm, the maximum SA lifetime, and other SA conditions for the peer. These properties are linked to each IKE peer that is provisioned with this profile.

A user can specify one or more DH groups from the product's supported list of DH groups.

  • As initiator, the product lists the configured DH groups in descending order of bit size in the SA payload while negotiating the protection mechanisms.
  • As responder, the product selects the first DH group in the list offered by the peer that is supported and enabled on the product side.
  • The product uses DH Group 2 as the default if the user does not specify any group.

The product supports the following DH groups:

  • DH Group 1: 768 bit
  • DH Group 2: 1024 bit (default)
  • DH Group 5: 1536 bit
  • DH Group 14: 2048 bit

Note

The higher group numbers are more secure, but require additional time to compute the key.

See IPsec for Signaling for an in-depth feature description.

See IPsec Peer - CLI to configure an IPsec peer for the IKE protocol version using the CLI.

Command Syntax

% set profiles security ikeProtectionProfile <profile name>
        algorithms
                dhGroup <modp768 | modp1024 | modp1536 | modp2048>
                encryption <_3DesCbc | aesCbc128>
                integrity <hmacMd5 | hmacSha1 | hmacSha256>
        dpdInterval <interval #>
        pfsRequired <disabled | enabled>
        saLifetimeTime <1200-1000000 seconds>

Command Parameters

Warning

The following restrictions apply when FIPS mode is enabled:

  • IKE Protection Profile dhGroup values modp768, modp1024, and modp1536 are blocked. You must set dhGroup to modp2048.
  • IKE Protection Profile encryption _3DesCbc is not allowed.
  • IKE Protection Profile integrity hmacMd5 is not allowed.

The Key Management Protection Profile parameters are as shown below:

Table: Key Management Protection Profile Parameters

Parameter: ikeProtectionProfile
Length/Range: 1-23
Description: The name of the Key Management Protection Profile. This profile specifies the encryption algorithm, the maximum SA lifetime, and the replay rules for an SPD entry. The product uses these properties when it forms an IPsec association with a peer.

Parameter: algorithms
Length/Range: N/A
Description: IKE Protection Profile ESP protocol cipher configurations.
  • dhGroup – This parameter specifies the DH group(s) supported in the IKE exchange.
    • modp768
    • modp1024 (default)
    • modp1536
    • modp2048
  • encryption – IKE Protection Profile encryption cipher.
    • _3DesCbc
    • aesCbc128 (default)
  • integrity – IKE Protection Profile integrity cipher.
    • hmacMd5
    • hmacSha1 (default)
    • hmacSha256

Parameter: dpdInterval
Length/Range: 10-3600, or "noDpd"
Description: IKE Protection Profile Dead Peer Detection test interval, in seconds. To disable DPD, enter noDpd. (default = 30)

Parameter: pfsRequired
Length/Range: N/A
Description: Flag that requires PFS during IPsec SA negotiation.
  • disabled (default)
  • enabled

Parameter: saLifetimeTime
Length/Range: 1200-1000000
Description: IKE Protection Profile SA lifetime, in seconds. (default = 28,800, which equals 8 hours)
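The DH negotiation rules and FIPS restrictions above, and the ranges in this table, modelled as an added example (not the product's own code); the class and function names are assumptions, and the profile values in the comments and test are constructed from this page's Command Example:

```python
"""Model of the IKE Protection Profile rules stated on this page (added example,
not the product's own code): initiator DH ordering, responder DH selection,
FIPS-mode restrictions, and the dpdInterval/saLifetimeTime ranges."""
from dataclasses import dataclass, field

# Bit sizes of the DH groups the page lists.
DH_GROUP_BITS = {"modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048}
# Values the page says are blocked when FIPS mode is enabled.
FIPS_BLOCKED = {"dhGroup": {"modp768", "modp1024", "modp1536"},
                "encryption": {"_3DesCbc"}, "integrity": {"hmacMd5"}}

@dataclass
class IkeProtectionProfile:
    name: str
    dh_groups: set = field(default_factory=lambda: {"modp1024"})  # DH Group 2 default
    encryption: str = "aesCbc128"
    integrity: str = "hmacSha1"
    dpd_interval: object = 30      # 10-3600 seconds, or the string "noDpd"
    pfs_required: bool = False
    sa_lifetime: int = 28800       # 1200-1000000 seconds

def validate(profile, fips_mode=False):
    """Return a list of problems; an empty list means the profile is acceptable."""
    problems = []
    for group in sorted(profile.dh_groups - set(DH_GROUP_BITS)):
        problems.append(f"unknown dhGroup {group}")
    if profile.dpd_interval != "noDpd" and not 10 <= profile.dpd_interval <= 3600:
        problems.append("dpdInterval must be 10-3600 seconds or noDpd")
    if not 1200 <= profile.sa_lifetime <= 1000000:
        problems.append("saLifetimeTime must be 1200-1000000 seconds")
    if fips_mode:
        for group in sorted(profile.dh_groups & FIPS_BLOCKED["dhGroup"]):
            problems.append(f"FIPS: dhGroup {group} is blocked, set dhGroup to modp2048")
        if profile.encryption in FIPS_BLOCKED["encryption"]:
            problems.append(f"FIPS: encryption {profile.encryption} is not allowed")
        if profile.integrity in FIPS_BLOCKED["integrity"]:
            problems.append(f"FIPS: integrity {profile.integrity} is not allowed")
    return problems

def initiator_proposal(profile):
    """Groups offered as initiator: configured groups in descending bit size."""
    return sorted(profile.dh_groups, key=DH_GROUP_BITS.__getitem__, reverse=True)

def responder_selection(profile, peer_offer):
    """As responder: first group in the peer's offer that is enabled locally (peer's order wins)."""
    for group in peer_offer:
        if group in DH_GROUP_BITS and group in profile.dh_groups:
            return group
    return None  # no common group, so the SA negotiation fails
```

Because the responder honours the peer's order, a weak group that is still enabled locally can be selected even when modp2048 is also configured; disabling the weak groups (as FIPS mode forces) is what removes that downgrade path.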

Command Example

set profiles security ikeProtectionProfile IkeProfile algorithms dhGroup modp2048 encryption aesCbc128 integrity hmacSha256
set profiles security ikeProtectionProfile IkeProfile dpdInterval 40 pfsRequired enabled saLifetimeTime 14400

show profiles security ikeProtectionProfile IkeProfile
saLifetimeTime 14400;
algorithms {
    encryption aesCbc128;
    integrity  hmacSha256;
    dhGroup    modp2048;
}
dpdInterval    40;
pfsRequired    enabled;