Page History
Add_workflow_for_techpubs | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
...
Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie–Hellman key exchange to set up a shared session secret from which the cryptographic keys are derived. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
This Key Management Protection Profile specifies the encryption algorithm, the maximum SA lifetime, and other SA conditions, for the peer. These properties are linked to each IKE peer that is provisioned with this profile.
A user can specify one or more DH groups from the
Spacevars | ||
---|---|---|
|
- The
lists the configured DH groups in the descending order of their bit size while negotiating the protection mechanisms as initiator role as part of the SA payload.Spacevars 0 product - As responder, the
selects the first DH group in the list offered by peer, which is supported and enabled onSpacevars 0 product
side.Spacevars 0 product - The
uses DH Group-2 as default if the user does not specify any group.Spacevars 0 product
The
Spacevars | ||
---|---|---|
|
- DH Group 1: 768 bit
- DH Group 2: 1024 bit (default)
- DH Group 5: 1536 bit
- DH Group 14: 2048 bit
Note |
---|
The higher group numbers are more secure, but require additional time to compute the key. |
See IPsec for Signaling for an in-depth feature description.
See IPsec Peer - CLI to configure IPSec peer for the IKE protocol version using CLI.
Command Syntax
Code Block | ||
---|---|---|
| ||
% set profiles security ikeProtectionProfile <profile name>
algorithms
dhGroup <modp768 | modp1024 | modp1536 | modp2048>
encryption <_3DesCbc | aesCbc128>
integrity <hmacMd5 | hmacSha1 | hmacSha256>
dpdInterval <interval #>
pfsRequired <disabled | enabled>
saLifetimeTime <1200-1000000 seconds> |
Command Parameters
Warning |
---|
The following restrictions apply when the FIPS mode is enabled:
|
The Key Management Protection Profile parameters are as shown below:
...
0 | Table |
---|---|
1 | Key Management Protection Profile Parameters |
Parameter | Length/Range | Description | ||||
---|---|---|---|---|---|---|
| 1-23 | The name of the Key Management Protection Profile. This profile specifies the encryption algorithm, the maximum SA lifetime, and the replay rules for an SPD entry. The
| ||||
| N/A | IKE Protection Profile ESP protocol cipher configurations.
| ||||
| 10-3600, or "noDpd" | IKE Protection Profile Dead Peer Detection test interval period, in seconds. To disable DPD, enter | ||||
pfsRequired | N/A | Enable flag to require PFS use during IPSec SA negotiation.
| ||||
| 1200-1000000 | IKE Protection Profile SA Lifetime setting, in seconds. (default = 28,800, which equals 8 hours) |
Command Example
Code Block | ||
---|---|---|
|
...
set profiles security ikeProtectionProfile IkeProfile algorithms dhGroup modp2048 encryption aesCbc128 integrity hmacSha256
|
...
set profiles security ikeProtectionProfile IkeProfile dpdInterval 40 pfsRequired enabled saLifetimeTime 14400
|
...
show profiles security ikeProtectionProfile IkeProfile
saLifetimeTime 14400;
algorithms {
encryption aesCbc128;
integrity hmacSha256;
dhGroup modp2048;
}
dpdInterval 40;
pfsRequired enabled; |