Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE uses a Diffie–Hellman key exchange to set up a shared session secret from which the cryptographic keys are derived. Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
This Key Management Protection Profile specifies the encryption algorithm, the maximum SA lifetime, and other SA conditions, for the peer. These properties are linked to each IKE peer that is provisioned with this profile.
A user can specify one or more DH groups from the
Unable to show "metadata-from": No such page "_space_variables"
supported list of DH groups.- The Unable to show "metadata-from": No such page "_space_variables"lists the configured DH groups in the descending order of their bit size while negotiating the protection mechanisms as initiator role as part of the SA payload.
- As responder, the Unable to show "metadata-from": No such page "_space_variables"selects the first DH group in the list offered by peer, which is supported and enabled onUnable to show "metadata-from": No such page "_space_variables"side.
- The Unable to show "metadata-from": No such page "_space_variables"uses DH Group-2 as default if the user does not specify any group.
The
Unable to show "metadata-from": No such page "_space_variables"
supports the following DH groups: - DH Group 1: 768 bit
- DH Group 2: 1024 bit (default)
- DH Group 5: 1536 bit
- DH Group 14: 2048 bit
The higher group numbers are more secure, but require additional time to compute the key.
See IPsec for Signaling for an in-depth feature description.
See IPsec Peer - CLI to configure IPSec peer for the IKE protocol version using CLI.
Command Syntax
% set profiles security ikeProtectionProfile <profile name> algorithms dhGroup <modp768 | modp1024 | modp1536 | modp2048 > encryption <_3DesCbc | aesCbc128> integrity <hmacMd5 | hmacSha1 | hmacSha256 | hmacSha384 | hmacSha512> dpdInterval <interval #> pfsRequired <disabled | enabled> saLifetimeTime <1200-1000000 seconds>
Command Parameters
The Key Management Protection Profile parameters are as shown below:
Key Management Protection Profile Parameters
Parameter | Length/Range | Description |
|---|---|---|
| 1-23 | The name of the Key Management Protection Profile. This profile specifies the encryption algorithm, the maximum SA lifetime, and the replay rules for an SPD entry. The Unable to show "metadata-from": No such page "_space_variables" uses these properties when it forms an IPSec association with a peer. |
| N/A | IKE Protection Profile ESP protocol cipher configurations.
|
| 10-3600, or "noDpd" | IKE Protection Profile Dead Peer Detection test interval period, in seconds. To disable DPD, enter |
pfsRequired | N/A | Enable flag to require PFS use during IPSec SA negotiation.
|
| 1200-1000000 | IKE Protection Profile SA Lifetime setting, in seconds. (default = 28,800, which equals 8 hours) |
Command Example
% set profiles security ikeProtectionProfile IkeProfile algorithms dhGroup modp2048 encryption aesCbc128 integrity hmacSha256
% set profiles security ikeProtectionProfile IkeProfile dpdInterval 40 pfsRequired enabled saLifetimeTime 14400
% show profiles security ikeProtectionProfile IkeProfile
saLifetimeTime 14400;
algorithms {
encryption aesCbc128;
integrity hmacSha256;
dhGroup modp2048;
}
dpdInterval 40;
pfsRequired enabled;
Overview
Content Tools