Huawei v200r001 User Manual

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform

Configuration of IKE

5-5

Table SC-5-6  Select DH group ID

Select DH group ID

Restore the default value of DH group ID

By default, 768-bit Diffie-Hellman group (Group 1) is selected.

Lifetime means how long IKE exists before it becomes invalid. When IKE begins
negotiation, the first thing for it to do is to make its security parameters of the two
parties be consistent. SA quotes the consistent parameters at each terminal, and each
terminal keeps SA until its lifetime expires. Before SA becomes invalid, it can be
negotiated by the subsequent IKE to be reused. The new SA is negotiated before the
current SA becomes invalid.

The shorter the lifetime is (to a critical point), the more secure the IKE negotiation is.
But to save time for setting IPSec, the longer IKE SA lifetime should be configured.

If the policy lifetimes of two terminals are different, only when the lifetime of originating
terminal must be greater than or equal to that of the peer end can IKE policy can be
selected, and the shorter lifetime should be selected as IKE SA lifetime.

Perform the following tasks in IKE policy configuration mode.

Table SC-5-7  Set lifetime of IKE negotiation SA

Set lifetime of IKE SA

lifetime seconds

Set lifetime as the default value

By default, SA lifetime is 86400 seconds (a day). It is recommended that the configured
seconds should be greater than 10 minutes.

Please perform the monitoring and maintenance in privileged user mode.

Table SC-5-8  Monitoring and maintenance of IKE

Show IKE security association parameter

Show IKE security policy

Clear an SA

clear crypto ike sa connection-id

1)   Show IKE SA parameter
Quidway# show crypto ike sa

conn-id    peer        flags     phase       doi
1       202.38.0.2     RD|ST       1        IPSEC
2       202.38.0.2     RD|ST       2        IPSEC