Huawei v200r001 User Manual

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform
Chapter 5
Configuration of IKE
5.2  Configuring IKE
5.2.1  IKE Configuration Task List
The IKE configuration tasks are as follows:
- Create an IKE security policy
- Select the encryption algorithm
- Select the authentication method
- Configure the pre-shared key
- Select the hashing algorithm
- Select the DH group ID
- Set the IKE negotiation SA lifetime
5.2.2  Creating IKE Security Policy
I. Why these policies must be created
IKE negotiation itself must be protected, so every IKE negotiation begins with the two
peers agreeing on a common (shared) IKE policy. That policy specifies which security
parameters protect the subsequent IKE exchanges.
Once the two peers have agreed on a policy, its security parameters are identified by
the SA that each peer establishes, and these SAs protect all further IKE traffic during
the negotiation. Several policies, each with its own priority, should be created on each
peer so that at least one of them matches a policy on the remote peer.
II. Parameters defined in a policy
- Encryption algorithm: at present only 56-bit DES-CBC (DES in Cipher Block Chaining
mode) is available. Note that 56-bit DES is no longer considered strong; its key can
be recovered by brute force, so the protection it gives the IKE exchange is limited.
- Hashing algorithm: SHA-1 (HMAC variant) or MD5 (HMAC variant)
- Authentication method: pre-shared key, RSA signature, or RSA encryption (encrypted
nonces)
- Diffie-Hellman group ID
- SA lifetime
III. How a matching policy is chosen
When IKE negotiation begins, IKE looks for a policy that both peers hold in common.
The peer that initiates the negotiation sends all of its policies to the remote peer; the
remote peer then works through its own policies in order of priority, from highest to
lowest, and compares each with the received ones. A match is made when a local
policy and a received policy specify the same encryption algorithm, hashing algorithm,
authentication method and Diffie-Hellman group, and the lifetime specified in the
remote peer's policy is shorter than or equal to the lifetime of the local policy being
compared. If the two lifetimes differ, the shorter one, that of the remote peer's policy,
is used. If no acceptable match is found, IKE refuses to negotiate and no IPSec SA is
established. If a match is found, IKE completes the negotiation and then sets up the
IPSec security tunnel.
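The matching rule above is easy to get wrong in practice (which side's lifetime wins, and what "shorter or equal" means for a policy with no lifetime set), so here is the responder-side selection written out as a small simulation. This is an added example, not VRP code or anything from the manual: the `IkePolicy` and `select_policy` names, the sample policies, the assumption that a lower priority number means higher priority, and the 86400-second default lifetime are all illustrative assumptions.

```python
"""Simulation of IKE policy matching as described in the section above.

Added example, not Huawei VRP code. The class/function names, the
default lifetime and the priority ordering are assumptions for
illustration only.
"""
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# Assumption: lifetime applied when a policy does not specify one (seconds).
DEFAULT_LIFETIME = 86400


@dataclass(frozen=True)
class IkePolicy:
    priority: int                   # assumed: lower value = higher priority
    encryption: str                 # e.g. "des-cbc" (the only option on this platform)
    hashing: str                    # "sha1" or "md5" (HMAC variant)
    auth: str                       # "pre-share", "rsa-sig" or "rsa-encr"
    dh_group: int                   # Diffie-Hellman group ID
    lifetime: Optional[int] = None  # SA lifetime in seconds; None = not specified

    def suite(self):
        """The four parameters that must be identical on both sides."""
        return (self.encryption, self.hashing, self.auth, self.dh_group)

    def effective_lifetime(self) -> int:
        return self.lifetime if self.lifetime is not None else DEFAULT_LIFETIME


class Match(NamedTuple):
    local_priority: int
    remote_priority: int
    lifetime: int  # lifetime the SA will actually use (the remote, shorter-or-equal one)


def select_policy(local: List[IkePolicy], remote: List[IkePolicy]) -> Optional[Match]:
    """Responder-side selection.

    `remote` is everything the initiator sent. Walk the responder's own
    policies from highest priority down and return the first pairing whose
    suite (encryption, hash, auth, DH group) is identical and whose remote
    lifetime is not longer than the local one. The negotiated lifetime is
    the remote value. None means no acceptable match: IKE refuses to
    negotiate and no IPSec SA is built.
    """
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in sorted(remote, key=lambda p: p.priority):
            if lp.suite() != rp.suite():
                continue
            if rp.effective_lifetime() > lp.effective_lifetime():
                # Same suite, but the initiator asks for a longer SA than we allow.
                continue
            return Match(lp.priority, rp.priority, rp.effective_lifetime())
    return None


# Constructed sample policies (not taken from the manual).
RESPONDER = [
    IkePolicy(10, "des-cbc", "sha1", "pre-share", 2, lifetime=28800),
    IkePolicy(20, "des-cbc", "md5",  "pre-share", 1),  # lifetime unspecified
]
INITIATOR = [
    IkePolicy(10, "des-cbc", "sha1", "rsa-sig",   2, lifetime=86400),  # auth differs
    IkePolicy(20, "des-cbc", "sha1", "pre-share", 2, lifetime=86400),  # longer than 28800
    IkePolicy(30, "des-cbc", "md5",  "pre-share", 1, lifetime=3600),   # matches local 20
]


def demo() -> Optional[Match]:
    """Run the sample negotiation; expected Match(20, 30, 3600)."""
    return select_policy(RESPONDER, INITIATOR)


if __name__ == "__main__":
    print(demo())
```

Walking the sample through by hand: the responder's priority-10 policy rejects the initiator's priority 10 (authentication differs) and priority 20 (the initiator's 86400-second lifetime exceeds the local 28800), and its suite differs from priority 30. The responder's priority-20 policy then matches the initiator's priority 30, and the SA lifetime becomes 3600, the shorter remote value. Change the initiator's list to hold only a DH group the responder does not offer and `select_policy` returns `None`, the "refuses to negotiate" case.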
IV. Creating an IKE policy
Before configuring IKE, make sure the following is clear: