Huawei v200r001 User Manual

User Manual - Configuration Guide  (Volume 3)
Versatile Routing Platform
Chapter 5
Configuration of IKE
•  Determine the strength of the authentication algorithm, encryption algorithm and
Diffie-Hellman algorithm (i.e., the computing resources consumed and the security
capability provided). Different algorithms have different strengths: the higher
the algorithm strength, the more difficult it is to decode the protected data, but the
more resources are consumed. A longer key usually gives higher algorithm
strength.
•  Determine the security protection strength needed in the IKE exchange (including
hashing algorithm, encryption algorithm, ID authentication algorithm and DH
algorithm).
•  Determine the authentication algorithm, encryption algorithm, hashing algorithm
and Diffie-Hellman group.
•  Determine the pre-shared key of both parties.
1)   Create IKE policy
The user can create multiple IKE policies, but must allocate a unique priority value to
each created policy. For negotiation to succeed, both parties must have at least one
matching policy; that is, a local policy and one on the remote terminal
must have the same encryption, hashing, authentication and Diffie-Hellman
parameters (the lifetime parameters may differ slightly). If negotiation finds
multiple matching policies, the one with the higher priority is matched
first.
Please perform the following tasks in global configuration mode.
Table SC-5-1  Create IKE policy

| Operation | Command |
|---|---|
| Create IKE policy and enter IKE policy configuration mode | crypto ike policy priority |
| Delete IKE policy | no crypto ike policy priority |
No IKE security policy is created by default.
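The matching rule described under "Create IKE policy" can be modelled as follows. This is an added example, not code from the manual or from the router software. It assumes that a lower number means a higher priority and that the local side's priority order decides between several matches; the hash names, DH group numbers, lifetimes and the "pre-share" label are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkePolicy:
    priority: int        # unique per device, as the manual requires
    encryption: str      # "des-cbc" is the only option this manual lists
    hashing: str         # constructed sample value
    authentication: str  # "pre-share" is a hypothetical label for pre-shared key
    dh_group: int        # constructed sample value
    lifetime: int        # seconds (constructed); not part of the match

    def match_key(self):
        # The four parameters that must be identical on both peers.
        return (self.encryption, self.hashing, self.authentication, self.dh_group)

def check_unique_priorities(policies):
    priorities = [p.priority for p in policies]
    if len(priorities) != len(set(priorities)):
        raise ValueError("each IKE policy needs a unique priority value")

def negotiate(local, remote):
    """Return (local_policy, remote_policy) for the best match, or None."""
    check_unique_priorities(local)
    check_unique_priorities(remote)
    # Assumption: a lower number means a higher priority.
    remote_by_key = {}
    for rem in sorted(remote, key=lambda p: p.priority):
        remote_by_key.setdefault(rem.match_key(), rem)
    # Assumption: the local side's priority order decides between matches.
    for loc in sorted(local, key=lambda p: p.priority):
        rem = remote_by_key.get(loc.match_key())
        if rem is not None:
            return loc, rem
    return None  # no common policy: negotiation fails

# Constructed sample policies for two peers.
LOCAL = [
    IkePolicy(10, "des-cbc", "sha", "pre-share", 2, 86400),
    IkePolicy(20, "des-cbc", "md5", "pre-share", 1, 86400),
]
REMOTE = [
    IkePolicy(5, "des-cbc", "md5", "pre-share", 1, 3600),
    IkePolicy(15, "des-cbc", "sha", "pre-share", 2, 43200),
]

if __name__ == "__main__":
    print(negotiate(LOCAL, REMOTE))          # local 10 pairs with remote 15
    print(negotiate(LOCAL[:1], REMOTE[:1]))  # no shared parameters
```

Running the model against both peers' planned policies before deployment shows which pair would be selected and whether any pair matches at all.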
5.2.3  Select Encryption Algorithm
There is only one encryption algorithm: 56-bit DES-Cipher Block Chaining (DES-CBC).
Before being encrypted, each plaintext block is XORed with
the preceding ciphertext block, so the same plaintext block does not map to the same
ciphertext block and security is enhanced.
Please perform the following tasks in IKE policy configuration mode.
Table SC-5-2  Select encryption algorithm

| Operation | Command |
|---|---|
| Select encryption algorithm | encryption des-cbc |
| Set the encryption algorithm to the default value | no encryption |

By default, the DES-CBC encryption algorithm (i.e., parameter des-cbc) is adopted.
5.2.4  Select Authentication Algorithm
There is only one authentication algorithm: pre-shared key.
Please perform the following tasks in IKE policy configuration mode.