Configuring IKE 591
There are two hashing algorithm options: SHA-1 and MD5. Both algorithms
provide data source authentication and integrity protection mechanism.
Compared with MD5, SHA-1 contained more summary information, and is more
secure, but the authentication speed is relatively slow. A kind of attack subject to
MD5 can be successful, though difficult, but HMAC anamorphous used by IKE can
stop such attacks.
Perform the following configurations in IKE proposal view.
Table 660 Select Hashing Algorithm
By default SHA-1 hashing algorithm (i.e., parameter sha) is adopted.
Selecting DH Group ID There are two DH (Diffie-Hellman) group ID options: 768-bit Diffie-Hellman group
(Group 1) or 1024-bit Diffie-Hellman group (Group 2). The 1024-bit Diffie-Hellman
group (Group 2) takes longer CPU time
Perform the following configurations in IKE proposal view.
Table 661 Select DH Group ID
By default, 768-bit Diffie-Hellman group is selected.
Setting the Lifetime of
IKE Association SA
Lifetime means how long IKE exists before it becomes invalid. When IKE begins
negotiation, it must first make its security parameters of the two parties be
consistent. SA quotes the consistent parameters at each terminal, and each
terminal keeps SA until its lifetime expires. Before SA becomes invalid, the sequent
IKE negotiation can use it again. The new SA is negotiated before the current SA
becomes invalid.
IKE negotiation can be set with a relatively short life cycle for the purpose of
improving IKE negotiation security. There is a critical IKE life cycle value. If the
policy lifetimes of the two terminals are different, that of the originating party will
be taken as the lifetime of the IKE SA.
If the policy lifetimes of two terminals are different, only when the lifetime of
originating terminals is reater than or equal to that of the peer end can the IKE
policy be selected, and the shorter lifetime selected as IKE SA lifetime.
Perform the following configurations in IKE proposal view.
Table 662 Set Lifetime of IKE Negotiation SA
Operation Command
Select hashing algorithm authentication-algorithm { md5 | sha
Set hashing algorithm to the default value undo authentication-algorithm
Operation Command
Select DH group ID dh { group1 | group2 }
Restore the default value of DH group ID undo dh
Operation Command
Set lifetime of IKE SA sa duration seconds
Set lifetime as the default value undo sa duration