User's guide

Encryption
Defines the encryption algorithm used. The options are:
None
DES
3DES
AES (128 bit keys)
AES (192 bit keys)
AES (256 bit keys)
Authentication
Defines the authentication algorithm used. The options are:
None
MD5
SHA1
PRF Algorithm
Defines the PRF (Pseudo Random Function) algorithm used. The options are:
MD5
SHA1
MODP Group for Phase 1
Sets the key length used in the IKE Diffie-Hellman exchange to 768 bits (group 1) or
1024 bits (group 2). Normally this option is set to group 1 and this is sufficient for
normal use. For particularly sensitive applications, you can improve security by selecting
group 2 to enable a 1024 bit key length. Note however that this will slow down the
process of generating the phase 1 session keys, typically from 1-2 seconds for group 1
to 4-5 seconds.
Renegotiate after h hrs m mins s secs
Determines how long the initial IKEv2 Security Association (SA) will stay in force. When it
expires, any attempt to send packets to the remote system will result in IKE attempting to
establish a new SA.
Rekey after h hrs m mins s secs
When the time left until expiry for this SA reaches the value specified by this parameter, the
IKEv2 SA will be renegotiated, i.e. a new IKEv2 SA is negotiated and the old SA is removed.
Any IPSec “child” SAs that were created are retained and become “children” of the new SA.
Related CLI Commands
Entity  Instance  Parameter   Values          Equivalent Web Parameter
ike2    n         iencalg     des, 3des, aes  Encryption
ike2    n         ienkeybits  128, 192, 256   Encryption (AES Key length)
ike2    n         iauthalg    md5, sha1       Authentication
ike2    n         iprfalg     md5, sha1       PRF Algorithm
ike2    n         idhgroup    1, 2, 5         MODP Group for Phase 1
ike2    n         ltime       1 - 28800       Renegotiate after h hrs m mins s secs
                                              This CLI value is entered in seconds
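
Added example (not part of the original guide): a small Python check that reads saved "ike2 n parameter value" lines, validates each value against the table above, and converts the web page's h/m/s fields to the seconds the CLI expects. Assumptions: the instance n is numeric, the sample configuration is constructed, and the set of values flagged for review (des, md5, group 1) is this example's own policy, not a statement from the guide.

```python
import re

# Allowed values per parameter, taken from the "Related CLI Commands" table.
ALLOWED = {
    "iencalg": {"des", "3des", "aes"},
    "ienkeybits": {"128", "192", "256"},
    "iauthalg": {"md5", "sha1"},
    "iprfalg": {"md5", "sha1"},
    "idhgroup": {"1", "2", "5"},
}
LTIME_MIN, LTIME_MAX = 1, 28800  # seconds, per the table
# Assumption (this example's policy, not the guide's): values to flag for review.
WEAK = {("iencalg", "des"), ("iauthalg", "md5"), ("iprfalg", "md5"), ("idhgroup", "1")}

def to_seconds(hrs, mins, secs):
    """Convert the web UI's h/m/s fields to the seconds value the CLI expects."""
    return hrs * 3600 + mins * 60 + secs

def audit(config_text):
    """Return (line_no, severity, message) tuples for 'ike2 n param value' lines."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.fullmatch(r"\s*ike2\s+(\d+)\s+(\w+)\s+(\S+)\s*", line)
        if not m:
            continue  # not an ike2 parameter line
        inst, param, value = m.group(1), m.group(2), m.group(3).lower()
        if param == "ltime":
            if not value.isdigit() or not LTIME_MIN <= int(value) <= LTIME_MAX:
                findings.append((no, "invalid", f"ike2 {inst} ltime {value}: outside 1-28800 s"))
        elif param in ALLOWED:
            if value not in ALLOWED[param]:
                findings.append((no, "invalid", f"ike2 {inst} {param} {value}: not an allowed value"))
            elif (param, value) in WEAK:
                findings.append((no, "weak", f"ike2 {inst} {param} {value}: review"))
    return findings

# Constructed sample configuration (not from the guide).
SAMPLE = """\
ike2 0 iencalg aes
ike2 0 ienkeybits 256
ike2 0 iauthalg md5
ike2 0 idhgroup 1
ike2 0 ltime 86400
ike2 1 iencalg blowfish
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(to_seconds(8, 0, 0))  # 8 hours expressed in seconds for ltime
```

Parameters that do not appear in the table are ignored rather than reported.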